From d4ac17d6d093878c8da9eaac8fae6012356bb0ad Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 24 Feb 2022 22:35:17 +0100
Subject: [PATCH] krb5: add new values and definitions from MS-KILE/MS-SFU

Signed-off-by: Stefan Metzmacher
---
 lib/asn1/krb5.asn1 | 54 +++++++++++++++++++++++++++++++++++++++++++++-
 lib/krb5/krb5.h | 4 ++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1
index 639ec5af2..d7ce6bd63 100644
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -55,8 +55,12 @@ EXPORTS
 PA-ClientCanonicalizedNames,
 PA-DATA,
 PA-ENC-TS-ENC,
+ PA-KERB-KEY-LIST-REP,
+ PA-KERB-KEY-LIST-REQ,
+ PA-PAC-OPTIONS,
 PA-PAC-REQUEST,
 PA-S4U2Self,
+ PA-S4U-X509-USER,
 PA-SERVER-REFERRAL-DATA,
 PA-ServerReferralData,
 PA-SvrReferralData,
@@ -80,6 +84,7 @@ EXPORTS
 KDCFastState,
 KDCFastCookie,
 KDC-PROXY-MESSAGE,
+ KERB-AD-RESTRICTION-ENTRY,
 KERB-TIMES,
 KERB-CRED,
 KERB-TGS-REQ-IN,
@@ -190,7 +195,10 @@ PADATA-TYPE ::= INTEGER {
 KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
 KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
 KRB5-PADATA-REQ-ENC-PA-REP(149), --
+ KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE
+ KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE
 KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
+ KRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE
 KRB5-PADATA-GSS(655) -- krb-wg-gss-preauth
 }
 
@@ -217,7 +225,10 @@ AUTHDATA-TYPE ::= INTEGER {
 KRB5-AUTHDATA-SIGNTICKET-OLD(142),
 KRB5-AUTHDATA-SIGNTICKET(512),
 KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised
- KRB5-AUTHDATA-AP-OPTIONS(143),
+ KRB5-AUTHDATA-KERB-LOCAL(141), -- MS-KILE
+ KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE
+ KRB5-AUTHDATA-AP-OPTIONS(143), -- MS-KILE
+ KRB5-AUTHDATA-TARGET-PRINCIPAL(144), -- MS-KILE
 -- N.B. these assignments have not been confirmed yet.
 --
 -- DO NOT USE in production yet!
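Review bot: The EXPORTS additions list PA-PAC-OPTIONS and PA-S4U-X509-USER but not the new types those two reference, PAC-OPTIONS-FLAGS and S4UUserID, which the later hunks of lib/asn1/krb5.asn1 define; KERB-AD-RESTRICTION-ENTRY does get exported in the next hunk, so this reads as an omission rather than a choice. If the asn1 compiler honors EXPORTS when deciding what to emit, code that fills in the `flags` or `user-id` members cannot name their types. Adding `PAC-OPTIONS-FLAGS,` next to PA-PAC-OPTIONS and `S4UUserID,` next to PA-S4U-X509-USER would keep the list consistent with the rest of the module. The EXPORTS statement starts and ends outside this hunk.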
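Review bot: The two new PADATA names at 161 and 162 are misspelled: `KER5-PADATA-KERB-KEY-LIST-REQ(161)` uses the prefix KER5 where every other entry in the list uses KRB5, and `KER5-PADATA-KERB-PAKEY-LIST-REP(162)` additionally has PAKEY for KEY, so the generated C constants will match neither the KRB5_PADATA_ pattern used elsewhere nor the PA-KERB-KEY-LIST-REQ/REP type names exported in the first hunk. They should read `KRB5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE` and `KRB5-PADATA-KERB-KEY-LIST-REP(162), -- MS-KILE`. The PADATA-TYPE definition starts outside this hunk.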
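Review bot: `KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142)` reuses the value that KRB5-AUTHDATA-SIGNTICKET-OLD(142), three lines above in the context, already carries, so the INTEGER type now has two named numbers for 142; X.680 asks for the values in a named-number list to be distinct, and whether or not the compiler rejects it, a generated C enum ends up with two enumerators of the same value. Since 141-144 are the MS-KILE assignments, the local SIGNTICKET-OLD value is the one in conflict; at minimum the collision should be recorded on the new line, e.g. `KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE; same value as SIGNTICKET-OLD above`, or SIGNTICKET-OLD retired if nothing still emits it. The AUTHDATA-TYPE definition starts and ends outside this hunk.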
@@ -592,6 +603,33 @@ PA-PAC-REQUEST ::= SEQUENCE {
 -- should be included or not
 }
 
+-- MS-KILE/MS-SFU
+PAC-OPTIONS-FLAGS ::= BIT STRING {
+ claims(0),
+ branch-aware(1),
+ forward-to-full-dc(2),
+ resource-based-constrained-delegation(3)
+}
+
+-- MS-KILE
+PA-PAC-OPTIONS ::= SEQUENCE {
+ flags [0] PAC-OPTIONS-FLAGS
+}
+
+-- MS-KILE
+-- captures show that [UNIVERSAL 16] is required to parse it
+KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
+ restriction-type [0] Krb5Int32,
+ restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
+}
+
+-- MS-KILE Section 2.2.11
+PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
+
+-- MS-KILE Section 2.2.12
+
+PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,
+
 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
 PROV-SRV-LOCATION ::= GeneralString
 
@@ -819,6 +857,20 @@ PA-S4U2Self ::= SEQUENCE {
 auth[3] GeneralString
 }
 
+PA-S4U-X509-USER::= SEQUENCE {
+ user-id[0] S4UUserID,
+ checksum[1] Checksum
+}
+
+S4UUserID ::= SEQUENCE {
+ nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY
+ cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
+ crealm [2] Realm,
+ subject-certificate [3] OCTET STRING OPTIONAL,
+ options [4] BIT STRING OPTIONAL,
+ ...
+}
+
 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
 login-alias [0] PrincipalName,
 checksum [1] Checksum
diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h
index e78edcac9..e4a9e7ec8 100644
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -275,6 +275,10 @@ typedef enum krb5_key_usage {
 KRB5_KU_PA_SERVER_REFERRAL = 26,
 /* Keyusage for the server referral in a TGS req */
 KRB5_KU_SAM_ENC_NONCE_SAD = 27,
+ /* Defined in [MS-SFU] */
+ KRB5_KU_PA_S4U_X509_USER_REQUEST = 26,
+ /* Defined in [MS-SFU] */
+ KRB5_KU_PA_S4U_X509_USER_REPLY = 27,
 /* Encryption of the SAM-NONCE-OR-SAD field */
 KRB5_KU_PA_PKINIT_KX = 44,
 /* Encryption type of the kdc session contribution in pk-init */
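Review bot: `PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,` looks unfinished: the trailing comment with its stray comma suggests the element type was about to be changed, and MS-KILE section 2.2.12, which the comment above it cites, describes the reply as a sequence of EncryptionKey values rather than enctype numbers, the request in 2.2.11 being the one that lists enctypes. If that reading is right the line should be `PA-KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey`, with the blank line between the section comment and the definition dropped to match the REQ definition just above. Please confirm against the spec before relying on this decoder for real KDC replies, since a wrong element type fails only at decode time.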
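Review bot: `PA-S4U-X509-USER::= SEQUENCE {` drops the space before `::=` that every other assignment in the module has (compare `PA-S4U2Self ::= SEQUENCE {` in the hunk context and the new `S4UUserID ::= SEQUENCE {` a few lines below); write it as `PA-S4U-X509-USER ::= SEQUENCE {`. The `options [4] BIT STRING OPTIONAL` member is left as an anonymous bit string, whereas PA-PAC-OPTIONS in the earlier hunk got a named flags type; if the MS-SFU option bits are meant to be set or tested from C, a named BIT STRING type with the spec's bit names would be more consistent and self-documenting.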
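Review bot: The four added lines are inserted between `KRB5_KU_SAM_ENC_NONCE_SAD = 27,` and its trailing comment `/* Encryption of the SAM-NONCE-OR-SAD field */`; in this enum's comment-follows-enumerator layout that comment now appears to describe KRB5_KU_PA_S4U_X509_USER_REPLY, so the block should move below that comment line, directly above `KRB5_KU_PA_PKINIT_KX = 44,`. The new enumerators also reuse 26 and 27, which the context shows already belong to KRB5_KU_PA_SERVER_REFERRAL and KRB5_KU_SAM_ENC_NONCE_SAD; duplicate values are legal C, but any `switch` over krb5_key_usage that names both aliases will fail to compile, so the aliasing is worth stating in the comment, e.g. `/* Defined in [MS-SFU]; same value as KRB5_KU_PA_SERVER_REFERRAL */`. The krb5_key_usage enum starts and ends outside this hunk.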