diff options
Diffstat (limited to 'epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn')
| -rw-r--r-- | epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn | 497 |
1 files changed, 497 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn b/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn new file mode 100644 index 0000000000..fb3f4e8b56 --- /dev/null +++ b/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn @@ -0,0 +1,497 @@ +--http://www.ietf.org/rfc/rfc4120.txt?number=4120 +KerberosV5Spec2 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) krb5spec2(2) +} DEFINITIONS EXPLICIT TAGS ::= BEGIN + +-- OID arc for KerberosV5 +-- +-- This OID may be used to identify Kerberos protocol messages +-- encapsulated in other protocols. +-- +-- This OID also designates the OID arc for KerberosV5-related OIDs. +-- +-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. +-- WS construct +Applications ::= CHOICE { + ticket Ticket, -- 1 -- + authenticator Authenticator, -- 2 -- + encTicketPart EncTicketPart, -- 3 -- + as-req AS-REQ, -- 10 -- + as-rep AS-REP, -- 11 -- + tgs-req TGS-REQ, -- 12 -- + tgs-rep TGS-REP, -- 13 -- + ap-req AP-REQ, -- 14 -- + ap-rep AP-REP, -- 15 -- + krb-safe KRB-SAFE, -- 20 -- + krb-priv KRB-PRIV, -- 21 -- + krb-cred KRB-CRED, -- 22 -- + encASRepPart EncASRepPart, -- 25 -- + encTGSRepPart EncTGSRepPart, -- 26 -- + encAPRepPart EncAPRepPart, -- 27 -- + encKrbPrivPart ENC-KRB-PRIV-PART, -- 28 -- + encKrbCredPart EncKrbCredPart, -- 29 -- + krb-error KRB-ERROR -- 30 -- + } +-- end WS construct +id-krb5 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) +} + +Int32 ::= INTEGER (-2147483648..2147483647) + -- signed values representable in 32 bits + +UInt32 ::= INTEGER (0..4294967295) + -- unsigned 32 bit values + +Microseconds ::= INTEGER (0..999999) + -- microseconds + +KerberosString ::= GeneralString (IA5String) +CNameString ::= GeneralString (IA5String) +SNameString ::= GeneralString (IA5String) + +Realm ::= KerberosString + +PrincipalName ::= SEQUENCE { +-- name-type [0] Int32, Use the translationj from krb5.asn (Heimdahl) + name-type [0] NAME-TYPE, + name-string [1] SEQUENCE OF KerberosString +} + +CName ::= SEQUENCE { + name-type [0] NAME-TYPE, + cname-string [1] SEQUENCE OF CNameString +} + +SName ::= SEQUENCE { + name-type [0] NAME-TYPE, + sname-string [1] SEQUENCE OF SNameString +} + +KerberosTime ::= GeneralizedTime -- with no fractional seconds + +HostAddress ::= SEQUENCE { +-- addr-type [0] Int32, + addr-type [0] ADDR-TYPE, --use k5.asn + address [1] OCTET STRING +} + +-- NOTE: HostAddresses is always used as an OPTIONAL field and +-- should not be empty. +HostAddresses -- NOTE: subtly different from rfc1510, + -- but has a value mapping and encodes the same + ::= SEQUENCE OF HostAddress + +-- NOTE: AuthorizationData is always used as an OPTIONAL field and +-- should not be empty. +AuthorizationData ::= SEQUENCE OF SEQUENCE { + ad-type [0] Int32, + ad-data [1] OCTET STRING +} + +PA-DATA ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] +-- padata-type [1] Int32, use k5.asn + padata-type [1] PADATA-TYPE, + padata-value [2] OCTET STRING -- might be encoded AP-REQ +} + +KerberosFlags ::= BIT STRING (SIZE (32..MAX)) + -- minimum number of bits shall be sent, + -- but no fewer than 32 + +EncryptedData ::= SEQUENCE { +-- etype [0] Int32 - - EncryptionType - -, Use k5.asn + etype [0] ENCTYPE -- EncryptionType --, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptionKey ::= SEQUENCE { + keytype [0] Int32 -- actually encryption type --, + keyvalue [1] OCTET STRING +} + +Checksum ::= SEQUENCE { +-- cksumtype [0] Int32, Use k5.asn + cksumtype [0] CKSUMTYPE, + checksum [1] OCTET STRING +} + +EncryptedTicketData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedAuthorizationData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedKDCREPData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedAPREPData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedKrbPrivData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptedKrbCredData ::= SEQUENCE { + etype [0] ENCTYPE, -- EncryptionType - - Use k5.asn + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +Ticket ::= [APPLICATION 1] SEQUENCE { + tkt-vno [0] INTEGER (5), + realm [1] Realm, + sname [2] SName, + enc-part [3] EncryptedTicketData +} + +-- Encrypted part of ticket +EncTicketPart ::= [APPLICATION 3] SEQUENCE { + flags [0] TicketFlags, + key [1] EncryptionKey, + crealm [2] Realm, + cname [3] CName, + transited [4] TransitedEncoding, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + caddr [9] HostAddresses OPTIONAL, + authorization-data [10] AuthorizationData OPTIONAL +} + +-- encoded Transited field +TransitedEncoding ::= SEQUENCE { + tr-type [0] Int32 -- must be registered --, + contents [1] OCTET STRING +} +-- Use the k5.asn def +-- TicketFlags ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- may-postdate(5), + -- postdated(6), + -- invalid(7), + -- renewable(8), + -- initial(9), + -- pre-authent(10), + -- hw-authent(11), +-- the following are new since 1510 + -- transited-policy-checked(12), + -- ok-as-delegate(13) + +AS-REQ ::= [APPLICATION 10] KDC-REQ + +TGS-REQ ::= [APPLICATION 12] KDC-REQ + +KDC-REQ ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + pvno [1] INTEGER (5) , +-- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -), +-- msg-type [2] INTEGER, use k5.asn + msg-type [2] MESSAGE-TYPE, + padata [3] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + req-body [4] KDC-REQ-BODY +} + +KDC-REQ-BODY ::= SEQUENCE { + kdc-options [0] KDCOptions, + cname [1] CName OPTIONAL + -- Used only in AS-REQ --, + realm [2] Realm + -- Server's realm + -- Also client's in AS-REQ --, + sname [3] SName OPTIONAL, + from [4] KerberosTime OPTIONAL, + +-- this field is not optional in the kerberos spec, however, in the packetcable spec it is optional +-- make it optional here since normal kerberos will still decode the pdu correctly. + till [5] KerberosTime OPTIONAL, + + rtime [6] KerberosTime OPTIONAL, + nonce [7] UInt32, +-- etype [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn + etype [8] SEQUENCE OF ENCTYPE -- EncryptionType + -- in preference order --, + addresses [9] HostAddresses OPTIONAL, + enc-authorization-data [10] EncryptedAuthorizationData OPTIONAL + -- AuthorizationData --, + additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + -- NOTE: not empty +} + +-- Use th k5.asn def +--KDCOptions ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- allow-postdate(5), + -- postdated(6), + -- unused7(7), + -- renewable(8), + -- unused9(9), + -- unused10(10), + -- opt-hardware-auth(11), + -- unused12(12), + -- unused13(13), +-- 15 is reserved for canonicalize + -- unused15(15), +-- 26 was unused in 1510 + -- disable-transited-check(26), +-- + -- renewable-ok(27), + -- enc-tkt-in-skey(28), + -- renew(30), + -- validate(31) + +AS-REP ::= [APPLICATION 11] KDC-REP + +TGS-REP ::= [APPLICATION 13] KDC-REP + + +KDC-REP ::= SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -), +-- msg-type [1] INTEGER, use k5.asn + msg-type [1] MESSAGE-TYPE, + padata [2] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + crealm [3] Realm, + cname [4] CName, + ticket [5] Ticket, + enc-part [6] EncryptedKDCREPData + -- EncASRepPart or EncTGSRepPart, + -- as appropriate +} + +EncASRepPart ::= [APPLICATION 25] EncKDCRepPart + +EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +EncKDCRepPart ::= SEQUENCE { + key [0] EncryptionKey, + last-req [1] LastReq, + nonce [2] UInt32, + key-expiration [3] KerberosTime OPTIONAL, + flags [4] TicketFlags, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + srealm [9] Realm, + sname [10] SName, + caddr [11] HostAddresses OPTIONAL, + encrypted-pa-data[12] METHOD-DATA OPTIONAL -- from k5.asn +} + +LastReq ::= SEQUENCE OF SEQUENCE { +-- lr-type [0] Int32, Use k5.asn + lr-type [0] LR-TYPE, + lr-value [1] KerberosTime +} + +AP-REQ ::= [APPLICATION 14] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (14), use k5.asn + msg-type [1] MESSAGE-TYPE, + ap-options [2] APOptions, + ticket [3] Ticket, + authenticator [4] EncryptedAuthorizationData -- Authenticator +} +-- Use the krb5.asn def. +--APOptions ::= KerberosFlags + -- reserved(0), + -- use-session-key(1), + -- mutual-required(2) + +-- Unencrypted authenticator +Authenticator ::= [APPLICATION 2] SEQUENCE { + authenticator-vno [0] INTEGER (5), + crealm [1] Realm, + cname [2] CName, + cksum [3] Checksum OPTIONAL, + cusec [4] Microseconds, + ctime [5] KerberosTime, + subkey [6] EncryptionKey OPTIONAL, + seq-number [7] UInt32 OPTIONAL, + authorization-data [8] AuthorizationData OPTIONAL +} + +AP-REP ::= [APPLICATION 15] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (15), Use k5.asn + msg-type [1] MESSAGE-TYPE, + enc-part [2] EncryptedAPREPData -- EncAPRepPart +} + +EncAPRepPart ::= [APPLICATION 27] SEQUENCE { + ctime [0] KerberosTime, + cusec [1] Microseconds, + subkey [2] EncryptionKey OPTIONAL, + seq-number [3] UInt32 OPTIONAL +} + +KRB-SAFE ::= [APPLICATION 20] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (20), use k5.asn + msg-type [1] MESSAGE-TYPE, + safe-body [2] KRB-SAFE-BODY, + cksum [3] Checksum +} + +KRB-SAFE-BODY ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress OPTIONAL, -- XXX this one is OPTIONAL in packetcable? but mandatory in kerberos + r-address [5] HostAddress OPTIONAL +} + +KRB-PRIV ::= [APPLICATION 21] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (21), Use k5.asn + msg-type [1] MESSAGE-TYPE, + -- NOTE: there is no [2] tag + enc-part [3] EncryptedKrbPrivData -- EncKrbPrivPart +} + +ENC-KRB-PRIV-PART ::= [APPLICATION 28] EncKrbPrivPart + +EncKrbPrivPart ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress -- sender's addr --, + r-address [5] HostAddress OPTIONAL -- recip's addr +} + +KRB-CRED ::= [APPLICATION 22] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (22), use k5.asn + msg-type [1] MESSAGE-TYPE, + tickets [2] SEQUENCE OF Ticket, + enc-part [3] EncryptedKrbCredData -- EncKrbCredPart +} + +EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { + ticket-info [0] SEQUENCE OF KrbCredInfo, + nonce [1] UInt32 OPTIONAL, + timestamp [2] KerberosTime OPTIONAL, + usec [3] Microseconds OPTIONAL, + s-address [4] HostAddress OPTIONAL, + r-address [5] HostAddress OPTIONAL +} + +KrbCredInfo ::= SEQUENCE { + key [0] EncryptionKey, + prealm [1] Realm OPTIONAL, + pname [2] PrincipalName OPTIONAL, + flags [3] TicketFlags OPTIONAL, + authtime [4] KerberosTime OPTIONAL, + starttime [5] KerberosTime OPTIONAL, + endtime [6] KerberosTime OPTIONAL, + renew-till [7] KerberosTime OPTIONAL, + srealm [8] Realm OPTIONAL, + sname [9] SName OPTIONAL, + caddr [10] HostAddresses OPTIONAL +} + +KRB-ERROR ::= [APPLICATION 30] SEQUENCE { + pvno [0] INTEGER (5), +-- msg-type [1] INTEGER (30), use k5.asn + msg-type [1] MESSAGE-TYPE, + ctime [2] KerberosTime OPTIONAL, + cusec [3] Microseconds OPTIONAL, + stime [4] KerberosTime, + susec [5] Microseconds, +-- error-code [6] Int32, + error-code [6] ERROR-CODE, -- Use k5.asn + crealm [7] Realm OPTIONAL, + cname [8] CName OPTIONAL, + realm [9] Realm -- service realm --, + sname [10] SName -- service name --, + e-text [11] KerberosString OPTIONAL, + e-data [12] OCTET STRING OPTIONAL, + e-checksum [13] Checksum OPTIONAL -- used by PacketCable +} + +METHOD-DATA ::= SEQUENCE OF PA-DATA + +TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + data-type [0] Int32, + data-value [1] OCTET STRING OPTIONAL +} + +-- preauth stuff follows + +PA-ENC-TIMESTAMP ::= SEQUENCE { + etype [0] ENCTYPE -- EncryptionType --, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +PA-ENC-TS-ENC ::= SEQUENCE { + patimestamp [0] KerberosTime -- client's time --, + pausec [1] Microseconds OPTIONAL +} + +ETYPE-INFO-ENTRY ::= SEQUENCE { +-- etype [0] Int32, use k5.asn + etype [0] ENCTYPE, + salt [1] OCTET STRING OPTIONAL +} + +ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +ETYPE-INFO2-ENTRY ::= SEQUENCE { +-- etype [0] Int32, use k5.asn + etype [0] ENCTYPE, + salt [1] KerberosString OPTIONAL, + s2kparams [2] OCTET STRING OPTIONAL +} + +ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +AD-IF-RELEVANT ::= AuthorizationData + +AD-KDCIssued ::= SEQUENCE { + ad-checksum [0] Checksum, + i-realm [1] Realm OPTIONAL, + i-sname [2] SName OPTIONAL, + elements [3] AuthorizationData +} + +AD-AND-OR ::= SEQUENCE { + condition-count [0] Int32, + elements [1] AuthorizationData +} + +AD-MANDATORY-FOR-KDC ::= AuthorizationData + +END |