From 248049bcbb8a212b01675c65a38d812dabe54546 Mon Sep 17 00:00:00 2001 From: Anders Broman Date: Thu, 16 Oct 2008 21:27:14 +0000 Subject: Add asn1 file from Heimdal use som stuff from it add more dissection in the template and .cnf file. svn path=/trunk/; revision=26484 --- asn1/kerberos/KerberosV5Spec2.asn | 63 ++- asn1/kerberos/Makefile.common | 3 +- asn1/kerberos/k5.asn | 694 +++++++++++++++++++++++++++++++ asn1/kerberos/kerberos.cnf | 38 +- asn1/kerberos/packet-kerberos-template.c | 59 ++- 5 files changed, 810 insertions(+), 47 deletions(-) create mode 100644 asn1/kerberos/k5.asn (limited to 'asn1') diff --git a/asn1/kerberos/KerberosV5Spec2.asn b/asn1/kerberos/KerberosV5Spec2.asn index 6256618816..72aa3ed35e 100644 --- a/asn1/kerberos/KerberosV5Spec2.asn +++ b/asn1/kerberos/KerberosV5Spec2.asn @@ -53,13 +53,15 @@ KerberosString ::= GeneralString (IA5String) Realm ::= KerberosString PrincipalName ::= SEQUENCE { - name-type [0] Int32, +-- name-type [0] Int32, Use the translationj from krb5.asn (Heimdahl) + name-type [0] NAME-TYPE, name-string [1] SEQUENCE OF KerberosString } KerberosTime ::= GeneralizedTime -- with no fractional seconds HostAddress ::= SEQUENCE { +-- addr-type [0] ADDR-TYPE, use k5.asn addr-type [0] Int32, address [1] OCTET STRING } @@ -79,7 +81,8 @@ AuthorizationData ::= SEQUENCE OF SEQUENCE { PA-DATA ::= SEQUENCE { -- NOTE: first tag is [1], not [0] - padata-type [1] Int32, +-- padata-type [1] Int32, use k5.asn + padata-type [1] PADATA-TYPE, padata-value [2] OCTET STRING -- might be encoded AP-REQ } @@ -88,7 +91,8 @@ KerberosFlags ::= BIT STRING (SIZE (32..MAX)) -- but no fewer than 32 EncryptedData ::= SEQUENCE { - etype [0] Int32 -- EncryptionType --, +-- etype [0] Int32 - - EncryptionType - -, Use k5.asn + etype [0] ENCTYPE -- EncryptionType --, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } @@ -99,7 +103,8 @@ EncryptionKey ::= SEQUENCE { } Checksum ::= SEQUENCE { - cksumtype [0] Int32, +-- cksumtype [0] Int32, Use k5.asn + cksumtype [0] CKSUMTYPE, checksum [1] OCTET STRING } @@ -130,8 +135,8 @@ TransitedEncoding ::= SEQUENCE { tr-type [0] Int32 -- must be registered --, contents [1] OCTET STRING } - -TicketFlags ::= KerberosFlags +-- Use the k5.asn def +-- TicketFlags ::= KerberosFlags -- reserved(0), -- forwardable(1), -- forwarded(2), @@ -156,7 +161,8 @@ KDC-REQ ::= SEQUENCE { -- NOTE: first tag is [1], not [0] pvno [1] INTEGER (5) , -- msg-type [2] INTEGER (10 - - AS - - | 12 - - TGS - -), - msg-type [2] INTEGER, +-- msg-type [2] INTEGER, use k5.asn + msg-type [2] MESSAGE-TYPE, padata [3] SEQUENCE OF PA-DATA OPTIONAL -- NOTE: not empty --, req-body [4] KDC-REQ-BODY @@ -174,7 +180,8 @@ KDC-REQ-BODY ::= SEQUENCE { till [5] KerberosTime, rtime [6] KerberosTime OPTIONAL, nonce [7] UInt32, - etype [8] SEQUENCE OF Int32 -- EncryptionType +-- etype [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn + etype [8] SEQUENCE OF ENCTYPE -- EncryptionType -- in preference order --, addresses [9] HostAddresses OPTIONAL, enc-authorization-data [10] EncryptedData OPTIONAL @@ -183,7 +190,8 @@ KDC-REQ-BODY ::= SEQUENCE { -- NOTE: not empty } -KDCOptions ::= KerberosFlags +-- Use th k5.asn def +--KDCOptions ::= KerberosFlags -- reserved(0), -- forwardable(1), -- forwarded(2), @@ -216,7 +224,8 @@ TGS-REP ::= [APPLICATION 13] KDC-REP KDC-REP ::= SEQUENCE { pvno [0] INTEGER (5), -- msg-type [1] INTEGER (11 - - AS - - | 13 - - TGS - -), - msg-type [1] INTEGER, +-- msg-type [1] INTEGER, use k5.asn + msg-type [1] MESSAGE-TYPE, padata [2] SEQUENCE OF PA-DATA OPTIONAL -- NOTE: not empty --, crealm [3] Realm, @@ -243,23 +252,26 @@ EncKDCRepPart ::= SEQUENCE { renew-till [8] KerberosTime OPTIONAL, srealm [9] Realm, sname [10] PrincipalName, - caddr [11] HostAddresses OPTIONAL + caddr [11] HostAddresses OPTIONAL, + encrypted-pa-data[12] METHOD-DATA OPTIONAL -- from k5.asn } LastReq ::= SEQUENCE OF SEQUENCE { - lr-type [0] Int32, +-- lr-type [0] Int32, Use k5.asn + lr-type [0] LR-TYPE, lr-value [1] KerberosTime } AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno [0] INTEGER (5), - msg-type [1] INTEGER (14), +-- msg-type [1] INTEGER (14), use k5.asn + msg-type [1] MESSAGE-TYPE, ap-options [2] APOptions, ticket [3] Ticket, authenticator [4] EncryptedData -- Authenticator } - -APOptions ::= KerberosFlags +-- Use the krb5.asn def. +--APOptions ::= KerberosFlags -- reserved(0), -- use-session-key(1), -- mutual-required(2) @@ -279,7 +291,8 @@ Authenticator ::= [APPLICATION 2] SEQUENCE { AP-REP ::= [APPLICATION 15] SEQUENCE { pvno [0] INTEGER (5), - msg-type [1] INTEGER (15), +-- msg-type [1] INTEGER (15), Use k5.asn + msg-type [1] MESSAGE-TYPE, enc-part [2] EncryptedData -- EncAPRepPart } @@ -292,7 +305,8 @@ EncAPRepPart ::= [APPLICATION 27] SEQUENCE { KRB-SAFE ::= [APPLICATION 20] SEQUENCE { pvno [0] INTEGER (5), - msg-type [1] INTEGER (20), +-- msg-type [1] INTEGER (20), use k5.asn + msg-type [1] MESSAGE-TYPE, safe-body [2] KRB-SAFE-BODY, cksum [3] Checksum } @@ -308,7 +322,8 @@ KRB-SAFE-BODY ::= SEQUENCE { KRB-PRIV ::= [APPLICATION 21] SEQUENCE { pvno [0] INTEGER (5), - msg-type [1] INTEGER (21), +-- msg-type [1] INTEGER (21), Use k5.asn + msg-type [1] MESSAGE-TYPE, -- NOTE: there is no [2] tag enc-part [3] EncryptedData -- EncKrbPrivPart } @@ -324,7 +339,8 @@ EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { KRB-CRED ::= [APPLICATION 22] SEQUENCE { pvno [0] INTEGER (5), - msg-type [1] INTEGER (22), +-- msg-type [1] INTEGER (22), use k5.asn + msg-type [1] MESSAGE-TYPE, tickets [2] SEQUENCE OF Ticket, enc-part [3] EncryptedData -- EncKrbCredPart } @@ -354,7 +370,8 @@ KrbCredInfo ::= SEQUENCE { KRB-ERROR ::= [APPLICATION 30] SEQUENCE { pvno [0] INTEGER (5), - msg-type [1] INTEGER (30), +-- msg-type [1] INTEGER (30), use k5.asn + msg-type [1] MESSAGE-TYPE, ctime [2] KerberosTime OPTIONAL, cusec [3] Microseconds OPTIONAL, stime [4] KerberosTime, @@ -385,14 +402,16 @@ PA-ENC-TS-ENC ::= SEQUENCE { } ETYPE-INFO-ENTRY ::= SEQUENCE { - etype [0] Int32, +-- etype [0] Int32, use k5.asn + etype [0] ENCTYPE, salt [1] OCTET STRING OPTIONAL } ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY ETYPE-INFO2-ENTRY ::= SEQUENCE { - etype [0] Int32, +-- etype [0] Int32, use k5.asn + etype [0] ENCTYPE, salt [1] KerberosString OPTIONAL, s2kparams [2] OCTET STRING OPTIONAL } diff --git a/asn1/kerberos/Makefile.common b/asn1/kerberos/Makefile.common index f5599f972d..f0825163aa 100644 --- a/asn1/kerberos/Makefile.common +++ b/asn1/kerberos/Makefile.common @@ -32,7 +32,8 @@ EXPORT_FILES = \ EXT_ASN_FILE_LIST = -ASN_FILE_LIST = KerberosV5Spec2.asn +ASN_FILE_LIST = KerberosV5Spec2.asn \ + k5.asn # The packet-$(PROTOCOL_NAME)-template.h and $(PROTOCOL_NAME).asn # files do not exist # for all protocols: Please add/remove as required. diff --git a/asn1/kerberos/k5.asn b/asn1/kerberos/k5.asn new file mode 100644 index 0000000000..c3f35d2a42 --- /dev/null +++ b/asn1/kerberos/k5.asn @@ -0,0 +1,694 @@ +-- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz +-- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $ +-- Commented out stuff already in KerberosV5Spec2.asn +-- $Id$ +KERBEROS5 DEFINITIONS ::= +BEGIN + +NAME-TYPE ::= INTEGER { + kRB5-NT-UNKNOWN(0), -- Name type not known + kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in + kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt) + kRB5-NT-SRV-HST(3), -- Service with host name as instance + kRB5-NT-SRV-XHST(4), -- Service with host as remaining components + kRB5-NT-UID(5), -- Unique ID + kRB5-NT-X500-PRINCIPAL(6), -- PKINIT + kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name + kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN + kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID + kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name + kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID +} + +-- message types + +MESSAGE-TYPE ::= INTEGER { + krb-as-req(10), -- Request for initial authentication + krb-as-rep(11), -- Response to KRB_AS_REQ request + krb-tgs-req(12), -- Request for authentication based on TGT + krb-tgs-rep(13), -- Response to KRB_TGS_REQ request + krb-ap-req(14), -- application request to server + krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL + krb-safe(20), -- Safe (checksummed) application message + krb-priv(21), -- Private (encrypted) application message + krb-cred(22), -- Private (encrypted) message to forward credentials + krb-error(30) -- Error response +} + + +-- pa-data types + +PADATA-TYPE ::= INTEGER { + kRB5-PADATA-NONE(0), + kRB5-PADATA-TGS-REQ(1), + kRB5-PADATA-AP-REQ(1), + kRB5-PADATA-ENC-TIMESTAMP(2), + kRB5-PADATA-PW-SALT(3), + kRB5-PADATA-ENC-UNIX-TIME(5), + kRB5-PADATA-SANDIA-SECUREID(6), + kRB5-PADATA-SESAME(7), + kRB5-PADATA-OSF-DCE(8), + kRB5-PADATA-CYBERSAFE-SECUREID(9), + kRB5-PADATA-AFS3-SALT(10), + kRB5-PADATA-ETYPE-INFO(11), + kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) + kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) + kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) + kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) + kRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number) + kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) + kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) + kRB5-PADATA-PA-PK-OCSP-RESPONSE(18), + kRB5-PADATA-ETYPE-INFO2(19), + kRB5-PADATA-USE-SPECIFIED-KVNO(20), + kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number + kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) + kRB5-PADATA-GET-FROM-TYPED-DATA(22), + kRB5-PADATA-SAM-ETYPE-INFO(23), + kRB5-PADATA-SERVER-REFERRAL(25), + kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName + kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT + kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT + kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific + kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER + kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER + kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com + kRB5-PADATA-S4U2SELF(129), + kRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to + -- tell KDC that is supports + -- the asCheckSum in the + -- PK-AS-REP + kRB5-PADATA-CLIENT-CANONICALIZED(133) -- +} + +AUTHDATA-TYPE ::= INTEGER { + kRB5-AUTHDATA-IF-RELEVANT(1), + kRB5-AUTHDATA-INTENDED-FOR-SERVER(2), + kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), + kRB5-AUTHDATA-KDC-ISSUED(4), + kRB5-AUTHDATA-AND-OR(5), + kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), + kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), + kRB5-AUTHDATA-MANDATORY-FOR-KDC(8), + kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), + kRB5-AUTHDATA-OSF-DCE(64), + kRB5-AUTHDATA-SESAME(65), + kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), + kRB5-AUTHDATA-WIN2K-PAC(128), + kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only + kRB5-AUTHDATA-SIGNTICKET(-17) +} + +-- checksumtypes + +CKSUMTYPE ::= INTEGER { + cKSUMTYPE-NONE(0), + cKSUMTYPE-CRC32(1), + cKSUMTYPE-RSA-MD4(2), + cKSUMTYPE-RSA-MD4-DES(3), + cKSUMTYPE-DES-MAC(4), + cKSUMTYPE-DES-MAC-K(5), + cKSUMTYPE-RSA-MD4-DES-K(6), + cKSUMTYPE-RSA-MD5(7), + cKSUMTYPE-RSA-MD5-DES(8), + cKSUMTYPE-RSA-MD5-DES3(9), + cKSUMTYPE-SHA1-OTHER(10), + cKSUMTYPE-HMAC-SHA1-DES3(12), + cKSUMTYPE-SHA1(14), + cKSUMTYPE-HMAC-SHA1-96-AES-128(15), + cKSUMTYPE-HMAC-SHA1-96-AES-256(16), + cKSUMTYPE-GSSAPI(--0x8003--32771), + cKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number + cKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial +} + +--enctypes +ENCTYPE ::= INTEGER { + eTYPE-NULL(0), + eTYPE-DES-CBC-CRC(1), + eTYPE-DES-CBC-MD4(2), + eTYPE-DES-CBC-MD5(3), + eTYPE-DES3-CBC-MD5(5), + eTYPE-OLD-DES3-CBC-SHA1(7), + eTYPE-SIGN-DSA-GENERATE(8), + eTYPE-ENCRYPT-RSA-PRIV(9), + eTYPE-ENCRYPT-RSA-PUB(10), + eTYPE-DES3-CBC-SHA1(16), -- with key derivation + eTYPE-AES128-CTS-HMAC-SHA1-96(17), + eTYPE-AES256-CTS-HMAC-SHA1-96(18), + eTYPE-ARCFOUR-HMAC-MD5(23), + eTYPE-ARCFOUR-HMAC-MD5-56(24), + eTYPE-ENCTYPE-PK-CROSS(48), +-- some "old" windows types + eTYPE-ARCFOUR-MD4(-128), + eTYPE-ARCFOUR-HMAC-OLD(-133), + eTYPE-ARCFOUR-HMAC-OLD-EXP(-135), +-- these are for Heimdal internal use +-- eTYPE-DES-CBC-NONE(-0x1000), + eTYPE-DES-CBC-NONE( -4096), +-- eTYPE-DES3-CBC-NONE(-0x1001), + eTYPE-DES3-CBC-NONE(-4097), +-- eTYPE-DES-CFB64-NONE(-0x1002), + eTYPE-DES-CFB64-NONE(-4098), +-- eTYPE-DES-PCBC-NONE(-0x1003), + eTYPE-DES-PCBC-NONE(-4099), +-- eTYPE-DIGEST-MD5-NONE(-0x1004), - - private use, lukeh@padl.com + eTYPE-DIGEST-MD5-NONE(-4100), -- private use, lukeh@padl.com +-- eTYPE-CRAM-MD5-NONE(-0x1005) - - private use, lukeh@padl.com + eTYPE-CRAM-MD5-NONE(-4101) -- private use, lukeh@padl.com +} + +-- addr-types (WS extension ) +ADDR-TYPE ::= INTEGER { + kRB5-ADDR-IPv4(2), + kRB5-ADDR-CHAOS(5), + kRB5-ADDR-XEROX(6), + kRB5-ADDR-ISO(7), + kRB5-ADDR-DECNET(12), + kRB5-ADDR-APPLETALK(16), + kRB5-ADDR-NETBIOS(20), + kRB5-ADDR-IPv6(24) +} + + + +-- this is sugar to make something ASN1 does not have: unsigned + +Krb5uint32 ::= INTEGER (0..4294967295) +Krb5int32 ::= INTEGER (-2147483648..2147483647) + +--KerberosString ::= GeneralString + +--Realm ::= GeneralString +--PrincipalName ::= SEQUENCE { +-- name-type[0] NAME-TYPE, +-- name-string[1] SEQUENCE OF GeneralString +--} + +-- this is not part of RFC1510 +Principal ::= SEQUENCE { + name[0] PrincipalName, + realm[1] Realm +} + +--HostAddress ::= SEQUENCE { +-- addr-type [0] Krb5int32, +-- address [1] OCTET STRING +--} + +-- This is from RFC1510. +-- +-- HostAddresses ::= SEQUENCE OF SEQUENCE { +-- addr-type[0] Krb5int32, +-- address[1] OCTET STRING +-- } + +-- This seems much better. +--HostAddresses ::= SEQUENCE OF HostAddress + + +--KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z) + +--AuthorizationDataElement ::= SEQUENCE { +-- ad-type[0] Krb5int32, +-- ad-data[1] OCTET STRING +--} + +--AuthorizationData ::= SEQUENCE OF AuthorizationDataElement + +APOptions ::= BIT STRING { + reserved(0), + use-session-key(1), + mutual-required(2) +} + +TicketFlags ::= BIT STRING { + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + may-postdate(5), + postdated(6), + invalid(7), + renewable(8), + initial(9), + pre-authent(10), + hw-authent(11), + transited-policy-checked(12), + ok-as-delegate(13), + anonymous(14) +} + +KDCOptions ::= BIT STRING { + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + allow-postdate(5), + postdated(6), + unused7(7), + renewable(8), + unused9(9), + unused10(10), + unused11(11), + request-anonymous(14), + canonicalize(15), + constrained-delegation(16), -- ms extension + disable-transited-check(26), + renewable-ok(27), + enc-tkt-in-skey(28), + renew(30), + validate(31) +} + +LR-TYPE ::= INTEGER { + lR-NONE(0), -- no information + lR-INITIAL-TGT(1), -- last initial TGT request + lR-INITIAL(2), -- last initial request + lR-ISSUE-USE-TGT(3), -- time of newest TGT used + lR-RENEWAL(4), -- time of last renewal + lR-REQUEST(5), -- time of last request (of any type) + lR-PW-EXPTIME(6), -- expiration time of password + lR-ACCT-EXPTIME(7) -- expiration time of account +} + +--LastReq ::= SEQUENCE OF SEQUENCE { +-- lr-type[0] LR-TYPE, +-- lr-value[1] KerberosTime +--} + + +--EncryptedData ::= SEQUENCE { +-- etype[0] ENCTYPE, - - EncryptionType +-- kvno[1] Krb5int32 OPTIONAL, +-- cipher[2] OCTET STRING - - ciphertext +--} + +--EncryptionKey ::= SEQUENCE { +-- keytype[0] Krb5int32, +-- keyvalue[1] OCTET STRING +--} + +-- encoded Transited field +--TransitedEncoding ::= SEQUENCE { +-- tr-type[0] Krb5int32, - - must be registered +-- contents[1] OCTET STRING +--} + +--Ticket ::= [APPLICATION 1] SEQUENCE { +-- tkt-vno[0] Krb5int32, +-- realm[1] Realm, +-- sname[2] PrincipalName, +-- enc-part[3] EncryptedData +--} +-- Encrypted part of ticket +--EncTicketPart ::= [APPLICATION 3] SEQUENCE { +-- flags[0] TicketFlags, +-- key[1] EncryptionKey, +-- crealm[2] Realm, +-- cname[3] PrincipalName, +-- transited[4] TransitedEncoding, +-- authtime[5] KerberosTime, +-- starttime[6] KerberosTime OPTIONAL, +-- endtime[7] KerberosTime, +-- renew-till[8] KerberosTime OPTIONAL, +-- caddr[9] HostAddresses OPTIONAL, +-- authorization-data[10] AuthorizationData OPTIONAL +--} + +--Checksum ::= SEQUENCE { +-- cksumtype[0] CKSUMTYPE, +-- checksum[1] OCTET STRING +--} + +--Authenticator ::= [APPLICATION 2] SEQUENCE { +-- authenticator-vno[0] Krb5int32, +-- crealm[1] Realm, +-- cname[2] PrincipalName, +-- cksum[3] Checksum OPTIONAL, +-- cusec[4] Krb5int32, +-- ctime[5] KerberosTime, +-- subkey[6] EncryptionKey OPTIONAL, +-- seq-number[7] Krb5uint32 OPTIONAL, +-- authorization-data[8] AuthorizationData OPTIONAL +--} + +--PA-DATA ::= SEQUENCE { + -- might be encoded AP-REQ +-- padata-type[1] PADATA-TYPE, +-- padata-value[2] OCTET STRING +--} + +--ETYPE-INFO-ENTRY ::= SEQUENCE { +-- etype[0] ENCTYPE, +-- salt[1] OCTET STRING OPTIONAL, +-- salttype[2] Krb5int32 OPTIONAL +--} + +--ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +--ETYPE-INFO2-ENTRY ::= SEQUENCE { +-- etype[0] ENCTYPE, +-- salt[1] KerberosString OPTIONAL, +-- s2kparams[2] OCTET STRING OPTIONAL +--} + +--ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +-- METHOD-DATA ::= SEQUENCE OF PA-DATA + +--TypedData ::= SEQUENCE { +-- data-type[0] Krb5int32, +-- data-value[1] OCTET STRING OPTIONAL +--} + +--TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData + +--KDC-REQ-BODY ::= SEQUENCE { +-- kdc-options[0] KDCOptions, +-- cname[1] PrincipalName OPTIONAL, - - Used only in AS-REQ +-- realm[2] Realm, - - Server's realm + -- Also client's in AS-REQ +-- sname[3] PrincipalName OPTIONAL, +-- from[4] KerberosTime OPTIONAL, +-- till[5] KerberosTime OPTIONAL, +-- rtime[6] KerberosTime OPTIONAL, +-- nonce[7] Krb5int32, +-- etype[8] SEQUENCE OF ENCTYPE, - - EncryptionType, + -- in preference order +-- addresses[9] HostAddresses OPTIONAL, +-- enc-authorization-data[10] EncryptedData OPTIONAL, + -- Encrypted AuthorizationData encoding +-- additional-tickets[11] SEQUENCE OF Ticket OPTIONAL +--} + +--KDC-REQ ::= SEQUENCE { +-- pvno[1] Krb5int32, +-- msg-type[2] MESSAGE-TYPE, +-- padata[3] METHOD-DATA OPTIONAL, +-- req-body[4] KDC-REQ-BODY +--} + +--AS-REQ ::= [APPLICATION 10] KDC-REQ +--TGS-REQ ::= [APPLICATION 12] KDC-REQ + +-- padata-type ::= PA-ENC-TIMESTAMP +-- padata-value ::= EncryptedData - PA-ENC-TS-ENC + +--PA-ENC-TS-ENC ::= SEQUENCE { +-- patimestamp[0] KerberosTime, - - client's time +-- pausec[1] Krb5int32 OPTIONAL +--} + +-- draft-brezak-win2k-krb-authz-01 +PA-PAC-REQUEST ::= SEQUENCE { + include-pac[0] BOOLEAN -- Indicates whether a PAC + -- should be included or not +} + +-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf +PROV-SRV-LOCATION ::= GeneralString + +--KDC-REP ::= SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- padata[2] METHOD-DATA OPTIONAL, +-- crealm[3] Realm, +-- cname[4] PrincipalName, +-- ticket[5] Ticket, +-- enc-part[6] EncryptedData +--} + +--AS-REP ::= [APPLICATION 11] KDC-REP +--TGS-REP ::= [APPLICATION 13] KDC-REP + +--EncKDCRepPart ::= SEQUENCE { +-- key[0] EncryptionKey, +-- last-req[1] LastReq, +-- nonce[2] Krb5int32, +-- key-expiration[3] KerberosTime OPTIONAL, +-- flags[4] TicketFlags, +-- authtime[5] KerberosTime, +-- starttime[6] KerberosTime OPTIONAL, +-- endtime[7] KerberosTime, +-- renew-till[8] KerberosTime OPTIONAL, +-- srealm[9] Realm, +-- sname[10] PrincipalName, +-- caddr[11] HostAddresses OPTIONAL, +-- encrypted-pa-data[12] METHOD-DATA OPTIONAL +--} + +--EncASRepPart ::= [APPLICATION 25] EncKDCRepPart +--EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +--AP-REQ ::= [APPLICATION 14] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- ap-options[2] APOptions, +-- ticket[3] Ticket, +-- authenticator[4] EncryptedData +--} + +--AP-REP ::= [APPLICATION 15] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- enc-part[2] EncryptedData +--} + +--EncAPRepPart ::= [APPLICATION 27] SEQUENCE { +-- ctime[0] KerberosTime, +-- cusec[1] Krb5int32, +-- subkey[2] EncryptionKey OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL +--} + +--KRB-SAFE-BODY ::= SEQUENCE { +-- user-data[0] OCTET STRING, +-- timestamp[1] KerberosTime OPTIONAL, +-- usec[2] Krb5int32 OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, +-- r-address[5] HostAddress OPTIONAL +--} + +--KRB-SAFE ::= [APPLICATION 20] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- safe-body[2] KRB-SAFE-BODY, +-- cksum[3] Checksum +--} + +--KRB-PRIV ::= [APPLICATION 21] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- enc-part[3] EncryptedData +--} +--EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { +-- user-data[0] OCTET STRING, +-- timestamp[1] KerberosTime OPTIONAL, +-- usec[2] Krb5int32 OPTIONAL, +-- seq-number[3] Krb5uint32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, - - sender's addr +-- r-address[5] HostAddress OPTIONAL - - recip's addr +--} + +--KRB-CRED ::= [APPLICATION 22] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, - - KRB_CRED +-- tickets[2] SEQUENCE OF Ticket, +-- enc-part[3] EncryptedData +--} + +--KrbCredInfo ::= SEQUENCE { +-- key[0] EncryptionKey, +-- prealm[1] Realm OPTIONAL, +-- pname[2] PrincipalName OPTIONAL, +-- flags[3] TicketFlags OPTIONAL, +-- authtime[4] KerberosTime OPTIONAL, +-- starttime[5] KerberosTime OPTIONAL, +-- endtime[6] KerberosTime OPTIONAL, +-- renew-till[7] KerberosTime OPTIONAL, +-- srealm[8] Realm OPTIONAL, +-- sname[9] PrincipalName OPTIONAL, +-- caddr[10] HostAddresses OPTIONAL +--} + +--EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { +-- ticket-info[0] SEQUENCE OF KrbCredInfo, +-- nonce[1] Krb5int32 OPTIONAL, +-- timestamp[2] KerberosTime OPTIONAL, +-- usec[3] Krb5int32 OPTIONAL, +-- s-address[4] HostAddress OPTIONAL, +-- r-address[5] HostAddress OPTIONAL +--} + +--KRB-ERROR ::= [APPLICATION 30] SEQUENCE { +-- pvno[0] Krb5int32, +-- msg-type[1] MESSAGE-TYPE, +-- ctime[2] KerberosTime OPTIONAL, +-- cusec[3] Krb5int32 OPTIONAL, +-- stime[4] KerberosTime, +-- susec[5] Krb5int32, +-- error-code[6] Krb5int32, +-- crealm[7] Realm OPTIONAL, +-- cname[8] PrincipalName OPTIONAL, +-- realm[9] Realm, - - Correct realm +-- sname[10] PrincipalName, - - Correct name +-- e-text[11] GeneralString OPTIONAL, +-- e-data[12] OCTET STRING OPTIONAL +--} + +ChangePasswdDataMS ::= SEQUENCE { + newpasswd[0] OCTET STRING, + targname[1] PrincipalName OPTIONAL, + targrealm[2] Realm OPTIONAL +} + +EtypeList ::= SEQUENCE OF Krb5int32 + -- the client's proposed enctype list in + -- decreasing preference order, favorite choice first + +--krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number + +-- transited encodings + +--DOMAIN-X500-COMPRESS Krb5int32 ::= 1 + +-- authorization data primitives + +--AD-IF-RELEVANT ::= AuthorizationData + +--AD-KDCIssued ::= SEQUENCE { +-- ad-checksum[0] Checksum, +-- i-realm[1] Realm OPTIONAL, +-- i-sname[2] PrincipalName OPTIONAL, +-- elements[3] AuthorizationData +--} + +--AD-AND-OR ::= SEQUENCE { +-- condition-count[0] INTEGER, +-- elements[1] AuthorizationData +--} + +--AD-MANDATORY-FOR-KDC ::= AuthorizationData + +-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2 + +PA-SAM-TYPE ::= INTEGER { + pA-SAM-TYPE-ENIGMA(1), -- Enigma Logic + pA-SAM-TYPE-DIGI-PATH(2), -- Digital Pathways + pA-SAM-TYPE-SKEY-K0(3), -- S/key where KDC has key 0 + pA-SAM-TYPE-SKEY(4), -- Traditional S/Key + pA-SAM-TYPE-SECURID(5), -- Security Dynamics + pA-SAM-TYPE-CRYPTOCARD(6) -- CRYPTOCard +} + +PA-SAM-REDIRECT ::= HostAddresses + +SAMFlags ::= BIT STRING { + use-sad-as-key(0), + send-encrypted-sad(1), + must-pk-encrypt-sad(2) +} + +PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE { + sam-type[0] Krb5int32, + sam-flags[1] SAMFlags, + sam-type-name[2] GeneralString OPTIONAL, + sam-track-id[3] GeneralString OPTIONAL, + sam-challenge-label[4] GeneralString OPTIONAL, + sam-challenge[5] GeneralString OPTIONAL, + sam-response-prompt[6] GeneralString OPTIONAL, + sam-pk-for-sad[7] EncryptionKey OPTIONAL, + sam-nonce[8] Krb5int32, + sam-etype[9] Krb5int32, + ... +} + +PA-SAM-CHALLENGE-2 ::= SEQUENCE { + sam-body[0] PA-SAM-CHALLENGE-2-BODY, + sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX) + ... +} + +PA-SAM-RESPONSE-2 ::= SEQUENCE { + sam-type[0] Krb5int32, + sam-flags[1] SAMFlags, + sam-track-id[2] GeneralString OPTIONAL, + sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC + sam-nonce[4] Krb5int32, + ... +} + +PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE { + sam-nonce[0] Krb5int32, + sam-sad[1] GeneralString OPTIONAL, + ... +} + +PA-S4U2Self ::= SEQUENCE { + name[0] PrincipalName, + realm[1] Realm, + cksum[2] Checksum, + auth[3] GeneralString +} + +KRB5SignedPathPrincipals ::= SEQUENCE OF Principal + +-- never encoded on the wire, just used to checksum over +KRB5SignedPathData ::= SEQUENCE { + encticket[0] EncTicketPart, + delegated[1] KRB5SignedPathPrincipals OPTIONAL +} + +KRB5SignedPath ::= SEQUENCE { + -- DERcoded KRB5SignedPathData + -- krbtgt key (etype), KeyUsage = XXX + etype[0] ENCTYPE, + cksum[1] Checksum, + -- srvs delegated though + delegated[2] KRB5SignedPathPrincipals OPTIONAL +} + +PA-ClientCanonicalizedNames ::= SEQUENCE{ + requested-name [0] PrincipalName, + mapped-name [1] PrincipalName +} + +PA-ClientCanonicalized ::= SEQUENCE { + names [0] PA-ClientCanonicalizedNames, + canon-checksum [1] Checksum +} + +AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD -- + login-alias [0] PrincipalName, + checksum [1] Checksum +} + +-- old ms referral +PA-SvrReferralData ::= SEQUENCE { + referred-name [1] PrincipalName OPTIONAL, + referred-realm [0] Realm +} + +PA-SERVER-REFERRAL-DATA ::= EncryptedData + +PA-ServerReferralData ::= SEQUENCE { + referred-realm [0] Realm OPTIONAL, + true-principal-name [1] PrincipalName OPTIONAL, + requested-principal-name [2] PrincipalName OPTIONAL, + referral-valid-until [3] KerberosTime OPTIONAL, + ... +} +-- WS put extensions found elsewere here +-- http://msdn.microsoft.com/en-us/library/cc206948.aspx +-- +KERB-PA-PAC-REQUEST ::= SEQUENCE { +include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. + --If FALSE, and PAC present, remove PAC +} +END + +-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1 diff --git a/asn1/kerberos/kerberos.cnf b/asn1/kerberos/kerberos.cnf index 451bb7cfca..9b74a2d5fe 100644 --- a/asn1/kerberos/kerberos.cnf +++ b/asn1/kerberos/kerberos.cnf @@ -12,7 +12,7 @@ Realm EncryptedData/etype encryptedData_etype KDC-REQ-BODY/etype kDC-REQ-BODY_etype -#.FN_BODY KDC-REQ/msg-type VAL_PTR = &msgtype +#.FN_BODY MESSAGE-TYPE VAL_PTR = &msgtype guint32 msgtype; %(DEFAULT_BODY)s @@ -29,9 +29,8 @@ guint32 msgtype; #.FN_BODY Int32 VAL_PTR = actx->value_ptr %(DEFAULT_BODY)s -#.FN_BODY PA-DATA/padata-type -/* Calling Int32 returns the value in ctx->value_ptr */ -actx->value_ptr = &krb_PA_DATA_type; +#.FN_BODY PADATA-TYPE VAL_PTR = &krb_PA_DATA_type + %(DEFAULT_BODY)s krb_PA_DATA_type&=0xff; /*this is really just one single byte */ @@ -50,49 +49,42 @@ proto_tree *sub_tree=tree; switch(krb_PA_DATA_type){ case KRB5_PA_TGS_REQ: - offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_kerberos_Applications); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications); break; case KRB5_PA_PK_AS_REQ: - offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_pkinit_PaPkAsReq); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq); break; case KRB5_PA_PK_AS_REP: - offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_pkinit_PaPkAsRep); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep); break; - /* case KRB5_PA_PAC_REQUEST: - offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_PAC_REQUEST); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST); break; case KRB5_PA_S4U2SELF: - offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_S4U2SELF); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self); break; case KRB5_PA_PROV_SRV_LOCATION: - offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_PROV_SRV_LOCATION); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION); break; - */ case KRB5_PA_ENC_TIMESTAMP: - offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_kerberos_PA_ENC_TIMESTAMP); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP); break; - /* case KRB5_PA_ENCTYPE_INFO: - offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_ENCTYPE_INFO); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO); break; case KRB5_PA_ENCTYPE_INFO2: - offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_ENCTYPE_INFO2); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2); break; case KRB5_PA_PW_SALT: - offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PW_SALT); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT); break; - */ default: - offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, NULL); + offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL); } /*qqq*/ #.TYPE_ATTR -KDC-REQ/msg-type TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(krb5_msg_types) -# this does not work for some reason :( -EncryptedData/etype TYPE = FT_UINT32 DISPLAY = BASE_DEC STRINGS = VALS(krb5_encryption_types) - +#xxx TYPE = FT_UINT16 DISPLAY = BASE_DEC STRINGS = VALS(xx_vals) diff --git a/asn1/kerberos/packet-kerberos-template.c b/asn1/kerberos/packet-kerberos-template.c index 529e2379ee..8344952fc2 100644 --- a/asn1/kerberos/packet-kerberos-template.c +++ b/asn1/kerberos/packet-kerberos-template.c @@ -118,7 +118,10 @@ static gboolean do_col_info; /* Forward declarations */ static int dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); static int dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); - +static int dissect_kerberos_KERB_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); +static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_); /* Desegment Kerberos over TCP messages */ static gboolean krb_desegment = TRUE; @@ -128,6 +131,9 @@ static struct { const char *set; const char *unset; } bitval = { "Set", "Not set static gint hf_krb_rm_reserved = -1; static gint hf_krb_rm_reclen = -1; +static gint hf_krb_provsrv_location = -1; +static gint hf_krb_smb_nt_status = -1; +static gint hf_krb_smb_unknown = -1; #include "packet-kerberos-hf.c" /* Initialize the subtree pointers */ @@ -1253,6 +1259,48 @@ dissect_krb5_decrypt_authenticator_data (proto_tree *tree, tvbuff_t *tvb, int of } #endif +static int +dissect_krb5_PA_PROV_SRV_LOCATION(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) +{ + offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0); + + return offset; +} + +static int +dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) +{ + guint32 nt_status; + + /* Microsoft stores a special 12 byte blob here + * guint32 NT_status + * guint32 unknown + * guint32 unknown + * decode everything as this blob for now until we see if anyone + * else ever uses it or we learn how to tell wether this + * is such an MS blob or not. + */ + proto_tree_add_item(tree, hf_krb_smb_nt_status, tvb, offset, 4, + TRUE); + nt_status=tvb_get_letohl(tvb, offset); + if(nt_status && check_col(actx->pinfo->cinfo, COL_INFO)) { + col_append_fstr(actx->pinfo->cinfo, COL_INFO, + " NT Status: %s", + val_to_str(nt_status, NT_errors, + "Unknown error code %#x")); + } + offset += 4; + + proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4, + TRUE); + offset += 4; + + proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4, + TRUE); + offset += 4; + + return offset; +} #include "packet-kerberos-fn.c" @@ -1482,6 +1530,15 @@ void proto_register_kerberos(void) { { &hf_krb_rm_reclen, { "Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC, NULL, KRB_RM_RECLEN, "Record length", HFILL }}, + { &hf_krb_provsrv_location, { + "PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE, + NULL, 0, "PacketCable PROV SRV Location", HFILL }}, + { &hf_krb_smb_nt_status, + { "NT Status", "kerberos.smb.nt_status", FT_UINT32, BASE_HEX, + VALS(NT_errors), 0, "NT Status code", HFILL }}, + { &hf_krb_smb_unknown, + { "Unknown", "kerberos.smb.unknown", FT_UINT32, BASE_HEX, + NULL, 0, "unknown", HFILL }}, #include "packet-kerberos-hfarr.c" }; -- cgit v1.2.3