Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsg upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-05 17:47:29 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-05 17:47:29 +0000
commit: 4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree: 8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/lib/asn1/krb5.asn1
parent: Initial commit. (diff)
download: samba-upstream.tar.xz
samba-upstream.zip
1 files changed, 1052 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/asn1/krb5.asn1 b/third_party/heimdal/lib/asn1/krb5.asn1
new file mode 100644
index 0000000..00a0acb
--- /dev/null
+++ b/third_party/heimdal/lib/asn1/krb5.asn1
@@ -0,0 +1,1052 @@
+-- $Id$
+
+KERBEROS5 DEFINITIONS ::=
+BEGIN
+EXPORTS
+	AD-AND-OR,
+	AD-IF-RELEVANT,
+	AD-KDCIssued,
+	AD-LoginAlias,
+	AP-REP,
+	AP-REQ,
+	AS-REP,
+	AS-REQ,
+	AUTHDATA-TYPE,
+	Authenticator,
+	AuthorizationData,
+	AuthorizationDataElement,
+	CKSUMTYPE,
+	ChangePasswdDataMS,
+	Checksum,
+        CompositePrincipal,
+	ENCTYPE,
+	ETYPE-INFO,
+	ETYPE-INFO-ENTRY,
+	ETYPE-INFO2,
+	ETYPE-INFO2-ENTRY,
+	EncAPRepPart,
+	EncASRepPart,
+	EncKDCRepPart,
+	EncKrbCredPart,
+	EncKrbPrivPart,
+	EncTGSRepPart,
+	EncTicketPart,
+	EncryptedData,
+	EncryptionKey,
+	EtypeList,
+	HostAddress,
+	HostAddresses,
+	KDC-REQ-BODY,
+	KDCOptions,
+	KDC-REP,
+	KRB-CRED,
+	KRB-ERROR,
+	KRB-PRIV,
+	KRB-SAFE,
+	KRB-SAFE-BODY,
+	KerberosString,
+	KerberosTime,
+	KrbCredInfo,
+	LR-TYPE,
+	LastReq,
+	METHOD-DATA,
+	NAME-TYPE,
+	PA-ClientCanonicalized,
+	PA-ClientCanonicalizedNames,
+	PA-DATA,
+	PA-ENC-TS-ENC,
+	PA-KERB-KEY-LIST-REP,
+	PA-KERB-KEY-LIST-REQ,
+	PA-PAC-OPTIONS,
+	PA-PAC-REQUEST,
+	PA-S4U2Self,
+	PA-S4U-X509-USER,
+	PA-SERVER-REFERRAL-DATA,
+	PA-ServerReferralData,
+	PA-SvrReferralData,
+	PADATA-TYPE,
+	PA-FX-FAST-REQUEST,
+	PA-FX-FAST-REPLY,
+	Principal,
+	PrincipalName,
+	Principals,
+	Realm,
+	TGS-REP,
+	TGS-REQ,
+	Ticket,
+	TicketFlags,
+	TransitedEncoding,
+	TypedData,
+	KrbFastResponse,
+	KrbFastFinished,
+	KrbFastReq,
+	KrbFastArmor,
+	KrbFastArmoredReq,
+	KDCFastState,
+	KDCFastCookie,
+	KDC-PROXY-MESSAGE,
+	KERB-AD-RESTRICTION-ENTRY,
+	KERB-TIMES,
+	KERB-CRED,
+	KERB-TGS-REQ-IN,
+	KERB-TGS-REQ-OUT,
+	KERB-ARMOR-SERVICE-REPLY
+	;
+
+NAME-TYPE ::= INTEGER {
+	KRB5_NT_UNKNOWN(0),	-- Name type not known
+	KRB5_NT_PRINCIPAL(1),	-- Just the name of the principal as in
+	KRB5_NT_SRV_INST(2),	-- Service and other unique instance (krbtgt)
+	KRB5_NT_SRV_HST(3),	-- Service with host name as instance
+	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
+	KRB5_NT_UID(5),		-- Unique ID
+	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
+	KRB5_NT_SMTP_NAME(7),	-- Name in form of SMTP email name
+	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
+	KRB5_NT_WELLKNOWN(11),	-- Wellknown
+	KRB5_NT_SRV_HST_DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
+	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
+	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
+	KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
+	KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
+	KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
+	KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove
+	KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
+	KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed
+}
+
+-- message types
+
+MESSAGE-TYPE ::= INTEGER {
+	krb-as-req(10), -- Request for initial authentication
+	krb-as-rep(11), -- Response to KRB_AS_REQ request
+	krb-tgs-req(12), -- Request for authentication based on TGT
+	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
+	krb-ap-req(14), -- application request to server
+	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
+	krb-safe(20), -- Safe (checksummed) application message
+	krb-priv(21), -- Private (encrypted) application message
+	krb-cred(22), -- Private (encrypted) message to forward credentials
+	krb-error(30) -- Error response
+}
+
+
+-- pa-data types
+
+PADATA-TYPE ::= INTEGER {
+	KRB5-PADATA-NONE(0),
+	KRB5-PADATA-TGS-REQ(1),
+	KRB5-PADATA-AP-REQ(1),
+	KRB5-PADATA-ENC-TIMESTAMP(2),
+	KRB5-PADATA-PW-SALT(3),
+	KRB5-PADATA-ENC-UNIX-TIME(5),
+	KRB5-PADATA-SANDIA-SECUREID(6),
+	KRB5-PADATA-SESAME(7),
+	KRB5-PADATA-OSF-DCE(8),
+	KRB5-PADATA-CYBERSAFE-SECUREID(9),
+	KRB5-PADATA-AFS3-SALT(10),
+	KRB5-PADATA-ETYPE-INFO(11),
+	KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
+	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
+	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
+	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
+	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
+	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
+	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
+	KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
+	KRB5-PADATA-ETYPE-INFO2(19),
+	KRB5-PADATA-USE-SPECIFIED-KVNO(20),
+	KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
+	KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
+	KRB5-PADATA-GET-FROM-TYPED-DATA(22),
+	KRB5-PADATA-SAM-ETYPE-INFO(23),
+	KRB5-PADATA-SERVER-REFERRAL(25),
+	KRB5-PADATA-ALT-PRINC(24),		-- (crawdad@fnal.gov)
+	KRB5-PADATA-SAM-CHALLENGE2(30),		-- (kenh@pobox.com)
+	KRB5-PADATA-SAM-RESPONSE2(31),		-- (kenh@pobox.com)
+	KRB5-PA-EXTRA-TGT(41),			-- Reserved extra TGT
+	KRB5-PADATA-FX-FAST-ARMOR(71),		-- fast armor
+	KRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
+	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
+	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
+	KRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
+	KRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
+	KRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
+	KRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
+	KRB5-PADATA-FOR-USER(129),		-- MS-KILE
+	KRB5-PADATA-FOR-X509-USER(130),		-- MS-KILE
+	KRB5-PADATA-FOR-CHECK-DUPS(131),	-- MS-KILE
+	KRB5-PADATA-AS-CHECKSUM(132),		-- MS-KILE
+	KRB5-PADATA-PK-AS-09-BINDING(132),	-- client send this to
+						-- tell KDC that is supports
+						-- the asCheckSum in the
+						--  PK-AS-REP
+	KRB5-PADATA-FX-COOKIE(133),		-- krb-wg-preauth-framework
+	KRB5-PADATA-AUTHENTICATION-SET(134),	-- krb-wg-preauth-framework
+	KRB5-PADATA-AUTH-SET-SELECTED(135),	-- krb-wg-preauth-framework
+	KRB5-PADATA-FX-FAST(136),		-- krb-wg-preauth-framework
+	KRB5-PADATA-FX-ERROR(137),		-- krb-wg-preauth-framework
+	KRB5-PADATA-ENCRYPTED-CHALLENGE(138),	-- krb-wg-preauth-framework
+	KRB5-PADATA-OTP-CHALLENGE(141),		-- (gareth.richards@rsa.com)
+	KRB5-PADATA-OTP-REQUEST(142),		-- (gareth.richards@rsa.com)
+	KBB5-PADATA-OTP-CONFIRM(143),		-- (gareth.richards@rsa.com)
+	KRB5-PADATA-OTP-PIN-CHANGE(144),	-- (gareth.richards@rsa.com)
+	KRB5-PADATA-EPAK-AS-REQ(145),
+	KRB5-PADATA-EPAK-AS-REP(146),
+	KRB5-PADATA-PKINIT-KX(147),		-- krb-wg-anon
+	KRB5-PADATA-PKU2U-NAME(148),		-- zhu-pku2u
+	KRB5-PADATA-REQ-ENC-PA-REP(149),	--
+	KER5-PADATA-KERB-KEY-LIST-REQ(161),	-- MS-KILE
+	KER5-PADATA-KERB-PAKEY-LIST-REP(162),	-- MS-KILE
+	KRB5-PADATA-SUPPORTED-ETYPES(165),	-- MS-KILE
+	KRB5-PADATA-PAC-OPTIONS(167),		-- MS-KILE
+	KRB5-PADATA-GSS(655)			-- krb-wg-gss-preauth
+
+}
+
+AUTHDATA-TYPE ::= INTEGER {
+	KRB5-AUTHDATA-IF-RELEVANT(1),
+	KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
+	KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
+	KRB5-AUTHDATA-KDC-ISSUED(4),
+	KRB5-AUTHDATA-AND-OR(5),
+	KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
+	KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
+	KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
+	KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
+	KRB5-AUTHDATA-OSF-DCE(64),
+	KRB5-AUTHDATA-SESAME(65),
+	KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
+	KRB5-AUTHDATA-AUTHENTICATION-STRENGTH(70),
+	KRB5-AUTHDATA-FX-FAST-ARMOR(71),
+	KRB5-AUTHDATA-FX-FAST-USED(72),
+	KRB5-AUTHDATA-WIN2K-PAC(128),
+	KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
+	KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
+	KRB5-AUTHDATA-SIGNTICKET-OLD(142),
+	KRB5-AUTHDATA-SIGNTICKET(512),
+	KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised
+	KRB5-AUTHDATA-KERB-LOCAL(141),		-- MS-KILE
+	KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142),	-- MS-KILE
+	KRB5-AUTHDATA-AP-OPTIONS(143),		-- MS-KILE
+	KRB5-AUTHDATA-TARGET-PRINCIPAL(144),	-- MS-KILE
+        -- N.B. these assignments have not been confirmed yet.
+        --
+        -- DO NOT USE in production yet!
+	KRB5-AUTHDATA-ON-BEHALF-OF(580),      -- UTF8String princ name
+	KRB5-AUTHDATA-BEARER-TOKEN-JWT(581),  -- JWT token
+	KRB5-AUTHDATA-BEARER-TOKEN-SAML(582), -- SAML token
+	KRB5-AUTHDATA-BEARER-TOKEN-OIDC(583), -- OIDC token
+	KRB5-AUTHDATA-CSR-AUTHORIZED(584),     -- Proxy has authorized client
+                                              -- to requested exts in CSR
+	KRB5-AUTHDATA-GSS-COMPOSITE-NAME(655) -- gss_export_name_composite
+}
+
+-- checksumtypes
+
+CKSUMTYPE ::= INTEGER {
+	CKSUMTYPE_NONE(0),
+	CKSUMTYPE_CRC32(1),
+	CKSUMTYPE_RSA_MD4(2),
+	CKSUMTYPE_RSA_MD4_DES(3),
+	CKSUMTYPE_DES_MAC(4),
+	CKSUMTYPE_DES_MAC_K(5),
+	CKSUMTYPE_RSA_MD4_DES_K(6),
+	CKSUMTYPE_RSA_MD5(7),
+	CKSUMTYPE_RSA_MD5_DES(8),
+	CKSUMTYPE_RSA_MD5_DES3(9),
+	CKSUMTYPE_SHA1_OTHER(10),
+	CKSUMTYPE_HMAC_SHA1_DES3(12),
+	CKSUMTYPE_SHA1(14),
+	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
+	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
+	CKSUMTYPE_HMAC_SHA256_128_AES128(19),
+	CKSUMTYPE_HMAC_SHA384_192_AES256(20),
+	CKSUMTYPE_GSSAPI(0x8003),
+	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
+	CKSUMTYPE_HMAC_MD5_ENC(-1138),	-- even more unofficial
+	CKSUMTYPE_SHA256(-21),
+	CKSUMTYPE_SHA384(-22),
+	CKSUMTYPE_SHA512(-23)
+}
+
+--enctypes
+ENCTYPE ::= INTEGER {
+	KRB5_ENCTYPE_NULL(0),
+	KRB5_ENCTYPE_DES_CBC_CRC(1),
+	KRB5_ENCTYPE_DES_CBC_MD4(2),
+	KRB5_ENCTYPE_DES_CBC_MD5(3),
+	KRB5_ENCTYPE_DES3_CBC_MD5(5),
+	KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
+	KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
+	KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
+	KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
+	KRB5_ENCTYPE_DES3_CBC_SHA1(16),	-- with key derivation
+	KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
+	KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
+	KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128(19),
+	KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192(20),
+	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
+	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
+	KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
+-- some "old" windows types
+	KRB5_ENCTYPE_ARCFOUR_MD4(-128),
+	KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
+	KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
+-- these are for Heimdal internal use
+	KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
+	KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
+	KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
+	KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
+	KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004),		-- private use, lukeh@padl.com
+	KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005)		-- private use, lukeh@padl.com
+}
+
+
+
+
+-- this is sugar to make something ASN1 does not have: unsigned
+
+Krb5UInt32 ::= INTEGER (0..4294967295)
+Krb5Int32 ::= INTEGER (-2147483648..2147483647)
+
+KerberosString  ::= GeneralString
+
+Realm ::= GeneralString
+PrincipalName ::= SEQUENCE {
+	name-type[0]		NAME-TYPE,
+	name-string[1]		SEQUENCE OF GeneralString
+}
+
+HostAddress ::= SEQUENCE  {
+	addr-type[0]		Krb5Int32,
+	address[1]		OCTET STRING
+}
+
+-- This is from RFC1510.
+--
+-- HostAddresses ::= SEQUENCE OF SEQUENCE {
+-- 	addr-type[0]		Krb5Int32,
+--	address[1]		OCTET STRING
+-- }
+
+-- This seems much better.
+HostAddresses ::= SEQUENCE OF HostAddress
+
+
+KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
+
+AuthorizationDataElement ::= SEQUENCE {
+	ad-type[0]		Krb5Int32,
+	ad-data[1]		OCTET STRING
+}
+
+AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
+
+APOptions ::= BIT STRING {
+	reserved(0),
+	use-session-key(1),
+	mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	may-postdate(5),
+	postdated(6),
+	invalid(7),
+	renewable(8),
+	initial(9),
+	pre-authent(10),
+	hw-authent(11),
+	transited-policy-checked(12),
+	ok-as-delegate(13),
+	enc-pa-rep(15),
+	anonymous(16)
+}
+
+KDCOptions ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	allow-postdate(5),
+	postdated(6),
+	renewable(8),
+	cname-in-addl-tkt(14), -- ms extension
+	canonicalize(15),
+	request-anonymous(16),
+	disable-transited-check(26),
+	renewable-ok(27),
+	enc-tkt-in-skey(28),
+	renew(30),
+	validate(31)
+}
+
+LR-TYPE ::= INTEGER {
+	LR_NONE(0),		-- no information
+	LR_INITIAL_TGT(1),	-- last initial TGT request
+	LR_INITIAL(2),		-- last initial request
+	LR_ISSUE_USE_TGT(3),	-- time of newest TGT used
+	LR_RENEWAL(4),		-- time of last renewal
+	LR_REQUEST(5),		-- time of last request (of any type)
+	LR_PW_EXPTIME(6),	-- expiration time of password
+	LR_ACCT_EXPTIME(7)	-- expiration time of account
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+	lr-type[0]		LR-TYPE,
+	lr-value[1]		KerberosTime
+}
+
+
+EncryptedData ::= SEQUENCE {
+	etype[0] 		ENCTYPE, -- EncryptionType
+	kvno[1]			Krb5Int32 OPTIONAL,
+	cipher[2]		OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+	keytype[0]		Krb5Int32,
+	keyvalue[1]		OCTET STRING
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+	tr-type[0]		Krb5Int32, -- must be registered
+	contents[1]		OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+	tkt-vno[0]		Krb5Int32,
+	realm[1]		Realm,
+	sname[2]		PrincipalName,
+	enc-part[3]		EncryptedData
+}
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+	flags[0]		TicketFlags,
+	key[1]			EncryptionKey,
+	crealm[2]		Realm,
+	cname[3]		PrincipalName,
+	transited[4]		TransitedEncoding,
+	authtime[5]		KerberosTime,
+	starttime[6]		KerberosTime OPTIONAL,
+	endtime[7]		KerberosTime,
+	renew-till[8]		KerberosTime OPTIONAL,
+	caddr[9]		HostAddresses OPTIONAL,
+	authorization-data[10]	AuthorizationData OPTIONAL
+}
+
+Checksum ::= SEQUENCE {
+	cksumtype[0]		CKSUMTYPE,
+	checksum[1]		OCTET STRING
+}
+
+-- For GSS name attributes [RFC6680] we'll decorate Principal (which is not an
+-- RFC4120 type, but which we use a) in HDB, b) in the API as that which
+-- krb5_principal points to) with PrincipalNameAttrs.
+--
+-- Attributes have three possible sources in Heimdal Kerberos at this time:
+--
+--  - the EncKDCRepPart (for the client's attributes on the client side)
+--  - the EncTicketPart (for the client's attributes on the server side)
+--  - the Authenticator's AuthorizationData (if any; server-side)
+--
+-- In principle there can be more:
+--
+--  - locally-set (asserted) attributes
+--  - locally-looked-up attributes (e.g., in LDAP)
+--  - locally-transformed attributes (e.g., local groups, filtered SIDs from a
+--    PAC, etc.)
+--
+-- We could also cache "cooked" attributes as reported by the RFC6680 API given
+-- the sources we have.
+--
+-- For now we'll only support authenticated attributes where those come from
+-- the KDC, and attributes asserted in Authenticator authz-data.
+PrincipalNameAttrSrc ::= CHOICE {
+        enc-kdc-rep-part    [0] EncKDCRepPart,  -- minus session key
+        enc-ticket-part     [1] EncTicketPart   -- minus session key
+}
+PrincipalNameAttrs ::= SEQUENCE {
+        -- True if this name was authenticated via an AP-REQ or a KDC-REP
+        authenticated       [0]     BOOLEAN,
+        -- These are compiled from the Ticket, KDC-REP, and/or Authenticator
+        source              [1]     PrincipalNameAttrSrc OPTIONAL,
+        authenticator-ad    [2]     AuthorizationData OPTIONAL,
+        -- For the server on the client side we should keep track of the
+        -- transit path taken to reach it (if absent -> unknown).
+        --
+        -- We don't learn much more about the server from the KDC.
+        peer-realm          [3]     Realm OPTIONAL,
+        transited           [4]     TransitedEncoding OPTIONAL,
+        -- True if the PAC was verified
+        pac-verified        [5]     BOOLEAN,
+        -- True if any AD-KDC-ISSUEDs in the Ticket were validated
+        kdc-issued-verified [6]     BOOLEAN,
+        -- TODO: Add requested attributes, for gss_set_name_attribute(), which
+        --       should cause corresponding authz-data elements to be added to
+        --       any TGS-REQ or to the AP-REQ's Authenticator as appropriate.
+        want-ad             [7]     AuthorizationData OPTIONAL
+}
+-- This is our type for exported composite name tokens for GSS [RFC6680].
+-- It's the same as Principal (below) as decorated with (see krb5.opt file and
+-- asn1_compile usage), except it's not decorated, so the name attributes are
+-- encoded/decoded.
+CompositePrincipal ::= [APPLICATION 48] SEQUENCE {
+	name[0]			PrincipalName,
+	realm[1]		Realm,
+        nameattrs[2]            PrincipalNameAttrs OPTIONAL
+}
+
+-- This is not part of RFC1510/RFC4120.  We use this internally as our
+-- krb5_principal (which is a typedef of *Principal), and in HDB entries.
+Principal ::= SEQUENCE {
+	name[0]			PrincipalName,
+	realm[1]		Realm
+        -- This will be decorated with an optional nameattrs field of
+        -- PrincipalNameAttrs type that doesn't get encoded.  Same as
+        -- CompositePrincipal above, except that CompositePrincipal's
+        -- nameattrs field does get encoded, while Principal's does not:
+        --
+        -- nameattrs[2]         PrincipalNameAttrs OPTIONAL
+}
+
+Principals ::= SEQUENCE OF Principal
+
+Authenticator ::= [APPLICATION 2] SEQUENCE    {
+	authenticator-vno[0]	Krb5Int32,
+	crealm[1]		Realm,
+	cname[2]		PrincipalName,
+	cksum[3]		Checksum OPTIONAL,
+	cusec[4]		Krb5Int32,
+	ctime[5]		KerberosTime,
+	subkey[6]		EncryptionKey OPTIONAL,
+	seq-number[7]		Krb5UInt32 OPTIONAL,
+	authorization-data[8]	AuthorizationData OPTIONAL
+}
+
+PA-DATA ::= SEQUENCE {
+	-- might be encoded AP-REQ
+	padata-type[1]		PADATA-TYPE,
+	padata-value[2]		OCTET STRING
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+	etype[0]		ENCTYPE,
+	salt[1]			OCTET STRING OPTIONAL,
+	salttype[2]		Krb5Int32 OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+	etype[0]		ENCTYPE,
+	salt[1]			KerberosString OPTIONAL,
+	s2kparams[2]		OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+TypedData ::=   SEQUENCE {
+	data-type[0]		Krb5Int32,
+	data-value[1]		OCTET STRING OPTIONAL
+}
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
+
+KDC-REQ-BODY ::= SEQUENCE {
+	kdc-options[0]		KDCOptions,
+	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
+	realm[2]		Realm,	-- Server's realm
+					-- Also client's in AS-REQ
+	sname[3]		PrincipalName OPTIONAL,
+	from[4]			KerberosTime OPTIONAL,
+	till[5]			KerberosTime OPTIONAL,
+	rtime[6]		KerberosTime OPTIONAL,
+	nonce[7]		Krb5Int32,
+	etype[8]		SEQUENCE OF ENCTYPE, -- EncryptionType,
+					-- in preference order
+	addresses[9]		HostAddresses OPTIONAL,
+	enc-authorization-data[10] EncryptedData OPTIONAL,
+					-- Encrypted AuthorizationData encoding
+	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
+}
+
+KDC-REQ ::= SEQUENCE {
+	pvno[1]			Krb5Int32,
+	msg-type[2]		MESSAGE-TYPE,
+	padata[3]		METHOD-DATA OPTIONAL,
+	req-body[4]		KDC-REQ-BODY
+}
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+-- padata-type ::= PA-ENC-TIMESTAMP
+-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+	patimestamp[0]		KerberosTime, -- client's time
+	pausec[1]		Krb5Int32 OPTIONAL
+}
+
+-- draft-brezak-win2k-krb-authz-01
+PA-PAC-REQUEST ::= SEQUENCE {
+	include-pac[0]		BOOLEAN -- Indicates whether a PAC
+					-- should be included or not
+}
+
+-- MS-KILE/MS-SFU
+PAC-OPTIONS-FLAGS ::= BIT STRING {
+	claims(0),
+	branch-aware(1),
+	forward-to-full-dc(2),
+	resource-based-constrained-delegation(3)
+}
+
+-- MS-KILE
+PA-PAC-OPTIONS ::= SEQUENCE {
+	flags [0] PAC-OPTIONS-FLAGS
+}
+
+-- MS-KILE
+-- captures show that [UNIVERSAL 16] is required to parse it
+KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
+	restriction-type	[0] Krb5Int32,
+	restriction		[1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
+}
+
+-- MS-KILE Section 2.2.11
+PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
+
+-- MS-KILE Section 2.2.12
+
+PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,
+
+-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
+PROV-SRV-LOCATION ::= GeneralString
+
+KDC-REP ::= SEQUENCE {
+	pvno[0]			Krb5Int32,
+	msg-type[1]		MESSAGE-TYPE,
+	padata[2]		METHOD-DATA OPTIONAL,
+	crealm[3]		Realm,
+	cname[4]		PrincipalName,
+	ticket[5]		Ticket,
+	enc-part[6]		EncryptedData
+}
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+EncKDCRepPart ::= SEQUENCE {
+	key[0]			EncryptionKey,
+	last-req[1]		LastReq,
+	nonce[2]		Krb5Int32,
+	key-expiration[3]	KerberosTime OPTIONAL,
+	flags[4]		TicketFlags,
+	authtime[5]		KerberosTime,
+	starttime[6]		KerberosTime OPTIONAL,
+	endtime[7]		KerberosTime,
+	renew-till[8]		KerberosTime OPTIONAL,
+	srealm[9]		Realm,
+	sname[10]		PrincipalName,
+	caddr[11]		HostAddresses OPTIONAL,
+	encrypted-pa-data[12]	METHOD-DATA OPTIONAL
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+	pvno[0]			Krb5Int32,
+	msg-type[1]		MESSAGE-TYPE,
+	ap-options[2]		APOptions,
+	ticket[3]		Ticket,
+	authenticator[4]	EncryptedData
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+	pvno[0]			Krb5Int32,
+	msg-type[1]		MESSAGE-TYPE,
+	enc-part[2]		EncryptedData
+}
+
+EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
+	ctime[0]		KerberosTime,
+	cusec[1]		Krb5Int32,
+	subkey[2]		EncryptionKey OPTIONAL,
+	seq-number[3]		Krb5UInt32 OPTIONAL
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+	user-data[0]		OCTET STRING,
+	timestamp[1]		KerberosTime OPTIONAL,
+	usec[2]			Krb5Int32 OPTIONAL,
+	seq-number[3]		Krb5UInt32 OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL,
+	r-address[5]		HostAddress OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+	pvno[0]			Krb5Int32,
+	msg-type[1]		MESSAGE-TYPE,
+	safe-body[2]		KRB-SAFE-BODY,
+	cksum[3]		Checksum
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+	pvno[0]			Krb5Int32,
+	msg-type[1]		MESSAGE-TYPE,
+	enc-part[3]		EncryptedData
+}
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+	user-data[0]		OCTET STRING,
+	timestamp[1]		KerberosTime OPTIONAL,
+	usec[2]			Krb5Int32 OPTIONAL,
+	seq-number[3]		Krb5UInt32 OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL, -- sender's addr
+	r-address[5]		HostAddress OPTIONAL  -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
+	pvno[0]			Krb5Int32,
+	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
+	tickets[2]		SEQUENCE OF Ticket,
+	enc-part[3]		EncryptedData
+}
+
+KrbCredInfo ::= SEQUENCE {
+	key[0]			EncryptionKey,
+	prealm[1]		Realm OPTIONAL,
+	pname[2]		PrincipalName OPTIONAL,
+	flags[3]		TicketFlags OPTIONAL,
+	authtime[4]		KerberosTime OPTIONAL,
+	starttime[5]		KerberosTime OPTIONAL,
+	endtime[6] 		KerberosTime OPTIONAL,
+	renew-till[7]		KerberosTime OPTIONAL,
+	srealm[8]		Realm OPTIONAL,
+	sname[9]		PrincipalName OPTIONAL,
+	caddr[10]		HostAddresses OPTIONAL
+}
+
+EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
+	ticket-info[0]		SEQUENCE OF KrbCredInfo,
+	nonce[1]		Krb5Int32 OPTIONAL,
+	timestamp[2]		KerberosTime OPTIONAL,
+	usec[3]			Krb5Int32 OPTIONAL,
+	s-address[4]		HostAddress OPTIONAL,
+	r-address[5]		HostAddress OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+	pvno[0]			Krb5Int32,
+	msg-type[1]		MESSAGE-TYPE,
+	ctime[2]		KerberosTime OPTIONAL,
+	cusec[3]		Krb5Int32 OPTIONAL,
+	stime[4]		KerberosTime,
+	susec[5]		Krb5Int32,
+	error-code[6]		Krb5Int32,
+	crealm[7]		Realm OPTIONAL,
+	cname[8]		PrincipalName OPTIONAL,
+	realm[9]		Realm, -- Correct realm
+	sname[10]		PrincipalName, -- Correct name
+	e-text[11]		GeneralString OPTIONAL,
+	e-data[12]		OCTET STRING OPTIONAL
+}
+
+ChangePasswdDataMS ::= SEQUENCE {
+	newpasswd[0]		OCTET STRING,
+	targname[1]		PrincipalName OPTIONAL,
+	targrealm[2]		Realm OPTIONAL
+}
+
+EtypeList ::= SEQUENCE OF ENCTYPE
+	-- the client's proposed enctype list in
+	-- decreasing preference order, favorite choice first
+
+krb5-pvno Krb5Int32 ::= 5 -- current Kerberos protocol version number
+
+-- transited encodings
+
+domain-X500-Compress	Krb5Int32 ::= 1
+
+-- authorization data primitives
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+	ad-checksum[0]		Checksum,
+	i-realm[1]		Realm OPTIONAL,
+	i-sname[2]		PrincipalName OPTIONAL,
+	elements[3]		AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+	condition-count[0]	Krb5Int32,
+	elements[1]		AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
+
+PA-SAM-TYPE ::= INTEGER {
+	PA_SAM_TYPE_ENIGMA(1),		-- Enigma Logic
+	PA_SAM_TYPE_DIGI_PATH(2),	-- Digital Pathways
+	PA_SAM_TYPE_SKEY_K0(3),		-- S/key where  KDC has key 0
+	PA_SAM_TYPE_SKEY(4),		-- Traditional S/Key
+	PA_SAM_TYPE_SECURID(5),		-- Security Dynamics
+	PA_SAM_TYPE_CRYPTOCARD(6)	-- CRYPTOCard
+}
+
+PA-SAM-REDIRECT ::= HostAddresses
+
+SAMFlags ::= BIT STRING {
+	use-sad-as-key(0),
+	send-encrypted-sad(1),
+	must-pk-encrypt-sad(2)
+}
+
+PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
+	sam-type[0]		Krb5Int32,
+	sam-flags[1]		SAMFlags,
+	sam-type-name[2]	GeneralString OPTIONAL,
+	sam-track-id[3]		GeneralString OPTIONAL,
+	sam-challenge-label[4]	GeneralString OPTIONAL,
+	sam-challenge[5]	GeneralString OPTIONAL,
+	sam-response-prompt[6]	GeneralString OPTIONAL,
+	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
+	sam-nonce[8]		Krb5Int32,
+	sam-etype[9]		Krb5Int32,
+	...
+}
+
+PA-SAM-CHALLENGE-2 ::= SEQUENCE {
+	sam-body[0]		PA-SAM-CHALLENGE-2-BODY,
+	sam-cksum[1]		SEQUENCE OF Checksum, -- (1..MAX)
+	...
+}
+
+PA-SAM-RESPONSE-2 ::= SEQUENCE {
+	sam-type[0]		Krb5Int32,
+	sam-flags[1]		SAMFlags,
+	sam-track-id[2]		GeneralString OPTIONAL,
+	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
+	sam-nonce[4]		Krb5Int32,
+	...
+}
+
+PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
+	sam-nonce[0]		Krb5Int32,
+	sam-sad[1]		GeneralString OPTIONAL,
+	...
+}
+
+PA-S4U2Self ::= SEQUENCE {
+	name[0]		PrincipalName,
+        realm[1]	Realm,
+        cksum[2]	Checksum,
+        auth[3]		GeneralString
+}
+
+PA-S4U-X509-USER::= SEQUENCE {
+	user-id[0] S4UUserID,
+	checksum[1] Checksum
+}
+
+S4UUserID ::= SEQUENCE {
+	nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY
+	cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
+	crealm [2] Realm,
+	subject-certificate [3] OCTET STRING OPTIONAL,
+	options [4] BIT STRING OPTIONAL,
+	...
+}
+
+AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
+	login-alias	[0] PrincipalName,
+	checksum	[1] Checksum
+}
+
+-- old ms referral
+PA-SvrReferralData ::= SEQUENCE {
+	referred-name   [1] PrincipalName OPTIONAL,
+	referred-realm  [0] Realm
+}
+
+PA-SERVER-REFERRAL-DATA ::= EncryptedData
+
+PA-ServerReferralData ::= SEQUENCE {
+	referred-realm		[0] Realm OPTIONAL,
+	true-principal-name	[1] PrincipalName OPTIONAL,
+	requested-principal-name [2] PrincipalName OPTIONAL,
+	referral-valid-until     [3] KerberosTime OPTIONAL,
+	...
+}
+
+FastOptions ::= BIT STRING {
+	    reserved(0),
+	    hide-client-names(1),
+	    critical2(2),
+	    critical3(3),
+	    critical4(4),
+	    critical5(5),
+	    critical6(6),
+	    critical7(7),
+	    critical8(8),
+	    critical9(9),
+	    critical10(10),
+	    critical11(11),
+	    critical12(12),
+	    critical13(13),
+	    critical14(14),
+	    critical15(15),
+	    kdc-follow-referrals(16)
+}
+
+KrbFastReq ::= SEQUENCE {
+	fast-options [0] FastOptions,
+	padata       [1] METHOD-DATA,
+	req-body     [2] KDC-REQ-BODY,
+	...
+}
+
+KrbFastArmor ::= SEQUENCE {
+	armor-type   [0] Krb5Int32,
+	armor-value  [1] OCTET STRING,
+        ...
+}
+
+KrbFastArmoredReq ::= SEQUENCE {
+	armor        [0] KrbFastArmor OPTIONAL,
+	req-checksum [1] Checksum,
+	enc-fast-req [2] EncryptedData -- KrbFastReq --
+}
+
+PA-FX-FAST-REQUEST ::= CHOICE {
+	armored-data [0] KrbFastArmoredReq,
+	...
+}
+
+KrbFastFinished ::= SEQUENCE {
+	timestamp   [0] KerberosTime,
+	usec        [1] Krb5Int32,
+	crealm      [2] Realm,
+	cname       [3] PrincipalName,
+	ticket-checksum [4] Checksum,
+	...
+}
+
+KrbFastResponse ::= SEQUENCE {
+	padata      	[0] METHOD-DATA,
+        strengthen-key	[1] EncryptionKey OPTIONAL,
+	finished	[2] KrbFastFinished OPTIONAL,
+        nonce		[3] Krb5UInt32,
+	...
+}
+
+KrbFastArmoredRep ::= SEQUENCE {
+	enc-fast-rep      [0] EncryptedData, -- KrbFastResponse --
+	...
+}
+
+PA-FX-FAST-REPLY ::= CHOICE {
+	armored-data [0] KrbFastArmoredRep,
+	...
+}
+
+KDCFastFlags ::= BIT STRING {
+	use-reply-key(0),
+	reply-key-used(1),
+	reply-key-replaced(2),
+	kdc-verified(3),
+	requested-hidden-names(4)
+}
+
+-- KDCFastState is stored in FX_COOKIE
+KDCFastState ::= SEQUENCE {
+	flags [0] KDCFastFlags,
+	expiration [1] GeneralizedTime,
+	fast-state [2] METHOD-DATA,
+	expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
+}
+
+KDCFastCookie ::= SEQUENCE {
+	version [0] UTF8String,
+	cookie [1] EncryptedData
+}
+
+KDC-PROXY-MESSAGE ::= SEQUENCE {
+	kerb-message	[0] OCTET STRING,
+	target-domain	[1] Realm OPTIONAL,
+	dclocator-hint	[2] INTEGER OPTIONAL
+}
+
+-- these messages are used in the GSSCred communication and is not part of Kerberos propper
+
+KERB-TIMES ::= SEQUENCE {
+	authtime	[0] KerberosTime,
+	starttime	[1] KerberosTime,
+	endtime		[2] KerberosTime,
+	renew_till	[3] KerberosTime
+}
+
+KERB-CRED ::= SEQUENCE {
+	client		[0] Principal,
+	server		[1] Principal,
+	keyblock	[2] EncryptionKey,
+	times		[3] KERB-TIMES,
+	ticket		[4] OCTET STRING,
+	authdata	[5] OCTET STRING,
+	addresses	[6] HostAddresses,
+	flags		[7] TicketFlags
+}
+
+KERB-TGS-REQ-IN ::= SEQUENCE {
+	cache		[0] OCTET STRING SIZE (16),
+	addrs		[1] HostAddresses,
+	flags		[2] Krb5UInt32,
+	imp		[3] Principal OPTIONAL,
+	ticket		[4] OCTET STRING OPTIONAL,
+	in_cred		[5] KERB-CRED,
+	krbtgt		[6] KERB-CRED,
+	padata		[7] METHOD-DATA
+}
+
+KERB-TGS-REQ-OUT ::= SEQUENCE {
+	subkey		[0] EncryptionKey OPTIONAL,
+	t		[1] TGS-REQ
+}
+
+
+
+KERB-TGS-REP-IN ::= SEQUENCE {
+	cache		[0] OCTET STRING SIZE (16),
+	subkey		[1] EncryptionKey OPTIONAL,
+	in_cred		[2] KERB-CRED,
+	t		[3] TGS-REP
+}
+
+KERB-TGS-REP-OUT ::= SEQUENCE {
+	cache		[0] OCTET STRING SIZE (16),
+	cred		[1] KERB-CRED,
+	subkey		[2] EncryptionKey
+}
+
+KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
+	armor		[0] KrbFastArmor,
+	armor-key	[1] EncryptionKey
+}
+
+END
+
+-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-05-05 17:47:29 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-05-05 17:47:29 +0000
commit	4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree	8ce7b00f7a76baa386372422adebbe64510812d4 /third_party/heimdal/lib/asn1/krb5.asn1
parent	Initial commit. (diff)
download	samba-upstream.tar.xz samba-upstream.zip