sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-14 19:24:43 +03:00
Code
samba-mirror/python/samba/tests/krb5/rfc4120.asn1
Andrew Bartlett fc77ece0e2 selftest: Add in encrypted-pa-data from RFC 6806 
This comes from Windows 2019 which supports FAST.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-11-11 01:15:39 +00:00

673 lines
22 KiB
Groff
Raw Blame History

KerberosV5Spec2 {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2) modules(4) krb5spec2(2)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN
-- OID arc for KerberosV5
--
-- This OID may be used to identify Kerberos protocol messages
-- encapsulated in other protocols.
--
-- This OID also designates the OID arc for KerberosV5-related OIDs.
--
-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
id-krb5 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2)
}
Int32 ::= INTEGER (-2147483648..2147483647)
-- signed values representable in 32 bits
UInt32 ::= INTEGER (0..4294967295)
-- unsigned 32 bit values
Microseconds ::= INTEGER (0..999999)
-- microseconds
--
-- asn1ate doesn't support 'GeneralString (IA5String)'
-- only 'GeneralString' or 'IA5String', on the wire
-- GeneralString is used.
--
-- KerberosString ::= GeneralString (IA5String)
KerberosString ::= GeneralString
Realm ::= KerberosString
PrincipalName ::= SEQUENCE {
name-type [0] NameType, -- Int32,
name-string [1] SEQUENCE OF KerberosString
}
NameType ::= Int32
KerberosTime ::= GeneralizedTime -- with no fractional seconds
HostAddress ::= SEQUENCE {
addr-type [0] Int32,
address [1] OCTET STRING
}
-- NOTE: HostAddresses is always used as an OPTIONAL field and
-- should not be empty.
HostAddresses -- NOTE: subtly different from rfc1510,
-- but has a value mapping and encodes the same
::= SEQUENCE OF HostAddress
-- NOTE: AuthorizationData is always used as an OPTIONAL field and
-- should not be empty.
AuthorizationData ::= SEQUENCE OF SEQUENCE {
ad-type [0] AuthDataType, -- Int32,
ad-data [1] OCTET STRING
}
AuthDataType ::= Int32
PA-DATA ::= SEQUENCE {
-- NOTE: first tag is [1], not [0]
padata-type [1] PADataType, -- Int32
padata-value [2] OCTET STRING -- might be encoded AP-REQ
}
PADataType ::= Int32
--
-- asn1ate doesn't support 'MAX' nor a lower range != 1.
-- We'll use a custom enodeValue() hooks for BitString
-- in order to encode them with at least 32-Bit.
--
-- KerberosFlags ::= BIT STRING (SIZE (32..MAX))
KerberosFlags ::= BIT STRING (SIZE (1..32))
-- minimum number of bits shall be sent,
-- but no fewer than 32
EncryptedData ::= SEQUENCE {
etype [0] EncryptionType, --Int32 EncryptionType --
kvno [1] UInt32 OPTIONAL,
cipher [2] OCTET STRING -- ciphertext
}
EncryptionKey ::= SEQUENCE {
keytype [0] EncryptionType, -- Int32 actually encryption type --
keyvalue [1] OCTET STRING
}
Checksum ::= SEQUENCE {
cksumtype [0] ChecksumType, -- Int32,
checksum [1] OCTET STRING
}
ChecksumType ::= Int32
Ticket ::= [APPLICATION 1] SEQUENCE {
tkt-vno [0] INTEGER (5),
realm [1] Realm,
sname [2] PrincipalName,
enc-part [3] EncryptedData -- EncTicketPart
}
-- Encrypted part of ticket
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
flags [0] TicketFlags,
key [1] EncryptionKey,
crealm [2] Realm,
cname [3] PrincipalName,
transited [4] TransitedEncoding,
authtime [5] KerberosTime,
starttime [6] KerberosTime OPTIONAL,
endtime [7] KerberosTime,
renew-till [8] KerberosTime OPTIONAL,
caddr [9] HostAddresses OPTIONAL,
authorization-data [10] AuthorizationData OPTIONAL
}
-- encoded Transited field
TransitedEncoding ::= SEQUENCE {
tr-type [0] Int32 -- must be registered --,
contents [1] OCTET STRING
}
TicketFlags ::= KerberosFlags
-- reserved(0),
-- forwardable(1),
-- forwarded(2),
-- proxiable(3),
-- proxy(4),
-- may-postdate(5),
-- postdated(6),
-- invalid(7),
-- renewable(8),
-- initial(9),
-- pre-authent(10),
-- hw-authent(11),
-- the following are new since 1510
-- transited-policy-checked(12),
-- ok-as-delegate(13)
AS-REQ ::= [APPLICATION 10] KDC-REQ
TGS-REQ ::= [APPLICATION 12] KDC-REQ
KDC-REQ ::= SEQUENCE {
-- NOTE: first tag is [1], not [0]
pvno [1] INTEGER (5) ,
msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
padata [3] SEQUENCE OF PA-DATA OPTIONAL
-- NOTE: not empty --,
req-body [4] KDC-REQ-BODY
}
KDC-REQ-BODY ::= SEQUENCE {
kdc-options [0] KDCOptions,
cname [1] PrincipalName OPTIONAL
-- Used only in AS-REQ --,
realm [2] Realm
-- Server's realm
-- Also client's in AS-REQ --,
sname [3] PrincipalName OPTIONAL,
from [4] KerberosTime OPTIONAL,
till [5] KerberosTime,
rtime [6] KerberosTime OPTIONAL,
nonce [7] UInt32,
etype [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType
-- in preference order --,
addresses [9] HostAddresses OPTIONAL,
enc-authorization-data [10] EncryptedData OPTIONAL
-- AuthorizationData --,
additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
-- NOTE: not empty
}
EncryptionType ::= Int32
KDCOptions ::= KerberosFlags
-- reserved(0),
-- forwardable(1),
-- forwarded(2),
-- proxiable(3),
-- proxy(4),
-- allow-postdate(5),
-- postdated(6),
-- unused7(7),
-- renewable(8),
-- unused9(9),
-- unused10(10),
-- opt-hardware-auth(11),
-- unused12(12),
-- unused13(13),
-- Canonicalize is used in RFC 6806
-- canonicalize(15),
-- 26 was unused in 1510
-- disable-transited-check(26),
--
-- renewable-ok(27),
-- enc-tkt-in-skey(28),
-- renew(30),
-- validate(31)
AS-REP ::= [APPLICATION 11] KDC-REP
TGS-REP ::= [APPLICATION 13] KDC-REP
KDC-REP ::= SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
padata [2] SEQUENCE OF PA-DATA OPTIONAL
-- NOTE: not empty --,
crealm [3] Realm,
cname [4] PrincipalName,
ticket [5] Ticket,
enc-part [6] EncryptedData
-- EncASRepPart or EncTGSRepPart,
-- as appropriate
}
EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
EncKDCRepPart ::= SEQUENCE {
key [0] EncryptionKey,
last-req [1] LastReq,
nonce [2] UInt32,
key-expiration [3] KerberosTime OPTIONAL,
flags [4] TicketFlags,
authtime [5] KerberosTime,
starttime [6] KerberosTime OPTIONAL,
endtime [7] KerberosTime,
renew-till [8] KerberosTime OPTIONAL,
srealm [9] Realm,
sname [10] PrincipalName,
caddr [11] HostAddresses OPTIONAL,
encrypted-pa-data[12] METHOD-DATA OPTIONAL
}
LastReq ::= SEQUENCE OF SEQUENCE {
lr-type [0] Int32,
lr-value [1] KerberosTime
}
AP-REQ ::= [APPLICATION 14] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (14),
ap-options [2] APOptions,
ticket [3] Ticket,
authenticator [4] EncryptedData -- Authenticator
}
APOptions ::= KerberosFlags
-- reserved(0),
-- use-session-key(1),
-- mutual-required(2)
-- Unencrypted authenticator
Authenticator ::= [APPLICATION 2] SEQUENCE {
authenticator-vno [0] INTEGER (5),
crealm [1] Realm,
cname [2] PrincipalName,
cksum [3] Checksum OPTIONAL,
cusec [4] Microseconds,
ctime [5] KerberosTime,
subkey [6] EncryptionKey OPTIONAL,
seq-number [7] UInt32 OPTIONAL,
authorization-data [8] AuthorizationData OPTIONAL
}
AP-REP ::= [APPLICATION 15] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (15),
enc-part [2] EncryptedData -- EncAPRepPart
}
EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
ctime [0] KerberosTime,
cusec [1] Microseconds,
subkey [2] EncryptionKey OPTIONAL,
seq-number [3] UInt32 OPTIONAL
}
KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (20),
safe-body [2] KRB-SAFE-BODY,
cksum [3] Checksum
}
KRB-SAFE-BODY ::= SEQUENCE {
user-data [0] OCTET STRING,
timestamp [1] KerberosTime OPTIONAL,
usec [2] Microseconds OPTIONAL,
seq-number [3] UInt32 OPTIONAL,
s-address [4] HostAddress,
r-address [5] HostAddress OPTIONAL
}
KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (21),
-- NOTE: there is no [2] tag
enc-part [3] EncryptedData -- EncKrbPrivPart
}
EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
user-data [0] OCTET STRING,
timestamp [1] KerberosTime OPTIONAL,
usec [2] Microseconds OPTIONAL,
seq-number [3] UInt32 OPTIONAL,
s-address [4] HostAddress -- sender's addr --,
r-address [5] HostAddress OPTIONAL -- recip's addr
}
KRB-CRED ::= [APPLICATION 22] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (22),
tickets [2] SEQUENCE OF Ticket,
enc-part [3] EncryptedData -- EncKrbCredPart
}
EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
ticket-info [0] SEQUENCE OF KrbCredInfo,
nonce [1] UInt32 OPTIONAL,
timestamp [2] KerberosTime OPTIONAL,
usec [3] Microseconds OPTIONAL,
s-address [4] HostAddress OPTIONAL,
r-address [5] HostAddress OPTIONAL
}
KrbCredInfo ::= SEQUENCE {
key [0] EncryptionKey,
prealm [1] Realm OPTIONAL,
pname [2] PrincipalName OPTIONAL,
flags [3] TicketFlags OPTIONAL,
authtime [4] KerberosTime OPTIONAL,
starttime [5] KerberosTime OPTIONAL,
endtime [6] KerberosTime OPTIONAL,
renew-till [7] KerberosTime OPTIONAL,
srealm [8] Realm OPTIONAL,
sname [9] PrincipalName OPTIONAL,
caddr [10] HostAddresses OPTIONAL
}
KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
pvno [0] INTEGER (5),
msg-type [1] INTEGER (30),
ctime [2] KerberosTime OPTIONAL,
cusec [3] Microseconds OPTIONAL,
stime [4] KerberosTime,
susec [5] Microseconds,
error-code [6] Int32,
crealm [7] Realm OPTIONAL,
cname [8] PrincipalName OPTIONAL,
realm [9] Realm -- service realm --,
sname [10] PrincipalName -- service name --,
e-text [11] KerberosString OPTIONAL,
e-data [12] OCTET STRING OPTIONAL
}
METHOD-DATA ::= SEQUENCE OF PA-DATA
--
-- asn1ate doesn't support 'MAX'
--
-- TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
TYPED-DATA ::= SEQUENCE SIZE (1..256) OF SEQUENCE {
data-type [0] Int32,
data-value [1] OCTET STRING OPTIONAL
}
-- preauth stuff follows
PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
PA-ENC-TS-ENC ::= SEQUENCE {
patimestamp [0] KerberosTime -- client's time --,
pausec [1] Microseconds OPTIONAL
}
ETYPE-INFO-ENTRY ::= SEQUENCE {
etype [0] Int32,
salt [1] OCTET STRING OPTIONAL
}
ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
ETYPE-INFO2-ENTRY ::= SEQUENCE {
etype [0] Int32,
salt [1] KerberosString OPTIONAL,
s2kparams [2] OCTET STRING OPTIONAL
}
ETYPE-INFO2 ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY
AD-IF-RELEVANT ::= AuthorizationData
AD-KDCIssued ::= SEQUENCE {
ad-checksum [0] Checksum,
i-realm [1] Realm OPTIONAL,
i-sname [2] PrincipalName OPTIONAL,
elements [3] AuthorizationData
}
AD-AND-OR ::= SEQUENCE {
condition-count [0] Int32,
elements [1] AuthorizationData
}
AD-MANDATORY-FOR-KDC ::= AuthorizationData
-- S4U
PA-S4U2Self ::= SEQUENCE {
name [0] PrincipalName,
realm [1] Realm,
cksum [2] Checksum,
auth [3] KerberosString
}
--
--
-- prettyPrint values
--
--
NameTypeValues ::= INTEGER { -- Int32
kRB5-NT-UNKNOWN(0), -- Name type not known
kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in
kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
kRB5-NT-SRV-HST(3), -- Service with host name as instance
kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
kRB5-NT-UID(5), -- Unique ID
kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
kRB5-NT-WELLKNOWN(11), -- Wellknown
kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
}
NameTypeSequence ::= SEQUENCE {
dummy [0] NameTypeValues
}
TicketFlagsValues ::= BIT STRING { -- KerberosFlags
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
may-postdate(5),
postdated(6),
invalid(7),
renewable(8),
initial(9),
pre-authent(10),
hw-authent(11),
-- the following are new since 1510
transited-policy-checked(12),
ok-as-delegate(13)
}
TicketFlagsSequence ::= SEQUENCE {
dummy [0] TicketFlagsValues
}
KDCOptionsValues ::= BIT STRING { -- KerberosFlags
reserved(0),
forwardable(1),
forwarded(2),
proxiable(3),
proxy(4),
allow-postdate(5),
postdated(6),
unused7(7),
renewable(8),
unused9(9),
unused10(10),
opt-hardware-auth(11),
unused12(12),
unused13(13),
-- Canonicalize is used by RFC 6806
canonicalize(15),
-- 26 was unused in 1510
disable-transited-check(26),
--
renewable-ok(27),
enc-tkt-in-skey(28),
renew(30),
validate(31)
}
KDCOptionsSequence ::= SEQUENCE {
dummy [0] KDCOptionsValues
}
MessageTypeValues ::= INTEGER {
krb-as-req(10), -- Request for initial authentication
krb-as-rep(11), -- Response to KRB_AS_REQ request
krb-tgs-req(12), -- Request for authentication based on TGT
krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
krb-ap-req(14), -- application request to server
krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
krb-safe(20), -- Safe (checksummed) application message
krb-priv(21), -- Private (encrypted) application message
krb-cred(22), -- Private (encrypted) message to forward credentials
krb-error(30) -- Error response
}
MessageTypeSequence ::= SEQUENCE {
dummy [0] MessageTypeValues
}
PADataTypeValues ::= INTEGER {
kRB5-PADATA-NONE(0),
-- kRB5-PADATA-TGS-REQ(1),
-- kRB5-PADATA-AP-REQ(1),
kRB5-PADATA-KDC-REQ(1),
kRB5-PADATA-ENC-TIMESTAMP(2),
kRB5-PADATA-PW-SALT(3),
kRB5-PADATA-ENC-UNIX-TIME(5),
kRB5-PADATA-SANDIA-SECUREID(6),
kRB5-PADATA-SESAME(7),
kRB5-PADATA-OSF-DCE(8),
kRB5-PADATA-CYBERSAFE-SECUREID(9),
kRB5-PADATA-AFS3-SALT(10),
kRB5-PADATA-ETYPE-INFO(11),
kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
-- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number)
kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
kRB5-PADATA-ETYPE-INFO2(19),
-- kRB5-PADATA-USE-SPECIFIED-KVNO(20),
kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
kRB5-PADATA-GET-FROM-TYPED-DATA(22),
kRB5-PADATA-SAM-ETYPE-INFO(23),
kRB5-PADATA-SERVER-REFERRAL(25),
kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
kRB5-PADATA-FOR-USER(129), -- MS-KILE
kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
-- kRB5-PADATA-PK-AS-09-BINDING(132), - client send this to
-- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
kRB5-PADATA-EPAK-AS-REQ(145),
kRB5-PADATA-EPAK-AS-REP(146),
kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
kRB5-PADATA-REQ-ENC-PA-REP(149), --
kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
}
PADataTypeSequence ::= SEQUENCE {
dummy [0] PADataTypeValues
}
AuthDataTypeValues ::= INTEGER {
kRB5-AUTHDATA-IF-RELEVANT(1),
kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
kRB5-AUTHDATA-KDC-ISSUED(4),
kRB5-AUTHDATA-AND-OR(5),
kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
kRB5-AUTHDATA-OSF-DCE(64),
kRB5-AUTHDATA-SESAME(65),
kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
kRB5-AUTHDATA-WIN2K-PAC(128),
kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
kRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
kRB5-AUTHDATA-SIGNTICKET-OLD(142),
kRB5-AUTHDATA-SIGNTICKET(512)
}
AuthDataTypeSequence ::= SEQUENCE {
dummy [0] AuthDataTypeValues
}
ChecksumTypeValues ::= INTEGER {
kRB5-CKSUMTYPE-NONE(0),
kRB5-CKSUMTYPE-CRC32(1),
kRB5-CKSUMTYPE-RSA-MD4(2),
kRB5-CKSUMTYPE-RSA-MD4-DES(3),
kRB5-CKSUMTYPE-DES-MAC(4),
kRB5-CKSUMTYPE-DES-MAC-K(5),
kRB5-CKSUMTYPE-RSA-MD4-DES-K(6),
kRB5-CKSUMTYPE-RSA-MD5(7),
kRB5-CKSUMTYPE-RSA-MD5-DES(8),
kRB5-CKSUMTYPE-RSA-MD5-DES3(9),
kRB5-CKSUMTYPE-SHA1-OTHER(10),
kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12),
kRB5-CKSUMTYPE-SHA1(14),
kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15),
kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16),
kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003
kRB5-CKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
}
ChecksumTypeSequence ::= SEQUENCE {
dummy [0] ChecksumTypeValues
}
EncryptionTypeValues ::= INTEGER {
kRB5-ENCTYPE-NULL(0),
kRB5-ENCTYPE-DES-CBC-CRC(1),
kRB5-ENCTYPE-DES-CBC-MD4(2),
kRB5-ENCTYPE-DES-CBC-MD5(3),
kRB5-ENCTYPE-DES3-CBC-MD5(5),
kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7),
kRB5-ENCTYPE-SIGN-DSA-GENERATE(8),
kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9),
kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10),
kRB5-ENCTYPE-DES3-CBC-SHA1(16), -- with key derivation
kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17),
kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18),
kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23),
kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24),
kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48),
-- some "old" windows types
kRB5-ENCTYPE-ARCFOUR-MD4(-128),
kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133),
kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
-- these are for Heimdal internal use
-- kRB5-ENCTYPE-DES-CBC-NONE(-0x1000),
-- kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001),
-- kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002),
-- kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003),
-- kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004), - private use, lukeh@padl.com
-- kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005) - private use, lukeh@padl.com
kRB5-ENCTYPE-DUMMY(-1111)
}
EncryptionTypeSequence ::= SEQUENCE {
dummy [0] EncryptionTypeValues
}
END
View Git Blame Copy Permalink