tests/krb5: Add more ASN1 definitions for FAST
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 5 Jul 2021 22:21:07 +0000 (10:21 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 18 Aug 2021 22:28:34 +0000 (22:28 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
python/samba/tests/krb5/rfc4120.asn1
python/samba/tests/krb5/rfc4120_constants.py
python/samba/tests/krb5/rfc4120_pyasn1.py

index d81d06ad6f7a9fad604733eb42d92b22634d36f5..f47c1d002029f70ff503b8ce375a23beabedbcd0 100644 (file)
@@ -1,3 +1,43 @@
+-- Portions of these ASN.1 modules are structures are from RFC6113
+-- authored by S. Hartman (Painless Security) and L. Zhu (Microsoft)
+--
+-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the
+-- code. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, is permitted pursuant to, and subject to the license terms
+-- contained in, the Simplified BSD License set forth in Section 4.c of the IETF
+-- Trust’s Legal Provisions Relating to IETF Documents
+-- (http://trustee.ietf.org/license-info).
+--
+-- BSD License:
+--
+-- Copyright (c) 2011 IETF Trust and the persons identified as authors of the code. All rights reserved.
+-- Redistribution and use in source and binary forms, with or without modification, are permitted provided
+-- that the following conditions are met:
+-- • Redistributions of source code must retain the above copyright notice, this list of conditions and
+-- the following disclaimer.
+--
+-- • Redistributions in binary form must reproduce the above copyright notice, this list of conditions
+-- and the following disclaimer in the documentation and/or other materials provided with the
+-- distribution.
+--
+-- • Neither the name of Internet Society, IETF or IETF Trust, nor the names of specific contributors,
+-- may be used to endorse or promote products derived from this software without specific prior written
+-- permission.
+-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
+-- AND  ANY  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+-- ARE  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+-- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+-- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+-- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+-- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+-- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+-- POSSIBILITY OF SUCH DAMAGE.
+--
+
 KerberosV5Spec2 {
         iso(1) identified-organization(3) dod(6) internet(1)
         security(5) kerberosV5(2) modules(4) krb5spec2(2)
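Review bot: The first line of the new license notice reads `-- Portions of these ASN.1 modules are structures are from RFC6113`, which doubles "are" and should be `-- Portions of these ASN.1 modules are structures from RFC6113` (or "... contain structures from RFC 6113"). Since this header is what documents the provenance and terms of the borrowed definitions, it is worth getting the wording right before it is copied into other Samba test files. The surrounding module body (`KerberosV5Spec2 { ... }`) continues beyond the hunk.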
@@ -464,6 +504,69 @@ PA-PAC-OPTIONS ::= SEQUENCE {
 KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type --
 KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey
 
+FastOptions     ::= BIT STRING {
+        reserved(0),
+        hide-client-names(1),
+        kdc-follow-referrals(16)
+}
+
+KrbFastReq      ::= SEQUENCE {
+        fast-options    [0] FastOptions,
+        padata          [1] SEQUENCE OF PA-DATA,
+        req-body        [2] KDC-REQ-BODY,
+        ...
+}
+
+KrbFastArmor    ::= SEQUENCE {
+        armor-type      [0] Int32,
+        armor-value     [1] OCTET STRING,
+        ...
+}
+
+KrbFastArmoredReq ::= SEQUENCE {
+        armor           [0] KrbFastArmor OPTIONAL,
+        req-checksum    [1] Checksum,
+        enc-fast-req    [2] EncryptedData -- KrbFastReq --
+}
+
+PA-FX-FAST-REQUEST ::= CHOICE {
+        armored-data    [0] KrbFastArmoredReq,
+        ...
+}
+
+KrbFastFinished ::= SEQUENCE {
+        timestamp       [0] KerberosTime,
+        usec            [1] Int32,
+        crealm          [2] Realm,
+        cname           [3] PrincipalName,
+        ticket-checksum [4] Checksum,
+        ...
+}
+
+KrbFastResponse ::= SEQUENCE {
+        padata          [0] SEQUENCE OF PA-DATA,
+                -- padata typed holes.
+        strengthen-key  [1] EncryptionKey OPTIONAL,
+                -- This, if present, strengthens the reply key for AS and
+                -- TGS. MUST be present for TGS.
+                -- MUST be absent in KRB-ERROR.
+        finished        [2] KrbFastFinished OPTIONAL,
+               -- Present in AS or TGS reply; absent otherwise.
+        nonce           [3] UInt32,
+               -- Nonce from the client request.
+        ...
+}
+
+KrbFastArmoredRep ::= SEQUENCE {
+        enc-fast-rep    [0] EncryptedData, -- KrbFastResponse --
+        ...
+}
+
+PA-FX-FAST-REPLY ::= CHOICE {
+        armored-data    [0] KrbFastArmoredRep,
+        ...
+}
+
 -- MS-KILE End
 --
 --
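Review bot: `FastOptions` is declared here as a bare `BIT STRING` with named bits, whereas RFC 6113 §5.4.2 defines it as `FastOptions ::= KerberosFlags`, and RFC 4120 §5.2.8 requires KerberosFlags to be encoded with at least 32 bits; a BER encoder that trims a named-bit string to its highest set bit (which the generated `class FastOptions(univ.BitString)` in rfc4120_pyasn1.py presumably allows) would then emit a short bit string that a strict KDC may reject or misread, so the tests would probe encoding rather than FAST semantics. Consider following the pattern the file already uses for `PACOptionFlags` and writing `FastOptions ::= KerberosFlags` with the three bit names kept as `--` comments, or otherwise guaranteeing 32-bit padding where the value is built. Separately, `KrbFastArmoredReq` is the only new SEQUENCE without the `...` extension marker that RFC 6113 gives it; add `enc-fast-req    [2] EncryptedData, -- KrbFastReq --` followed by `...` so an armored request carrying a future extension still decodes, matching `KrbFastArmoredRep` just below.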
@@ -631,7 +734,8 @@ PADataTypeValues ::= INTEGER {
        kRB5-PADATA-PKINIT-KX(147),             -- krb-wg-anon
        kRB5-PADATA-PKU2U-NAME(148),            -- zhu-pku2u
        kRB5-PADATA-REQ-ENC-PA-REP(149),        --
-       kRB5-PADATA-SUPPORTED-ETYPES(165)       -- MS-KILE
+       kRB5-PADATA-SUPPORTED-ETYPES(165),      -- MS-KILE
+       kRB5-PADATA-PAC-OPTIONS(167)            -- MS-KILE
 }
 PADataTypeSequence ::= SEQUENCE {
         dummy [0] PADataTypeValues
index b00b8b48ae5cd71bfff6d8d01a13031f5bb2a690..e1a688991a76825adc01fc2264ff58704c76824a 100644 (file)
@@ -36,29 +36,44 @@ KRB_TGS_REQ = int(krb5_asn1.MessageTypeValues('krb-tgs-req'))
 # PAData types
 PADATA_ENC_TIMESTAMP = int(
     krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP'))
+PADATA_ENCRYPTED_CHALLENGE = int(
+    krb5_asn1.PADataTypeValues('kRB5-PADATA-ENCRYPTED-CHALLENGE'))
 PADATA_ETYPE_INFO = int(
     krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO'))
 PADATA_ETYPE_INFO2 = int(
     krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2'))
 PADATA_FOR_USER = int(
     krb5_asn1.PADataTypeValues('kRB5-PADATA-FOR-USER'))
+PADATA_FX_COOKIE = int(
+    krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-COOKIE'))
+PADATA_FX_ERROR = int(
+    krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-ERROR'))
+PADATA_FX_FAST = int(
+    krb5_asn1.PADataTypeValues('kRB5-PADATA-FX-FAST'))
 PADATA_KDC_REQ = int(
     krb5_asn1.PADataTypeValues('kRB5-PADATA-KDC-REQ'))
+PADATA_PAC_OPTIONS = int(
+    krb5_asn1.PADataTypeValues('kRB5-PADATA-PAC-OPTIONS'))
 PADATA_PAC_REQUEST = int(
     krb5_asn1.PADataTypeValues('kRB5-PADATA-PA-PAC-REQUEST'))
 PADATA_PK_AS_REQ = int(
     krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REQ'))
 PADATA_PK_AS_REP_19 = int(
     krb5_asn1.PADataTypeValues('kRB5-PADATA-PK-AS-REP-19'))
+PADATA_SUPPORTED_ETYPES = int(
+    krb5_asn1.PADataTypeValues('kRB5-PADATA-SUPPORTED-ETYPES'))
 
 # Error codes
 KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
+KDC_ERR_POLICY = 12
 KDC_ERR_ETYPE_NOSUPP = 14
 KDC_ERR_PREAUTH_FAILED = 24
 KDC_ERR_PREAUTH_REQUIRED = 25
+KDC_ERR_NOT_US = 35
 KDC_ERR_BADMATCH = 36
 KDC_ERR_SKEW = 37
 KDC_ERR_GENERIC = 60
+KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93
 
 # Name types
 NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN'))
@@ -67,6 +82,7 @@ NT_SRV_HST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-HST'))
 NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST'))
 NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues(
     'kRB5-NT-ENTERPRISE-PRINCIPAL'))
+NT_WELLKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-WELLKNOWN'))
 
 # Authorization data ad-type values
 
@@ -79,6 +95,8 @@ AD_MANDATORY_TICKET_EXTENSIONS = 6
 AD_IN_TICKET_EXTENSIONS = 7
 AD_MANDATORY_FOR_KDC = 8
 AD_INITIAL_VERIFIED_CAS = 9
+AD_FX_FAST_ARMOR = 71
+AD_FX_FAST_USED = 72
 AD_WIN2K_PAC = 128
 AD_SIGNTICKET = 512
 
@@ -133,3 +151,18 @@ KU_KRB_SAFE_CKSUM = 15
     (section 5.6.1) '''
 KU_NON_KERB_SALT = 16
 KU_NON_KERB_CKSUM_SALT = 17
+
+KU_ACCEPTOR_SEAL = 22
+KU_ACCEPTOR_SIGN = 23
+KU_INITIATOR_SEAL = 24
+KU_INITIATOR_SIGN = 25
+
+KU_FAST_REQ_CHKSUM = 50
+KU_FAST_ENC = 51
+KU_FAST_REP = 52
+KU_FAST_FINISHED = 53
+KU_ENC_CHALLENGE_CLIENT = 54
+KU_ENC_CHALLENGE_KDC = 55
+
+# Armor types
+FX_FAST_ARMOR_AP_REQUEST = 1
index 56fe02a68f04c7ab615734231d261722b1e035af..39ec8ed798268b2325a628b4401c7a832bbe2060 100644 (file)
@@ -1,5 +1,5 @@
 # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1
-# (last modified on 2021-06-16 08:54:13.969508)
+# (last modified on 2021-06-25 12:10:34.484667)
 
 # KerberosV5Spec2
 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful
@@ -619,6 +619,17 @@ EncryptionTypeSequence.componentType = namedtype.NamedTypes(
 )
 
 
+class FastOptions(univ.BitString):
+    pass
+
+
+FastOptions.namedValues = namedval.NamedValues(
+    ('reserved', 0),
+    ('hide-client-names', 1),
+    ('kdc-follow-referrals', 16)
+)
+
+
 class KDCOptionsValues(univ.BitString):
     pass
 
@@ -800,6 +811,72 @@ KerbErrorDataTypeSequence.componentType = namedtype.NamedTypes(
 )
 
 
+class KrbFastArmor(univ.Sequence):
+    pass
+
+
+KrbFastArmor.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('armor-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+    namedtype.NamedType('armor-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
+)
+
+
+class KrbFastArmoredRep(univ.Sequence):
+    pass
+
+
+KrbFastArmoredRep.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('enc-fast-rep', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0)))
+)
+
+
+class KrbFastArmoredReq(univ.Sequence):
+    pass
+
+
+KrbFastArmoredReq.componentType = namedtype.NamedTypes(
+    namedtype.OptionalNamedType('armor', KrbFastArmor().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))),
+    namedtype.NamedType('req-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
+    namedtype.NamedType('enc-fast-req', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)))
+)
+
+
+class KrbFastFinished(univ.Sequence):
+    pass
+
+
+KrbFastFinished.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+    namedtype.NamedType('usec', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+    namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
+    namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))),
+    namedtype.NamedType('ticket-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4)))
+)
+
+
+class KrbFastReq(univ.Sequence):
+    pass
+
+
+KrbFastReq.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('fast-options', FastOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+    namedtype.NamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
+    namedtype.NamedType('req-body', KDC_REQ_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2)))
+)
+
+
+class KrbFastResponse(univ.Sequence):
+    pass
+
+
+KrbFastResponse.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
+    namedtype.OptionalNamedType('strengthen-key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
+    namedtype.OptionalNamedType('finished', KrbFastFinished().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))),
+    namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)))
+)
+
+
 class MessageTypeValues(univ.Integer):
     pass
 
@@ -871,6 +948,24 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes(
 )
 
 
+class PA_FX_FAST_REPLY(univ.Choice):
+    pass
+
+
+PA_FX_FAST_REPLY.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('armored-data', KrbFastArmoredRep().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0)))
+)
+
+
+class PA_FX_FAST_REQUEST(univ.Choice):
+    pass
+
+
+PA_FX_FAST_REQUEST.componentType = namedtype.NamedTypes(
+    namedtype.NamedType('armored-data', KrbFastArmoredReq().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0)))
+)
+
+
 class PACOptionFlags(KerberosFlags):
     pass
 
@@ -980,7 +1075,8 @@ PADataTypeValues.namedValues = namedval.NamedValues(
     ('kRB5-PADATA-PKINIT-KX', 147),
     ('kRB5-PADATA-PKU2U-NAME', 148),
     ('kRB5-PADATA-REQ-ENC-PA-REP', 149),
-    ('kRB5-PADATA-SUPPORTED-ETYPES', 165)
+    ('kRB5-PADATA-SUPPORTED-ETYPES', 165),
+    ('kRB5-PADATA-PAC-OPTIONS', 167)
 )