1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krb5/asn.1/asn1_k_encode.c */
3 /*
4 * Copyright 1994, 2008 by the Massachusetts Institute of Technology.
5 * All Rights Reserved.
6 *
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
11 *
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
25 */
26
27 #include "asn1_encode.h"
28 #include "k5-spake.h"
29
30 DEFINT_IMMEDIATE(krb5_version, KVNO, KRB5KDC_ERR_BAD_PVNO);
31
32 static int
int32_not_minus1(const void * p)33 int32_not_minus1(const void *p)
34 {
35 return *(int32_t *)p != -1;
36 }
37
38 static void
init_int32_minus1(void * p)39 init_int32_minus1(void *p)
40 {
41 *(int32_t *)p = -1;
42 }
43
44 DEFBOOLTYPE(boolean, krb5_boolean);
45 DEFINTTYPE(int32, int32_t);
46 DEFPTRTYPE(int32_ptr, int32);
47 DEFCOUNTEDSEQOFTYPE(cseqof_int32, int32_t, int32_ptr);
48 DEFOPTIONALZEROTYPE(opt_int32, int32);
49 DEFOPTIONALTYPE(opt_int32_minus1, int32_not_minus1, init_int32_minus1, int32);
50
51 DEFUINTTYPE(uint, unsigned int);
52 DEFUINTTYPE(octet, krb5_octet);
53 DEFUINTTYPE(uint32, uint32_t);
54 DEFOPTIONALZEROTYPE(opt_uint, uint);
55
56 static int
nonempty_data(const void * p)57 nonempty_data(const void *p)
58 {
59 const krb5_data *val = p;
60 return (val->data != NULL && val->length != 0);
61 }
62
63 DEFCOUNTEDDERTYPE(der, char *, unsigned int);
64 DEFCOUNTEDTYPE(der_data, krb5_data, data, length, der);
65 DEFOPTIONALTYPE(opt_der_data, nonempty_data, NULL, der_data);
66
67 DEFCOUNTEDSTRINGTYPE(octetstring, uint8_t *, unsigned int,
68 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
69 ASN1_OCTETSTRING);
70 DEFCOUNTEDSTRINGTYPE(s_octetstring, char *, unsigned int,
71 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
72 ASN1_OCTETSTRING);
73 DEFCOUNTEDTYPE(ostring_data, krb5_data, data, length, s_octetstring);
74 DEFPTRTYPE(ostring_data_ptr, ostring_data);
75 DEFOPTIONALTYPE(opt_ostring_data, nonempty_data, NULL, ostring_data);
76 DEFOPTIONALZEROTYPE(opt_ostring_data_ptr, ostring_data_ptr);
77
78 DEFCOUNTEDSTRINGTYPE(generalstring, char *, unsigned int,
79 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
80 ASN1_GENERALSTRING);
81 DEFCOUNTEDSTRINGTYPE(u_generalstring, uint8_t *, unsigned int,
82 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
83 ASN1_GENERALSTRING);
84 DEFCOUNTEDTYPE(gstring_data, krb5_data, data, length, generalstring);
85 DEFOPTIONALTYPE(opt_gstring_data, nonempty_data, NULL, gstring_data);
86 DEFPTRTYPE(gstring_data_ptr, gstring_data);
87 DEFCOUNTEDSEQOFTYPE(cseqof_gstring_data, int32_t, gstring_data_ptr);
88
89 DEFCOUNTEDSTRINGTYPE(utf8string, char *, unsigned int,
90 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
91 ASN1_UTF8STRING);
92 DEFCOUNTEDTYPE(utf8_data, krb5_data, data, length, utf8string);
93 DEFOPTIONALTYPE(opt_utf8_data, nonempty_data, NULL, utf8_data);
94 DEFPTRTYPE(utf8_data_ptr, utf8_data);
95 DEFNULLTERMSEQOFTYPE(seqof_utf8_data, utf8_data_ptr);
96
97 DEFCOUNTEDSTRINGTYPE(object_identifier, char *, unsigned int,
98 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
99 ASN1_OBJECTIDENTIFIER);
100 DEFCOUNTEDTYPE(oid_data, krb5_data, data, length, object_identifier);
101 DEFPTRTYPE(oid_data_ptr, oid_data);
102
103 DEFOFFSETTYPE(realm_of_principal_data, krb5_principal_data, realm,
104 gstring_data);
105 DEFPTRTYPE(realm_of_principal, realm_of_principal_data);
106 DEFOPTIONALZEROTYPE(opt_realm_of_principal, realm_of_principal);
107
108 DEFFIELD(princname_0, krb5_principal_data, type, 0, int32);
109 DEFCNFIELD(princname_1, krb5_principal_data, data, length, 1,
110 cseqof_gstring_data);
111 static const struct atype_info *princname_fields[] = {
112 &k5_atype_princname_0, &k5_atype_princname_1
113 };
114 DEFSEQTYPE(principal_data, krb5_principal_data, princname_fields);
115 DEFPTRTYPE(principal, principal_data);
116 DEFOPTIONALZEROTYPE(opt_principal, principal);
117
118 /*
119 * Define the seqno type, which is an ASN.1 integer represented in a uint32_t.
120 * When decoding, negative 32-bit numbers are accepted for interoperability
121 * with old implementations.
122 */
123 static krb5_error_code
encode_seqno(asn1buf * buf,const void * p,taginfo * rettag)124 encode_seqno(asn1buf *buf, const void *p, taginfo *rettag)
125 {
126 uint32_t val = *(uint32_t *)p;
127 rettag->asn1class = UNIVERSAL;
128 rettag->construction = PRIMITIVE;
129 rettag->tagnum = ASN1_INTEGER;
130 k5_asn1_encode_uint(buf, val);
131 return 0;
132 }
133 static krb5_error_code
decode_seqno(const taginfo * t,const uint8_t * asn1,size_t len,void * p)134 decode_seqno(const taginfo *t, const uint8_t *asn1, size_t len, void *p)
135 {
136 krb5_error_code ret;
137 intmax_t val;
138 ret = k5_asn1_decode_int(asn1, len, &val);
139 if (ret)
140 return ret;
141 if (val < INT32_MIN || val > 0xFFFFFFFF)
142 return ASN1_OVERFLOW;
143 /* Negative values will cast correctly to uint32_t. */
144 *(uint32_t *)p = val;
145 return 0;
146 }
147 static int
check_seqno(const taginfo * t)148 check_seqno(const taginfo *t)
149 {
150 return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE &&
151 t->tagnum == ASN1_INTEGER);
152 }
153 DEFFNTYPE(seqno, uint32_t, encode_seqno, decode_seqno, check_seqno, NULL);
154 DEFOPTIONALZEROTYPE(opt_seqno, seqno);
155
156 /* Define the kerberos_time type, which is an ASN.1 generaltime represented in
157 * a krb5_timestamp. */
158 static krb5_error_code
encode_kerberos_time(asn1buf * buf,const void * p,taginfo * rettag)159 encode_kerberos_time(asn1buf *buf, const void *p, taginfo *rettag)
160 {
161 time_t val = ts2tt(*(krb5_timestamp *)p);
162 rettag->asn1class = UNIVERSAL;
163 rettag->construction = PRIMITIVE;
164 rettag->tagnum = ASN1_GENERALTIME;
165 return k5_asn1_encode_generaltime(buf, val);
166 }
167 static krb5_error_code
decode_kerberos_time(const taginfo * t,const uint8_t * asn1,size_t len,void * p)168 decode_kerberos_time(const taginfo *t, const uint8_t *asn1, size_t len,
169 void *p)
170 {
171 krb5_error_code ret;
172 time_t val;
173 ret = k5_asn1_decode_generaltime(asn1, len, &val);
174 if (ret)
175 return ret;
176 *(krb5_timestamp *)p = val;
177 return 0;
178 }
179 static int
check_kerberos_time(const taginfo * t)180 check_kerberos_time(const taginfo *t)
181 {
182 return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE &&
183 t->tagnum == ASN1_GENERALTIME);
184 }
185 DEFFNTYPE(kerberos_time, krb5_timestamp, encode_kerberos_time,
186 decode_kerberos_time, check_kerberos_time, NULL);
187 DEFOPTIONALZEROTYPE(opt_kerberos_time, kerberos_time);
188
189 DEFFIELD(address_0, krb5_address, addrtype, 0, int32);
190 DEFCNFIELD(address_1, krb5_address, contents, length, 1, octetstring);
191 const static struct atype_info *address_fields[] = {
192 &k5_atype_address_0, &k5_atype_address_1
193 };
194 DEFSEQTYPE(address, krb5_address, address_fields);
195 DEFPTRTYPE(address_ptr, address);
196 DEFOPTIONALZEROTYPE(opt_address_ptr, address_ptr);
197
198 DEFNULLTERMSEQOFTYPE(seqof_host_addresses, address_ptr);
199 DEFPTRTYPE(ptr_seqof_host_addresses, seqof_host_addresses);
200 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_host_addresses, ptr_seqof_host_addresses);
201
202 /*
203 * krb5_kvno is defined as unsigned int, but historically (MIT krb5 through 1.6
204 * in the encoder, and through 1.10 in the decoder) we treat it as signed, in
205 * violation of RFC 4120. kvno values large enough to be problematic are only
206 * likely to be seen with Windows read-only domain controllers, which overload
207 * the high 16-bits of kvno values for krbtgt principals. Since Windows
208 * encodes kvnos as signed 32-bit values, for interoperability it's best if we
209 * do the same.
210 */
211 DEFINTTYPE(kvno, krb5_kvno);
212 DEFOPTIONALZEROTYPE(opt_kvno, kvno);
213
214 DEFFIELD(enc_data_0, krb5_enc_data, enctype, 0, int32);
215 DEFFIELD(enc_data_1, krb5_enc_data, kvno, 1, opt_kvno);
216 DEFFIELD(enc_data_2, krb5_enc_data, ciphertext, 2, ostring_data);
217 static const struct atype_info *encrypted_data_fields[] = {
218 &k5_atype_enc_data_0, &k5_atype_enc_data_1, &k5_atype_enc_data_2
219 };
220 DEFSEQTYPE(encrypted_data, krb5_enc_data, encrypted_data_fields);
221 static int
nonempty_enc_data(const void * p)222 nonempty_enc_data(const void *p)
223 {
224 const krb5_enc_data *val = p;
225 return (val->ciphertext.data != NULL);
226 }
227 DEFOPTIONALTYPE(opt_encrypted_data, nonempty_enc_data, NULL, encrypted_data);
228
229 /* Define the krb5_flags type, which is an ASN.1 bit string represented in a
230 * 32-bit integer. */
231 static krb5_error_code
encode_krb5_flags(asn1buf * buf,const void * p,taginfo * rettag)232 encode_krb5_flags(asn1buf *buf, const void *p, taginfo *rettag)
233 {
234 uint8_t cbuf[4], *cptr = cbuf;
235 store_32_be((uint32_t)*(const krb5_flags *)p, cbuf);
236 rettag->asn1class = UNIVERSAL;
237 rettag->construction = PRIMITIVE;
238 rettag->tagnum = ASN1_BITSTRING;
239 return k5_asn1_encode_bitstring(buf, &cptr, 4);
240 }
241 static krb5_error_code
decode_krb5_flags(const taginfo * t,const uint8_t * asn1,size_t len,void * val)242 decode_krb5_flags(const taginfo *t, const uint8_t *asn1, size_t len, void *val)
243 {
244 krb5_error_code ret;
245 size_t i, blen;
246 krb5_flags f = 0;
247 uint8_t *bits;
248 ret = k5_asn1_decode_bitstring(asn1, len, &bits, &blen);
249 if (ret)
250 return ret;
251 /* Copy up to 32 bits into f, starting at the most significant byte. */
252 for (i = 0; i < blen && i < 4; i++)
253 f |= bits[i] << (8 * (3 - i));
254 *(krb5_flags *)val = f;
255 free(bits);
256 return 0;
257 }
258 static int
check_krb5_flags(const taginfo * t)259 check_krb5_flags(const taginfo *t)
260 {
261 return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE &&
262 t->tagnum == ASN1_BITSTRING);
263 }
264 DEFFNTYPE(krb5_flags, krb5_flags, encode_krb5_flags, decode_krb5_flags,
265 check_krb5_flags, NULL);
266 DEFOPTIONALZEROTYPE(opt_krb5_flags, krb5_flags);
267
268 DEFFIELD(authdata_0, krb5_authdata, ad_type, 0, int32);
269 DEFCNFIELD(authdata_1, krb5_authdata, contents, length, 1, octetstring);
270 static const struct atype_info *authdata_elt_fields[] = {
271 &k5_atype_authdata_0, &k5_atype_authdata_1
272 };
273 DEFSEQTYPE(authdata_elt, krb5_authdata, authdata_elt_fields);
274 DEFPTRTYPE(authdata_elt_ptr, authdata_elt);
275 DEFNONEMPTYNULLTERMSEQOFTYPE(auth_data, authdata_elt_ptr);
276 DEFPTRTYPE(auth_data_ptr, auth_data);
277 DEFOPTIONALEMPTYTYPE(opt_auth_data_ptr, auth_data_ptr);
278
279 /* authdata_types retrieves just the types of authdata elements in an array. */
280 DEFCTAGGEDTYPE(authdata_elt_type_0, 0, int32);
281 static const struct atype_info *authdata_elt_type_fields[] = {
282 &k5_atype_authdata_elt_type_0
283 };
284 DEFSEQTYPE(authdata_elt_type, krb5_authdatatype, authdata_elt_type_fields);
285 DEFPTRTYPE(ptr_authdata_elt_type, authdata_elt_type);
286 DEFCOUNTEDSEQOFTYPE(cseqof_authdata_elt_type, unsigned int,
287 ptr_authdata_elt_type);
288 struct authdata_types {
289 krb5_authdatatype *types;
290 unsigned int ntypes;
291 };
292 DEFCOUNTEDTYPE(authdata_types, struct authdata_types, types, ntypes,
293 cseqof_authdata_elt_type);
294
295 DEFFIELD(keyblock_0, krb5_keyblock, enctype, 0, int32);
296 DEFCNFIELD(keyblock_1, krb5_keyblock, contents, length, 1, octetstring);
297 static const struct atype_info *encryption_key_fields[] = {
298 &k5_atype_keyblock_0, &k5_atype_keyblock_1
299 };
300 DEFSEQTYPE(encryption_key, krb5_keyblock, encryption_key_fields);
301 DEFPTRTYPE(ptr_encryption_key, encryption_key);
302 DEFOPTIONALZEROTYPE(opt_ptr_encryption_key, ptr_encryption_key);
303
304 DEFFIELD(checksum_0, krb5_checksum, checksum_type, 0, int32);
305 DEFCNFIELD(checksum_1, krb5_checksum, contents, length, 1, octetstring);
306 static const struct atype_info *checksum_fields[] = {
307 &k5_atype_checksum_0, &k5_atype_checksum_1
308 };
309 DEFSEQTYPE(checksum, krb5_checksum, checksum_fields);
310 DEFPTRTYPE(checksum_ptr, checksum);
311 DEFNULLTERMSEQOFTYPE(seqof_checksum, checksum_ptr);
312 DEFPTRTYPE(ptr_seqof_checksum, seqof_checksum);
313 DEFOPTIONALZEROTYPE(opt_checksum_ptr, checksum_ptr);
314
315 /* Define the last_req_type type, which is an int32_t with some massaging on
316 * decode for backward compatibility. */
317 static krb5_error_code
encode_lr_type(asn1buf * buf,const void * p,taginfo * rettag)318 encode_lr_type(asn1buf *buf, const void *p, taginfo *rettag)
319 {
320 int32_t val = *(int32_t *)p;
321 rettag->asn1class = UNIVERSAL;
322 rettag->construction = PRIMITIVE;
323 rettag->tagnum = ASN1_INTEGER;
324 k5_asn1_encode_int(buf, val);
325 return 0;
326 }
327 static krb5_error_code
decode_lr_type(const taginfo * t,const uint8_t * asn1,size_t len,void * p)328 decode_lr_type(const taginfo *t, const uint8_t *asn1, size_t len, void *p)
329 {
330 krb5_error_code ret;
331 intmax_t val;
332 ret = k5_asn1_decode_int(asn1, len, &val);
333 if (ret)
334 return ret;
335 if (val > INT32_MAX || val < INT32_MIN)
336 return ASN1_OVERFLOW;
337 *(int32_t *)p = val;
338 return 0;
339 }
340 static int
check_lr_type(const taginfo * t)341 check_lr_type(const taginfo *t)
342 {
343 return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE &&
344 t->tagnum == ASN1_INTEGER);
345 }
346 DEFFNTYPE(last_req_type, int32_t, encode_lr_type, decode_lr_type,
347 check_lr_type, NULL);
348
349 DEFFIELD(last_req_0, krb5_last_req_entry, lr_type, 0, last_req_type);
350 DEFFIELD(last_req_1, krb5_last_req_entry, value, 1, kerberos_time);
351 static const struct atype_info *lr_fields[] = {
352 &k5_atype_last_req_0, &k5_atype_last_req_1
353 };
354 DEFSEQTYPE(last_req_ent, krb5_last_req_entry, lr_fields);
355
356 DEFPTRTYPE(last_req_ent_ptr, last_req_ent);
357 DEFNONEMPTYNULLTERMSEQOFTYPE(last_req, last_req_ent_ptr);
358 DEFPTRTYPE(last_req_ptr, last_req);
359
360 DEFCTAGGEDTYPE(ticket_0, 0, krb5_version);
361 DEFFIELD(ticket_1, krb5_ticket, server, 1, realm_of_principal);
362 DEFFIELD(ticket_2, krb5_ticket, server, 2, principal);
363 DEFFIELD(ticket_3, krb5_ticket, enc_part, 3, encrypted_data);
364 static const struct atype_info *ticket_fields[] = {
365 &k5_atype_ticket_0, &k5_atype_ticket_1, &k5_atype_ticket_2,
366 &k5_atype_ticket_3
367 };
368 DEFSEQTYPE(untagged_ticket, krb5_ticket, ticket_fields);
369 DEFAPPTAGGEDTYPE(ticket, 1, untagged_ticket);
370
371 /* First context tag is 1, not 0. */
372 DEFFIELD(pa_data_1, krb5_pa_data, pa_type, 1, int32);
373 DEFCNFIELD(pa_data_2, krb5_pa_data, contents, length, 2, octetstring);
374 static const struct atype_info *pa_data_fields[] = {
375 &k5_atype_pa_data_1, &k5_atype_pa_data_2
376 };
377 DEFSEQTYPE(pa_data, krb5_pa_data, pa_data_fields);
378 DEFPTRTYPE(pa_data_ptr, pa_data);
379
380 DEFNULLTERMSEQOFTYPE(seqof_pa_data, pa_data_ptr);
381 DEFPTRTYPE(ptr_seqof_pa_data, seqof_pa_data);
382 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_pa_data, ptr_seqof_pa_data);
383
384 DEFPTRTYPE(ticket_ptr, ticket);
385 DEFNONEMPTYNULLTERMSEQOFTYPE(seqof_ticket,ticket_ptr);
386 DEFPTRTYPE(ptr_seqof_ticket, seqof_ticket);
387 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_ticket, ptr_seqof_ticket);
388
389 static int
is_enc_kdc_rep_start_set(const void * p)390 is_enc_kdc_rep_start_set(const void *p)
391 {
392 const krb5_enc_kdc_rep_part *val = p;
393 return (val->times.starttime != 0);
394 }
395 static void
init_enc_kdc_rep_start(void * p)396 init_enc_kdc_rep_start(void *p)
397 {
398 krb5_enc_kdc_rep_part *val = p;
399 val->times.starttime = val->times.authtime;
400 }
401 static int
is_renewable_flag_set(const void * p)402 is_renewable_flag_set(const void *p)
403 {
404 const krb5_enc_kdc_rep_part *val = p;
405 return (val->flags & TKT_FLG_RENEWABLE);
406 }
407 DEFFIELD(enc_kdc_rep_0, krb5_enc_kdc_rep_part, session, 0, ptr_encryption_key);
408 DEFFIELD(enc_kdc_rep_1, krb5_enc_kdc_rep_part, last_req, 1, last_req_ptr);
409 DEFFIELD(enc_kdc_rep_2, krb5_enc_kdc_rep_part, nonce, 2, int32);
410 DEFFIELD(enc_kdc_rep_3, krb5_enc_kdc_rep_part, key_exp, 3, opt_kerberos_time);
411 DEFFIELD(enc_kdc_rep_4, krb5_enc_kdc_rep_part, flags, 4, krb5_flags);
412 DEFFIELD(enc_kdc_rep_5, krb5_enc_kdc_rep_part, times.authtime, 5,
413 kerberos_time);
414 DEFFIELD(enc_kdc_rep_6_def, krb5_enc_kdc_rep_part, times.starttime, 6,
415 kerberos_time);
416 DEFOPTIONALTYPE(enc_kdc_rep_6, is_enc_kdc_rep_start_set,
417 init_enc_kdc_rep_start, enc_kdc_rep_6_def);
418 DEFFIELD(enc_kdc_rep_7, krb5_enc_kdc_rep_part, times.endtime, 7,
419 kerberos_time);
420 DEFFIELD(enc_kdc_rep_8_def, krb5_enc_kdc_rep_part, times.renew_till, 8,
421 kerberos_time);
422 DEFOPTIONALTYPE(enc_kdc_rep_8, is_renewable_flag_set, NULL, enc_kdc_rep_8_def);
423 DEFFIELD(enc_kdc_rep_9, krb5_enc_kdc_rep_part, server, 9, realm_of_principal);
424 DEFFIELD(enc_kdc_rep_10, krb5_enc_kdc_rep_part, server, 10, principal);
425 DEFFIELD(enc_kdc_rep_11, krb5_enc_kdc_rep_part, caddrs, 11,
426 opt_ptr_seqof_host_addresses);
427 DEFFIELD(enc_kdc_rep_12, krb5_enc_kdc_rep_part, enc_padata, 12,
428 opt_ptr_seqof_pa_data);
429 static const struct atype_info *enc_kdc_rep_part_fields[] = {
430 &k5_atype_enc_kdc_rep_0, &k5_atype_enc_kdc_rep_1, &k5_atype_enc_kdc_rep_2,
431 &k5_atype_enc_kdc_rep_3, &k5_atype_enc_kdc_rep_4, &k5_atype_enc_kdc_rep_5,
432 &k5_atype_enc_kdc_rep_6, &k5_atype_enc_kdc_rep_7, &k5_atype_enc_kdc_rep_8,
433 &k5_atype_enc_kdc_rep_9, &k5_atype_enc_kdc_rep_10,
434 &k5_atype_enc_kdc_rep_11, &k5_atype_enc_kdc_rep_12
435 };
436 DEFSEQTYPE(enc_kdc_rep_part, krb5_enc_kdc_rep_part, enc_kdc_rep_part_fields);
437
438 /*
439 * Yuck! Eventually push this *up* above the encoder API and make the
440 * rest of the library put the realm name in one consistent place. At
441 * the same time, might as well add the msg-type field and encode both
442 * AS-REQ and TGS-REQ through the same descriptor.
443 */
444 typedef struct kdc_req_hack {
445 krb5_kdc_req v;
446 krb5_data server_realm;
447 } kdc_req_hack;
448 DEFFIELD(req_body_0, kdc_req_hack, v.kdc_options, 0, krb5_flags);
449 DEFFIELD(req_body_1, kdc_req_hack, v.client, 1, opt_principal);
450 DEFFIELD(req_body_2, kdc_req_hack, server_realm, 2, gstring_data);
451 DEFFIELD(req_body_3, kdc_req_hack, v.server, 3, opt_principal);
452 DEFFIELD(req_body_4, kdc_req_hack, v.from, 4, opt_kerberos_time);
453 DEFFIELD(req_body_5, kdc_req_hack, v.till, 5, kerberos_time);
454 DEFFIELD(req_body_6, kdc_req_hack, v.rtime, 6, opt_kerberos_time);
455 DEFFIELD(req_body_7, kdc_req_hack, v.nonce, 7, int32);
456 DEFCNFIELD(req_body_8, kdc_req_hack, v.ktype, v.nktypes, 8, cseqof_int32);
457 DEFFIELD(req_body_9, kdc_req_hack, v.addresses, 9,
458 opt_ptr_seqof_host_addresses);
459 DEFFIELD(req_body_10, kdc_req_hack, v.authorization_data, 10,
460 opt_encrypted_data);
461 DEFFIELD(req_body_11, kdc_req_hack, v.second_ticket, 11, opt_ptr_seqof_ticket);
462 static const struct atype_info *kdc_req_hack_fields[] = {
463 &k5_atype_req_body_0, &k5_atype_req_body_1, &k5_atype_req_body_2,
464 &k5_atype_req_body_3, &k5_atype_req_body_4, &k5_atype_req_body_5,
465 &k5_atype_req_body_6, &k5_atype_req_body_7, &k5_atype_req_body_8,
466 &k5_atype_req_body_9, &k5_atype_req_body_10, &k5_atype_req_body_11
467 };
468 DEFSEQTYPE(kdc_req_body_hack, kdc_req_hack, kdc_req_hack_fields);
469 static krb5_error_code
encode_kdc_req_body(asn1buf * buf,const void * p,taginfo * tag_out)470 encode_kdc_req_body(asn1buf *buf, const void *p, taginfo *tag_out)
471 {
472 const krb5_kdc_req *val = p;
473 kdc_req_hack h;
474 h.v = *val;
475 if (val->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
476 if (val->second_ticket != NULL && val->second_ticket[0] != NULL)
477 h.server_realm = val->second_ticket[0]->server->realm;
478 else
479 return ASN1_MISSING_FIELD;
480 } else if (val->server != NULL)
481 h.server_realm = val->server->realm;
482 else
483 return ASN1_MISSING_FIELD;
484 return k5_asn1_encode_atype(buf, &h, &k5_atype_kdc_req_body_hack, tag_out);
485 }
486 static void
free_kdc_req_body(void * val)487 free_kdc_req_body(void *val)
488 {
489 krb5_kdc_req *req = val;
490 krb5_free_principal(NULL, req->client);
491 krb5_free_principal(NULL, req->server);
492 free(req->ktype);
493 krb5_free_addresses(NULL, req->addresses);
494 free(req->authorization_data.ciphertext.data);
495 krb5_free_tickets(NULL, req->second_ticket);
496 }
497 static krb5_error_code
decode_kdc_req_body(const taginfo * t,const uint8_t * asn1,size_t len,void * val)498 decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len,
499 void *val)
500 {
501 krb5_error_code ret;
502 kdc_req_hack h;
503 krb5_kdc_req *b = val;
504 memset(&h, 0, sizeof(h));
505 ret = k5_asn1_decode_atype(t, asn1, len, &k5_atype_kdc_req_body_hack, &h);
506 if (ret)
507 return ret;
508 b->kdc_options = h.v.kdc_options;
509 b->client = h.v.client;
510 b->server = h.v.server;
511 b->from = h.v.from;
512 b->till = h.v.till;
513 b->rtime = h.v.rtime;
514 b->nonce = h.v.nonce;
515 b->ktype = h.v.ktype;
516 b->nktypes = h.v.nktypes;
517 b->addresses = h.v.addresses;
518 b->authorization_data = h.v.authorization_data;
519 b->second_ticket = h.v.second_ticket;
520 if (b->client != NULL && b->server != NULL) {
521 ret = krb5int_copy_data_contents(NULL, &h.server_realm,
522 &b->client->realm);
523 if (ret) {
524 free_kdc_req_body(b);
525 free(h.server_realm.data);
526 return ret;
527 }
528 b->server->realm = h.server_realm;
529 } else if (b->client != NULL)
530 b->client->realm = h.server_realm;
531 else if (b->server != NULL)
532 b->server->realm = h.server_realm;
533 else
534 free(h.server_realm.data);
535 return 0;
536 }
537 static int
check_kdc_req_body(const taginfo * t)538 check_kdc_req_body(const taginfo *t)
539 {
540 return (t->asn1class == UNIVERSAL && t->construction == CONSTRUCTED &&
541 t->tagnum == ASN1_SEQUENCE);
542 }
543 DEFFNTYPE(kdc_req_body, krb5_kdc_req, encode_kdc_req_body, decode_kdc_req_body,
544 check_kdc_req_body, free_kdc_req_body);
545 /* end ugly hack */
546
547 DEFFIELD(transited_0, krb5_transited, tr_type, 0, octet);
548 DEFFIELD(transited_1, krb5_transited, tr_contents, 1, ostring_data);
549 static const struct atype_info *transited_fields[] = {
550 &k5_atype_transited_0, &k5_atype_transited_1
551 };
552 DEFSEQTYPE(transited, krb5_transited, transited_fields);
553
554 static int
is_safe_timestamp_set(const void * p)555 is_safe_timestamp_set(const void *p)
556 {
557 const krb5_safe *val = p;
558 return (val->timestamp != 0);
559 }
560 DEFFIELD(safe_body_0, krb5_safe, user_data, 0, ostring_data);
561 DEFFIELD(safe_body_1, krb5_safe, timestamp, 1, opt_kerberos_time);
562 DEFFIELD(safe_body_2_def, krb5_safe, usec, 2, int32);
563 DEFOPTIONALTYPE(safe_body_2, is_safe_timestamp_set, NULL, safe_body_2_def);
564 DEFFIELD(safe_body_3, krb5_safe, seq_number, 3, opt_seqno);
565 DEFFIELD(safe_body_4, krb5_safe, s_address, 4, address_ptr);
566 DEFFIELD(safe_body_5, krb5_safe, r_address, 5, opt_address_ptr);
567 static const struct atype_info *safe_body_fields[] = {
568 &k5_atype_safe_body_0, &k5_atype_safe_body_1, &k5_atype_safe_body_2,
569 &k5_atype_safe_body_3, &k5_atype_safe_body_4, &k5_atype_safe_body_5
570 };
571 DEFSEQTYPE(safe_body, krb5_safe, safe_body_fields);
572
573 DEFFIELD(cred_info_0, krb5_cred_info, session, 0, ptr_encryption_key);
574 DEFFIELD(cred_info_1, krb5_cred_info, client, 1, opt_realm_of_principal);
575 DEFFIELD(cred_info_2, krb5_cred_info, client, 2, opt_principal);
576 DEFFIELD(cred_info_3, krb5_cred_info, flags, 3, opt_krb5_flags);
577 DEFFIELD(cred_info_4, krb5_cred_info, times.authtime, 4, opt_kerberos_time);
578 DEFFIELD(cred_info_5, krb5_cred_info, times.starttime, 5, opt_kerberos_time);
579 DEFFIELD(cred_info_6, krb5_cred_info, times.endtime, 6, opt_kerberos_time);
580 DEFFIELD(cred_info_7, krb5_cred_info, times.renew_till, 7, opt_kerberos_time);
581 DEFFIELD(cred_info_8, krb5_cred_info, server, 8, opt_realm_of_principal);
582 DEFFIELD(cred_info_9, krb5_cred_info, server, 9, opt_principal);
583 DEFFIELD(cred_info_10, krb5_cred_info, caddrs, 10,
584 opt_ptr_seqof_host_addresses);
585 static const struct atype_info *krb_cred_info_fields[] = {
586 &k5_atype_cred_info_0, &k5_atype_cred_info_1, &k5_atype_cred_info_2,
587 &k5_atype_cred_info_3, &k5_atype_cred_info_4, &k5_atype_cred_info_5,
588 &k5_atype_cred_info_6, &k5_atype_cred_info_7, &k5_atype_cred_info_8,
589 &k5_atype_cred_info_9, &k5_atype_cred_info_10
590 };
591 DEFSEQTYPE(cred_info, krb5_cred_info, krb_cred_info_fields);
592 DEFPTRTYPE(cred_info_ptr, cred_info);
593 DEFNULLTERMSEQOFTYPE(seqof_cred_info, cred_info_ptr);
594
595 DEFPTRTYPE(ptrseqof_cred_info, seqof_cred_info);
596
597 static int
is_salt_present(const void * p)598 is_salt_present(const void *p)
599 {
600 const krb5_etype_info_entry *val = p;
601 return (val->length != KRB5_ETYPE_NO_SALT);
602 }
603 static void
init_no_salt(void * p)604 init_no_salt(void *p)
605 {
606 krb5_etype_info_entry *val = p;
607 val->length = KRB5_ETYPE_NO_SALT;
608 }
609 DEFFIELD(etype_info_0, krb5_etype_info_entry, etype, 0, int32);
610 DEFCNFIELD(etype_info_1_def, krb5_etype_info_entry, salt, length, 1,
611 octetstring);
612 DEFOPTIONALTYPE(etype_info_1, is_salt_present, init_no_salt, etype_info_1_def);
613 static const struct atype_info *etype_info_entry_fields[] = {
614 &k5_atype_etype_info_0, &k5_atype_etype_info_1
615 };
616 DEFSEQTYPE(etype_info_entry, krb5_etype_info_entry, etype_info_entry_fields);
617
618 /* First field is the same as etype-info. */
619 DEFCNFIELD(etype_info2_1_def, krb5_etype_info_entry, salt, length, 1,
620 u_generalstring);
621 DEFOPTIONALTYPE(etype_info2_1, is_salt_present, init_no_salt,
622 etype_info2_1_def);
623 DEFFIELD(etype_info2_2, krb5_etype_info_entry, s2kparams, 2, opt_ostring_data);
624 static const struct atype_info *etype_info2_entry_fields[] = {
625 &k5_atype_etype_info_0, &k5_atype_etype_info2_1, &k5_atype_etype_info2_2
626 };
627 DEFSEQTYPE(etype_info2_entry, krb5_etype_info_entry, etype_info2_entry_fields);
628
629 DEFPTRTYPE(etype_info_entry_ptr, etype_info_entry);
630 DEFNULLTERMSEQOFTYPE(etype_info, etype_info_entry_ptr);
631
632 DEFPTRTYPE(etype_info2_entry_ptr, etype_info2_entry);
633 DEFNULLTERMSEQOFTYPE(etype_info2, etype_info2_entry_ptr);
634
635 DEFFIELD(sch_0, krb5_sam_challenge_2, sam_challenge_2_body, 0, der_data);
636 DEFFIELD(sch_1, krb5_sam_challenge_2, sam_cksum, 1, ptr_seqof_checksum);
637 static const struct atype_info *sam_challenge_2_fields[] = {
638 &k5_atype_sch_0, &k5_atype_sch_1
639 };
640 DEFSEQTYPE(sam_challenge_2, krb5_sam_challenge_2, sam_challenge_2_fields);
641
642 DEFFIELD(schb_0, krb5_sam_challenge_2_body, sam_type, 0, int32);
643 DEFFIELD(schb_1, krb5_sam_challenge_2_body, sam_flags, 1, krb5_flags);
644 DEFFIELD(schb_2, krb5_sam_challenge_2_body, sam_type_name, 2,
645 opt_ostring_data);
646 DEFFIELD(schb_3, krb5_sam_challenge_2_body, sam_track_id, 3, opt_ostring_data);
647 DEFFIELD(schb_4, krb5_sam_challenge_2_body, sam_challenge_label, 4,
648 opt_ostring_data);
649 DEFFIELD(schb_5, krb5_sam_challenge_2_body, sam_challenge, 5,
650 opt_ostring_data);
651 DEFFIELD(schb_6, krb5_sam_challenge_2_body, sam_response_prompt, 6,
652 opt_ostring_data);
653 DEFFIELD(schb_7, krb5_sam_challenge_2_body, sam_pk_for_sad, 7,
654 opt_ostring_data);
655 DEFFIELD(schb_8, krb5_sam_challenge_2_body, sam_nonce, 8, int32);
656 DEFFIELD(schb_9, krb5_sam_challenge_2_body, sam_etype, 9, int32);
657 static const struct atype_info *sam_challenge_2_body_fields[] = {
658 &k5_atype_schb_0, &k5_atype_schb_1, &k5_atype_schb_2, &k5_atype_schb_3,
659 &k5_atype_schb_4, &k5_atype_schb_5, &k5_atype_schb_6, &k5_atype_schb_7,
660 &k5_atype_schb_8, &k5_atype_schb_9
661 };
662 DEFSEQTYPE(sam_challenge_2_body,krb5_sam_challenge_2_body,
663 sam_challenge_2_body_fields);
664
665 DEFFIELD(esre_0, krb5_enc_sam_response_enc_2, sam_nonce, 0, int32);
666 DEFFIELD(esre_1, krb5_enc_sam_response_enc_2, sam_sad, 1, opt_ostring_data);
667 static const struct atype_info *enc_sam_response_enc_2_fields[] = {
668 &k5_atype_esre_0, &k5_atype_esre_1
669 };
670 DEFSEQTYPE(enc_sam_response_enc_2, krb5_enc_sam_response_enc_2,
671 enc_sam_response_enc_2_fields);
672
673 DEFFIELD(sam_resp_0, krb5_sam_response_2, sam_type, 0, int32);
674 DEFFIELD(sam_resp_1, krb5_sam_response_2, sam_flags, 1, krb5_flags);
675 DEFFIELD(sam_resp_2, krb5_sam_response_2, sam_track_id, 2, opt_ostring_data);
676 DEFFIELD(sam_resp_3, krb5_sam_response_2, sam_enc_nonce_or_sad, 3,
677 encrypted_data);
678 DEFFIELD(sam_resp_4, krb5_sam_response_2, sam_nonce, 4, int32);
679 static const struct atype_info *sam_response_2_fields[] = {
680 &k5_atype_sam_resp_0, &k5_atype_sam_resp_1, &k5_atype_sam_resp_2,
681 &k5_atype_sam_resp_3, &k5_atype_sam_resp_4
682 };
683 DEFSEQTYPE(sam_response_2, krb5_sam_response_2, sam_response_2_fields);
684
685 DEFCTAGGEDTYPE(authenticator_0, 0, krb5_version);
686 DEFFIELD(authenticator_1, krb5_authenticator, client, 1, realm_of_principal);
687 DEFFIELD(authenticator_2, krb5_authenticator, client, 2, principal);
688 DEFFIELD(authenticator_3, krb5_authenticator, checksum, 3, opt_checksum_ptr);
689 DEFFIELD(authenticator_4, krb5_authenticator, cusec, 4, int32);
690 DEFFIELD(authenticator_5, krb5_authenticator, ctime, 5, kerberos_time);
691 DEFFIELD(authenticator_6, krb5_authenticator, subkey, 6,
692 opt_ptr_encryption_key);
693 DEFFIELD(authenticator_7, krb5_authenticator, seq_number, 7, opt_seqno);
694 DEFFIELD(authenticator_8, krb5_authenticator, authorization_data, 8,
695 opt_auth_data_ptr);
696 static const struct atype_info *authenticator_fields[] = {
697 &k5_atype_authenticator_0, &k5_atype_authenticator_1,
698 &k5_atype_authenticator_2, &k5_atype_authenticator_3,
699 &k5_atype_authenticator_4, &k5_atype_authenticator_5,
700 &k5_atype_authenticator_6, &k5_atype_authenticator_7,
701 &k5_atype_authenticator_8
702 };
703 DEFSEQTYPE(untagged_authenticator, krb5_authenticator, authenticator_fields);
704 DEFAPPTAGGEDTYPE(authenticator, 2, untagged_authenticator);
705
706 DEFFIELD(enc_tkt_0, krb5_enc_tkt_part, flags, 0, krb5_flags);
707 DEFFIELD(enc_tkt_1, krb5_enc_tkt_part, session, 1, ptr_encryption_key);
708 DEFFIELD(enc_tkt_2, krb5_enc_tkt_part, client, 2, realm_of_principal);
709 DEFFIELD(enc_tkt_3, krb5_enc_tkt_part, client, 3, principal);
710 DEFFIELD(enc_tkt_4, krb5_enc_tkt_part, transited, 4, transited);
711 DEFFIELD(enc_tkt_5, krb5_enc_tkt_part, times.authtime, 5, kerberos_time);
712 DEFFIELD(enc_tkt_6, krb5_enc_tkt_part, times.starttime, 6, opt_kerberos_time);
713 DEFFIELD(enc_tkt_7, krb5_enc_tkt_part, times.endtime, 7, kerberos_time);
714 DEFFIELD(enc_tkt_8, krb5_enc_tkt_part, times.renew_till, 8, opt_kerberos_time);
715 DEFFIELD(enc_tkt_9, krb5_enc_tkt_part, caddrs, 9,
716 opt_ptr_seqof_host_addresses);
717 DEFFIELD(enc_tkt_10, krb5_enc_tkt_part, authorization_data, 10,
718 opt_auth_data_ptr);
719 static const struct atype_info *enc_tkt_part_fields[] = {
720 &k5_atype_enc_tkt_0, &k5_atype_enc_tkt_1, &k5_atype_enc_tkt_2,
721 &k5_atype_enc_tkt_3, &k5_atype_enc_tkt_4, &k5_atype_enc_tkt_5,
722 &k5_atype_enc_tkt_6, &k5_atype_enc_tkt_7, &k5_atype_enc_tkt_8,
723 &k5_atype_enc_tkt_9, &k5_atype_enc_tkt_10
724 };
725 DEFSEQTYPE(untagged_enc_tkt_part, krb5_enc_tkt_part, enc_tkt_part_fields);
726 DEFAPPTAGGEDTYPE(enc_tkt_part, 3, untagged_enc_tkt_part);
727
728 DEFAPPTAGGEDTYPE(enc_as_rep_part, 25, enc_kdc_rep_part);
729 DEFAPPTAGGEDTYPE(enc_tgs_rep_part, 26, enc_kdc_rep_part);
730
731 DEFCTAGGEDTYPE(kdc_rep_0, 0, krb5_version);
732 DEFFIELD(kdc_rep_1, krb5_kdc_rep, msg_type, 1, uint);
733 DEFFIELD(kdc_rep_2, krb5_kdc_rep, padata, 2, opt_ptr_seqof_pa_data);
734 DEFFIELD(kdc_rep_3, krb5_kdc_rep, client, 3, realm_of_principal);
735 DEFFIELD(kdc_rep_4, krb5_kdc_rep, client, 4, principal);
736 DEFFIELD(kdc_rep_5, krb5_kdc_rep, ticket, 5, ticket_ptr);
737 DEFFIELD(kdc_rep_6, krb5_kdc_rep, enc_part, 6, encrypted_data);
738 static const struct atype_info *kdc_rep_fields[] = {
739 &k5_atype_kdc_rep_0, &k5_atype_kdc_rep_1, &k5_atype_kdc_rep_2,
740 &k5_atype_kdc_rep_3, &k5_atype_kdc_rep_4, &k5_atype_kdc_rep_5,
741 &k5_atype_kdc_rep_6
742 };
743 DEFSEQTYPE(kdc_rep, krb5_kdc_rep, kdc_rep_fields);
744 DEFAPPTAGGEDTYPE(as_rep, 11, kdc_rep);
745 DEFAPPTAGGEDTYPE(tgs_rep, 13, kdc_rep);
746
747 DEFINT_IMMEDIATE(ap_req_msg_type, ASN1_KRB_AP_REQ, 0);
748 DEFCTAGGEDTYPE(ap_req_0, 0, krb5_version);
749 DEFCTAGGEDTYPE(ap_req_1, 1, ap_req_msg_type);
750 DEFFIELD(ap_req_2, krb5_ap_req, ap_options, 2, krb5_flags);
751 DEFFIELD(ap_req_3, krb5_ap_req, ticket, 3, ticket_ptr);
752 DEFFIELD(ap_req_4, krb5_ap_req, authenticator, 4, encrypted_data);
753 static const struct atype_info *ap_req_fields[] = {
754 &k5_atype_ap_req_0, &k5_atype_ap_req_1, &k5_atype_ap_req_2,
755 &k5_atype_ap_req_3, &k5_atype_ap_req_4
756 };
757 DEFSEQTYPE(untagged_ap_req, krb5_ap_req, ap_req_fields);
758 DEFAPPTAGGEDTYPE(ap_req, 14, untagged_ap_req);
759
760 DEFINT_IMMEDIATE(ap_rep_msg_type, ASN1_KRB_AP_REP, 0);
761 DEFCTAGGEDTYPE(ap_rep_0, 0, krb5_version);
762 DEFCTAGGEDTYPE(ap_rep_1, 1, ap_rep_msg_type);
763 DEFFIELD(ap_rep_2, krb5_ap_rep, enc_part, 2, encrypted_data);
764 static const struct atype_info *ap_rep_fields[] = {
765 &k5_atype_ap_rep_0, &k5_atype_ap_rep_1, &k5_atype_ap_rep_2
766 };
767 DEFSEQTYPE(untagged_ap_rep, krb5_ap_rep, ap_rep_fields);
768 DEFAPPTAGGEDTYPE(ap_rep, 15, untagged_ap_rep);
769
770 DEFFIELD(ap_rep_enc_part_0, krb5_ap_rep_enc_part, ctime, 0, kerberos_time);
771 DEFFIELD(ap_rep_enc_part_1, krb5_ap_rep_enc_part, cusec, 1, int32);
772 DEFFIELD(ap_rep_enc_part_2, krb5_ap_rep_enc_part, subkey, 2,
773 opt_ptr_encryption_key);
774 DEFFIELD(ap_rep_enc_part_3, krb5_ap_rep_enc_part, seq_number, 3, opt_seqno);
775 static const struct atype_info *ap_rep_enc_part_fields[] = {
776 &k5_atype_ap_rep_enc_part_0, &k5_atype_ap_rep_enc_part_1,
777 &k5_atype_ap_rep_enc_part_2, &k5_atype_ap_rep_enc_part_3
778 };
779 DEFSEQTYPE(untagged_ap_rep_enc_part, krb5_ap_rep_enc_part,
780 ap_rep_enc_part_fields);
781 DEFAPPTAGGEDTYPE(ap_rep_enc_part, 27, untagged_ap_rep_enc_part);
782
783 /* First context tag is 1. Fourth field is the encoding of the krb5_kdc_req
784 * structure as a KDC-REQ-BODY. */
785 DEFCTAGGEDTYPE(kdc_req_1, 1, krb5_version);
786 DEFFIELD(kdc_req_2, krb5_kdc_req, msg_type, 2, uint);
787 DEFFIELD(kdc_req_3, krb5_kdc_req, padata, 3, opt_ptr_seqof_pa_data);
788 DEFCTAGGEDTYPE(kdc_req_4, 4, kdc_req_body);
789 static const struct atype_info *kdc_req_fields[] = {
790 &k5_atype_kdc_req_1, &k5_atype_kdc_req_2, &k5_atype_kdc_req_3,
791 &k5_atype_kdc_req_4
792 };
793 DEFSEQTYPE(kdc_req, krb5_kdc_req, kdc_req_fields);
794 DEFAPPTAGGEDTYPE(as_req, 10, kdc_req);
795 DEFAPPTAGGEDTYPE(tgs_req, 12, kdc_req);
796
797 /* This is only needed because libkrb5 doesn't set msg_type when encoding
798 * krb5_kdc_reqs. If we fix that, we can use the above types for encoding. */
799 DEFINT_IMMEDIATE(as_req_msg_type, KRB5_AS_REQ, 0);
800 DEFCTAGGEDTYPE(as_req_2, 2, as_req_msg_type);
801 DEFINT_IMMEDIATE(tgs_req_msg_type, KRB5_TGS_REQ, 0);
802 DEFCTAGGEDTYPE(tgs_req_2, 2, tgs_req_msg_type);
803 static const struct atype_info *as_req_fields[] = {
804 &k5_atype_kdc_req_1, &k5_atype_as_req_2, &k5_atype_kdc_req_3,
805 &k5_atype_kdc_req_4
806 };
807 static const struct atype_info *tgs_req_fields[] = {
808 &k5_atype_kdc_req_1, &k5_atype_tgs_req_2, &k5_atype_kdc_req_3,
809 &k5_atype_kdc_req_4
810 };
811 DEFSEQTYPE(untagged_as_req, krb5_kdc_req, as_req_fields);
812 DEFAPPTAGGEDTYPE(as_req_encode, 10, untagged_as_req);
813 DEFSEQTYPE(untagged_tgs_req, krb5_kdc_req, tgs_req_fields);
814 DEFAPPTAGGEDTYPE(tgs_req_encode, 12, untagged_tgs_req);
815
816 DEFINT_IMMEDIATE(safe_msg_type, ASN1_KRB_SAFE, 0);
817 DEFCTAGGEDTYPE(safe_0, 0, krb5_version);
818 DEFCTAGGEDTYPE(safe_1, 1, safe_msg_type);
819 DEFCTAGGEDTYPE(safe_2, 2, safe_body);
820 DEFFIELD(safe_3, krb5_safe, checksum, 3, checksum_ptr);
821 static const struct atype_info *safe_fields[] = {
822 &k5_atype_safe_0, &k5_atype_safe_1, &k5_atype_safe_2, &k5_atype_safe_3
823 };
824 DEFSEQTYPE(untagged_safe, krb5_safe, safe_fields);
825 DEFAPPTAGGEDTYPE(safe, 20, untagged_safe);
826
827 /* Hack to encode a KRB-SAFE with a pre-specified body encoding. The integer-
828 * immediate fields are borrowed from krb5_safe_fields above. */
829 DEFPTRTYPE(saved_safe_body_ptr, der_data);
830 DEFOFFSETTYPE(safe_checksum_only, krb5_safe, checksum, checksum_ptr);
831 DEFPTRTYPE(safe_checksum_only_ptr, safe_checksum_only);
832 DEFFIELD(safe_with_body_2, struct krb5_safe_with_body, body, 2,
833 saved_safe_body_ptr);
834 DEFFIELD(safe_with_body_3, struct krb5_safe_with_body, safe, 3,
835 safe_checksum_only_ptr);
836 static const struct atype_info *safe_with_body_fields[] = {
837 &k5_atype_safe_0, &k5_atype_safe_1, &k5_atype_safe_with_body_2,
838 &k5_atype_safe_with_body_3
839 };
840 DEFSEQTYPE(untagged_safe_with_body, struct krb5_safe_with_body,
841 safe_with_body_fields);
842 DEFAPPTAGGEDTYPE(safe_with_body, 20, untagged_safe_with_body);
843
844 /* Third tag is [3] instead of [2]. */
845 DEFINT_IMMEDIATE(priv_msg_type, ASN1_KRB_PRIV, 0);
846 DEFCTAGGEDTYPE(priv_0, 0, krb5_version);
847 DEFCTAGGEDTYPE(priv_1, 1, priv_msg_type);
848 DEFFIELD(priv_3, krb5_priv, enc_part, 3, encrypted_data);
849 static const struct atype_info *priv_fields[] = {
850 &k5_atype_priv_0, &k5_atype_priv_1, &k5_atype_priv_3
851 };
852 DEFSEQTYPE(untagged_priv, krb5_priv, priv_fields);
853 DEFAPPTAGGEDTYPE(priv, 21, untagged_priv);
854
855 static int
is_priv_timestamp_set(const void * p)856 is_priv_timestamp_set(const void *p)
857 {
858 const krb5_priv_enc_part *val = p;
859 return (val->timestamp != 0);
860 }
861 DEFFIELD(priv_enc_part_0, krb5_priv_enc_part, user_data, 0, ostring_data);
862 DEFFIELD(priv_enc_part_1, krb5_priv_enc_part, timestamp, 1, opt_kerberos_time);
863 DEFFIELD(priv_enc_part_2_def, krb5_priv_enc_part, usec, 2, int32);
864 DEFOPTIONALTYPE(priv_enc_part_2, is_priv_timestamp_set, NULL,
865 priv_enc_part_2_def);
866 DEFFIELD(priv_enc_part_3, krb5_priv_enc_part, seq_number, 3, opt_seqno);
867 DEFFIELD(priv_enc_part_4, krb5_priv_enc_part, s_address, 4, address_ptr);
868 DEFFIELD(priv_enc_part_5, krb5_priv_enc_part, r_address, 5, opt_address_ptr);
869 static const struct atype_info *priv_enc_part_fields[] = {
870 &k5_atype_priv_enc_part_0, &k5_atype_priv_enc_part_1,
871 &k5_atype_priv_enc_part_2, &k5_atype_priv_enc_part_3,
872 &k5_atype_priv_enc_part_4, &k5_atype_priv_enc_part_5
873 };
874 DEFSEQTYPE(untagged_priv_enc_part, krb5_priv_enc_part, priv_enc_part_fields);
875 DEFAPPTAGGEDTYPE(priv_enc_part, 28, untagged_priv_enc_part);
876
877 DEFINT_IMMEDIATE(cred_msg_type, ASN1_KRB_CRED, 0);
878 DEFCTAGGEDTYPE(cred_0, 0, krb5_version);
879 DEFCTAGGEDTYPE(cred_1, 1, cred_msg_type);
880 DEFFIELD(cred_2, krb5_cred, tickets, 2, ptr_seqof_ticket);
881 DEFFIELD(cred_3, krb5_cred, enc_part, 3, encrypted_data);
882 static const struct atype_info *cred_fields[] = {
883 &k5_atype_cred_0, &k5_atype_cred_1, &k5_atype_cred_2, &k5_atype_cred_3
884 };
885 DEFSEQTYPE(untagged_cred, krb5_cred, cred_fields);
886 DEFAPPTAGGEDTYPE(krb5_cred, 22, untagged_cred);
887
888 static int
is_cred_timestamp_set(const void * p)889 is_cred_timestamp_set(const void *p)
890 {
891 const krb5_cred_enc_part *val = p;
892 return (val->timestamp != 0);
893 }
894 DEFFIELD(enc_cred_part_0, krb5_cred_enc_part, ticket_info, 0,
895 ptrseqof_cred_info);
896 DEFFIELD(enc_cred_part_1, krb5_cred_enc_part, nonce, 1, opt_int32);
897 DEFFIELD(enc_cred_part_2, krb5_cred_enc_part, timestamp, 2, opt_kerberos_time);
898 DEFFIELD(enc_cred_part_3_def, krb5_cred_enc_part, usec, 3, int32);
899 DEFOPTIONALTYPE(enc_cred_part_3, is_cred_timestamp_set, NULL,
900 enc_cred_part_3_def);
901 DEFFIELD(enc_cred_part_4, krb5_cred_enc_part, s_address, 4, opt_address_ptr);
902 DEFFIELD(enc_cred_part_5, krb5_cred_enc_part, r_address, 5, opt_address_ptr);
903 static const struct atype_info *enc_cred_part_fields[] = {
904 &k5_atype_enc_cred_part_0, &k5_atype_enc_cred_part_1,
905 &k5_atype_enc_cred_part_2, &k5_atype_enc_cred_part_3,
906 &k5_atype_enc_cred_part_4, &k5_atype_enc_cred_part_5
907 };
908 DEFSEQTYPE(untagged_enc_cred_part, krb5_cred_enc_part, enc_cred_part_fields);
909 DEFAPPTAGGEDTYPE(enc_cred_part, 29, untagged_enc_cred_part);
910
911 DEFINT_IMMEDIATE(error_msg_type, ASN1_KRB_ERROR, 0);
912 DEFCTAGGEDTYPE(error_0, 0, krb5_version);
913 DEFCTAGGEDTYPE(error_1, 1, error_msg_type);
914 DEFFIELD(error_2, krb5_error, ctime, 2, opt_kerberos_time);
915 DEFFIELD(error_3, krb5_error, cusec, 3, opt_int32);
916 DEFFIELD(error_4, krb5_error, stime, 4, kerberos_time);
917 DEFFIELD(error_5, krb5_error, susec, 5, int32);
918 DEFFIELD(error_6, krb5_error, error, 6, uint32);
919 DEFFIELD(error_7, krb5_error, client, 7, opt_realm_of_principal);
920 DEFFIELD(error_8, krb5_error, client, 8, opt_principal);
921 DEFFIELD(error_9, krb5_error, server, 9, realm_of_principal);
922 DEFFIELD(error_10, krb5_error, server, 10, principal);
923 DEFFIELD(error_11, krb5_error, text, 11, opt_gstring_data);
924 DEFFIELD(error_12, krb5_error, e_data, 12, opt_ostring_data);
925 static const struct atype_info *error_fields[] = {
926 &k5_atype_error_0, &k5_atype_error_1, &k5_atype_error_2, &k5_atype_error_3,
927 &k5_atype_error_4, &k5_atype_error_5, &k5_atype_error_6, &k5_atype_error_7,
928 &k5_atype_error_8, &k5_atype_error_9, &k5_atype_error_10,
929 &k5_atype_error_11, &k5_atype_error_12
930 };
931 DEFSEQTYPE(untagged_krb5_error, krb5_error, error_fields);
932 DEFAPPTAGGEDTYPE(krb5_error, 30, untagged_krb5_error);
933
934 DEFFIELD(pa_enc_ts_0, krb5_pa_enc_ts, patimestamp, 0, kerberos_time);
935 DEFFIELD(pa_enc_ts_1, krb5_pa_enc_ts, pausec, 1, opt_int32);
936 static const struct atype_info *pa_enc_ts_fields[] = {
937 &k5_atype_pa_enc_ts_0, &k5_atype_pa_enc_ts_1
938 };
939 DEFSEQTYPE(pa_enc_ts, krb5_pa_enc_ts, pa_enc_ts_fields);
940
941 DEFFIELD(setpw_0, struct krb5_setpw_req, password, 0, ostring_data);
942 DEFFIELD(setpw_1, struct krb5_setpw_req, target, 1, principal);
943 DEFFIELD(setpw_2, struct krb5_setpw_req, target, 2, realm_of_principal);
944 static const struct atype_info *setpw_req_fields[] = {
945 &k5_atype_setpw_0, &k5_atype_setpw_1, &k5_atype_setpw_2
946 };
947 DEFSEQTYPE(setpw_req, struct krb5_setpw_req, setpw_req_fields);
948
949 /* [MS-SFU] Section 2.2.1. */
950 DEFFIELD(pa_for_user_0, krb5_pa_for_user, user, 0, principal);
951 DEFFIELD(pa_for_user_1, krb5_pa_for_user, user, 1, realm_of_principal);
952 DEFFIELD(pa_for_user_2, krb5_pa_for_user, cksum, 2, checksum);
953 DEFFIELD(pa_for_user_3, krb5_pa_for_user, auth_package, 3, gstring_data);
954 static const struct atype_info *pa_for_user_fields[] = {
955 &k5_atype_pa_for_user_0, &k5_atype_pa_for_user_1, &k5_atype_pa_for_user_2,
956 &k5_atype_pa_for_user_3,
957 };
958 DEFSEQTYPE(pa_for_user, krb5_pa_for_user, pa_for_user_fields);
959
960 /* [MS-SFU] Section 2.2.2. */
961 /* The user principal name may be absent, but the realm is required. */
962 static int
is_s4u_principal_present(const void * p)963 is_s4u_principal_present(const void *p)
964 {
965 krb5_const_principal val = *(krb5_const_principal *)p;
966 return (val->length != 0);
967 }
968 DEFOPTIONALTYPE(opt_s4u_principal, is_s4u_principal_present, NULL, principal);
969 DEFFIELD(s4u_userid_0, krb5_s4u_userid, nonce, 0, int32);
970 DEFFIELD(s4u_userid_1, krb5_s4u_userid, user, 1, opt_s4u_principal);
971 DEFFIELD(s4u_userid_2, krb5_s4u_userid, user, 2, realm_of_principal);
972 DEFFIELD(s4u_userid_3, krb5_s4u_userid, subject_cert, 3, opt_ostring_data);
973 DEFFIELD(s4u_userid_4, krb5_s4u_userid, options, 4, opt_krb5_flags);
974 static const struct atype_info *s4u_userid_fields[] = {
975 &k5_atype_s4u_userid_0, &k5_atype_s4u_userid_1, &k5_atype_s4u_userid_2,
976 &k5_atype_s4u_userid_3, &k5_atype_s4u_userid_4
977 };
978 DEFSEQTYPE(s4u_userid, krb5_s4u_userid, s4u_userid_fields);
979
980 DEFFIELD(pa_s4u_x509_user_0, krb5_pa_s4u_x509_user, user_id, 0, s4u_userid);
981 DEFFIELD(pa_s4u_x509_user_1, krb5_pa_s4u_x509_user, cksum, 1, checksum);
982 static const struct atype_info *pa_s4u_x509_user_fields[] = {
983 &k5_atype_pa_s4u_x509_user_0, &k5_atype_pa_s4u_x509_user_1
984 };
985 DEFSEQTYPE(pa_s4u_x509_user, krb5_pa_s4u_x509_user, pa_s4u_x509_user_fields);
986
987 DEFFIELD(pa_pac_req_0, krb5_pa_pac_req, include_pac, 0, boolean);
988 static const struct atype_info *pa_pac_req_fields[] = {
989 &k5_atype_pa_pac_req_0
990 };
991 DEFSEQTYPE(pa_pac_req, krb5_pa_pac_req, pa_pac_req_fields);
992
993 /* RFC 4537 */
994 DEFCOUNTEDTYPE(etype_list, krb5_etype_list, etypes, length, cseqof_int32);
995
996 /* draft-ietf-krb-wg-preauth-framework-09 */
997 DEFFIELD(fast_armor_0, krb5_fast_armor, armor_type, 0, int32);
998 DEFFIELD(fast_armor_1, krb5_fast_armor, armor_value, 1, ostring_data);
999 static const struct atype_info *fast_armor_fields[] = {
1000 &k5_atype_fast_armor_0, &k5_atype_fast_armor_1
1001 };
1002 DEFSEQTYPE(fast_armor, krb5_fast_armor, fast_armor_fields);
1003 DEFPTRTYPE(ptr_fast_armor, fast_armor);
1004 DEFOPTIONALZEROTYPE(opt_ptr_fast_armor, ptr_fast_armor);
1005
1006 DEFFIELD(fast_armored_req_0, krb5_fast_armored_req, armor, 0,
1007 opt_ptr_fast_armor);
1008 DEFFIELD(fast_armored_req_1, krb5_fast_armored_req, req_checksum, 1, checksum);
1009 DEFFIELD(fast_armored_req_2, krb5_fast_armored_req, enc_part, 2,
1010 encrypted_data);
1011 static const struct atype_info *fast_armored_req_fields[] = {
1012 &k5_atype_fast_armored_req_0, &k5_atype_fast_armored_req_1,
1013 &k5_atype_fast_armored_req_2
1014 };
1015 DEFSEQTYPE(fast_armored_req, krb5_fast_armored_req, fast_armored_req_fields);
1016
1017 /* This is a CHOICE type with only one choice (so far) and we're not using a
1018 * distinguisher/union for it. */
1019 DEFTAGGEDTYPE(pa_fx_fast_request, CONTEXT_SPECIFIC, CONSTRUCTED, 0, 0,
1020 fast_armored_req);
1021
1022 DEFOFFSETTYPE(fast_req_padata, krb5_kdc_req, padata, ptr_seqof_pa_data);
1023 DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata);
1024 DEFPTRTYPE(ptr_kdc_req_body, kdc_req_body);
1025 DEFFIELD(fast_req_0, krb5_fast_req, fast_options, 0, krb5_flags);
1026 DEFFIELD(fast_req_1, krb5_fast_req, req_body, 1, ptr_fast_req_padata);
1027 DEFFIELD(fast_req_2, krb5_fast_req, req_body, 2, ptr_kdc_req_body);
1028 static const struct atype_info *fast_req_fields[] = {
1029 &k5_atype_fast_req_0, &k5_atype_fast_req_1, &k5_atype_fast_req_2
1030 };
1031 DEFSEQTYPE(fast_req, krb5_fast_req, fast_req_fields);
1032
1033 DEFFIELD(fast_finished_0, krb5_fast_finished, timestamp, 0, kerberos_time);
1034 DEFFIELD(fast_finished_1, krb5_fast_finished, usec, 1, int32);
1035 DEFFIELD(fast_finished_2, krb5_fast_finished, client, 2, realm_of_principal);
1036 DEFFIELD(fast_finished_3, krb5_fast_finished, client, 3, principal);
1037 DEFFIELD(fast_finished_4, krb5_fast_finished, ticket_checksum, 4, checksum);
1038 static const struct atype_info *fast_finished_fields[] = {
1039 &k5_atype_fast_finished_0, &k5_atype_fast_finished_1,
1040 &k5_atype_fast_finished_2, &k5_atype_fast_finished_3,
1041 &k5_atype_fast_finished_4
1042 };
1043 DEFSEQTYPE(fast_finished, krb5_fast_finished, fast_finished_fields);
1044 DEFPTRTYPE(ptr_fast_finished, fast_finished);
1045 DEFOPTIONALZEROTYPE(opt_ptr_fast_finished, ptr_fast_finished);
1046
1047 DEFFIELD(fast_response_0, krb5_fast_response, padata, 0, ptr_seqof_pa_data);
1048 DEFFIELD(fast_response_1, krb5_fast_response, strengthen_key, 1,
1049 opt_ptr_encryption_key);
1050 DEFFIELD(fast_response_2, krb5_fast_response, finished, 2,
1051 opt_ptr_fast_finished);
1052 DEFFIELD(fast_response_3, krb5_fast_response, nonce, 3, int32);
1053 static const struct atype_info *fast_response_fields[] = {
1054 &k5_atype_fast_response_0, &k5_atype_fast_response_1,
1055 &k5_atype_fast_response_2, &k5_atype_fast_response_3
1056 };
1057 DEFSEQTYPE(fast_response, krb5_fast_response, fast_response_fields);
1058
1059 DEFCTAGGEDTYPE(fast_rep_0, 0, encrypted_data);
1060 static const struct atype_info *fast_rep_fields[] = {
1061 &k5_atype_fast_rep_0
1062 };
1063 DEFSEQTYPE(fast_rep, krb5_enc_data, fast_rep_fields);
1064
1065 /* This is a CHOICE type with only one choice (so far) and we're not using a
1066 * distinguisher/union for it. */
1067 DEFTAGGEDTYPE(pa_fx_fast_reply, CONTEXT_SPECIFIC, CONSTRUCTED, 0, 0,
1068 fast_rep);
1069
1070 DEFFIELD(ad_kdcissued_0, krb5_ad_kdcissued, ad_checksum, 0, checksum);
1071 DEFFIELD(ad_kdcissued_1, krb5_ad_kdcissued, i_principal, 1,
1072 opt_realm_of_principal);
1073 DEFFIELD(ad_kdcissued_2, krb5_ad_kdcissued, i_principal, 2, opt_principal);
1074 DEFFIELD(ad_kdcissued_3, krb5_ad_kdcissued, elements, 3, auth_data_ptr);
1075 static const struct atype_info *ad_kdcissued_fields[] = {
1076 &k5_atype_ad_kdcissued_0, &k5_atype_ad_kdcissued_1,
1077 &k5_atype_ad_kdcissued_2, &k5_atype_ad_kdcissued_3
1078 };
1079 DEFSEQTYPE(ad_kdc_issued, krb5_ad_kdcissued, ad_kdcissued_fields);
1080
1081 DEFCTAGGEDTYPE(princ_plus_realm_0, 0, principal_data);
1082 DEFCTAGGEDTYPE(princ_plus_realm_1, 1, realm_of_principal_data);
1083 static const struct atype_info *princ_plus_realm_fields[] = {
1084 &k5_atype_princ_plus_realm_0, &k5_atype_princ_plus_realm_1
1085 };
1086 DEFSEQTYPE(princ_plus_realm_data, krb5_principal_data,
1087 princ_plus_realm_fields);
1088 DEFPTRTYPE(princ_plus_realm, princ_plus_realm_data);
1089 DEFNULLTERMSEQOFTYPE(seqof_princ_plus_realm, princ_plus_realm);
1090 DEFPTRTYPE(ptr_seqof_princ_plus_realm, seqof_princ_plus_realm);
1091 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_princ_plus_realm,
1092 ptr_seqof_princ_plus_realm);
1093
1094 /* First context tag is 1, not 0. */
1095 DEFFIELD(iakerb_header_1, krb5_iakerb_header, target_realm, 1, ostring_data);
1096 DEFFIELD(iakerb_header_2, krb5_iakerb_header, cookie, 2, opt_ostring_data_ptr);
1097 static const struct atype_info *iakerb_header_fields[] = {
1098 &k5_atype_iakerb_header_1, &k5_atype_iakerb_header_2
1099 };
1100 DEFSEQTYPE(iakerb_header, krb5_iakerb_header, iakerb_header_fields);
1101
1102 /* First context tag is 1, not 0. */
1103 DEFFIELD(iakerb_finished_0, krb5_iakerb_finished, checksum, 1, checksum);
1104 static const struct atype_info *iakerb_finished_fields[] = {
1105 &k5_atype_iakerb_finished_0
1106 };
1107 DEFSEQTYPE(iakerb_finished, krb5_iakerb_finished, iakerb_finished_fields);
1108
1109 /* Exported complete encoders -- these produce a krb5_data with
1110 the encoding in the correct byte order. */
1111
1112 MAKE_ENCODER(encode_krb5_authenticator, authenticator);
1113 MAKE_DECODER(decode_krb5_authenticator, authenticator);
1114 MAKE_ENCODER(encode_krb5_ticket, ticket);
1115 MAKE_DECODER(decode_krb5_ticket, ticket);
1116 MAKE_ENCODER(encode_krb5_encryption_key, encryption_key);
1117 MAKE_DECODER(decode_krb5_encryption_key, encryption_key);
1118 MAKE_ENCODER(encode_krb5_enc_tkt_part, enc_tkt_part);
1119 MAKE_DECODER(decode_krb5_enc_tkt_part, enc_tkt_part);
1120
1121 krb5_error_code KRB5_CALLCONV
krb5_decode_ticket(const krb5_data * code,krb5_ticket ** repptr)1122 krb5_decode_ticket(const krb5_data *code, krb5_ticket **repptr)
1123 {
1124 return decode_krb5_ticket(code, repptr);
1125 }
1126
1127 /*
1128 * For backwards compatibility, we encode both EncASRepPart and EncTGSRepPart
1129 * with application tag 26. On decode, we accept either app tag and set the
1130 * msg_type field of the resulting structure. This could be simplified and
1131 * pushed up into libkrb5.
1132 */
1133 MAKE_ENCODER(encode_krb5_enc_kdc_rep_part, enc_tgs_rep_part);
1134 krb5_error_code
decode_krb5_enc_kdc_rep_part(const krb5_data * code,krb5_enc_kdc_rep_part ** rep_out)1135 decode_krb5_enc_kdc_rep_part(const krb5_data *code,
1136 krb5_enc_kdc_rep_part **rep_out)
1137 {
1138 krb5_error_code ret;
1139 krb5_enc_kdc_rep_part *rep;
1140 void *rep_ptr;
1141 krb5_msgtype msg_type = KRB5_TGS_REP;
1142
1143 *rep_out = NULL;
1144 ret = k5_asn1_full_decode(code, &k5_atype_enc_tgs_rep_part, &rep_ptr);
1145 if (ret == ASN1_BAD_ID) {
1146 msg_type = KRB5_AS_REP;
1147 ret = k5_asn1_full_decode(code, &k5_atype_enc_as_rep_part, &rep_ptr);
1148 }
1149 if (ret)
1150 return ret;
1151 rep = rep_ptr;
1152 rep->msg_type = msg_type;
1153 *rep_out = rep;
1154 return 0;
1155 }
1156
1157 MAKE_ENCODER(encode_krb5_as_rep, as_rep);
1158 MAKE_DECODER(decode_krb5_as_rep, as_rep);
1159 MAKE_ENCODER(encode_krb5_tgs_rep, tgs_rep);
1160 MAKE_DECODER(decode_krb5_tgs_rep, tgs_rep);
1161 MAKE_ENCODER(encode_krb5_ap_req, ap_req);
1162 MAKE_DECODER(decode_krb5_ap_req, ap_req);
1163 MAKE_ENCODER(encode_krb5_ap_rep, ap_rep);
1164 MAKE_DECODER(decode_krb5_ap_rep, ap_rep);
1165 MAKE_ENCODER(encode_krb5_ap_rep_enc_part, ap_rep_enc_part);
1166 MAKE_DECODER(decode_krb5_ap_rep_enc_part, ap_rep_enc_part);
1167 MAKE_ENCODER(encode_krb5_as_req, as_req_encode);
1168 MAKE_DECODER(decode_krb5_as_req, as_req);
1169 MAKE_ENCODER(encode_krb5_tgs_req, tgs_req_encode);
1170 MAKE_DECODER(decode_krb5_tgs_req, tgs_req);
1171 MAKE_ENCODER(encode_krb5_kdc_req_body, kdc_req_body);
1172 MAKE_DECODER(decode_krb5_kdc_req_body, kdc_req_body);
1173 MAKE_ENCODER(encode_krb5_safe, safe);
1174 MAKE_DECODER(decode_krb5_safe, safe);
1175
1176 /* encode_krb5_safe_with_body takes a saved KRB-SAFE-BODY encoding to avoid
1177 * mismatches from re-encoding if the sender isn't quite DER-compliant. */
1178 MAKE_ENCODER(encode_krb5_safe_with_body, safe_with_body);
1179
1180 /*
1181 * decode_krb5_safe_with_body fully decodes a KRB-SAFE, but also returns
1182 * the KRB-SAFE-BODY encoding. This interface was designed for an earlier
1183 * generation of decoder and should probably be re-thought.
1184 */
1185 krb5_error_code
decode_krb5_safe_with_body(const krb5_data * code,krb5_safe ** rep_out,krb5_data ** body_out)1186 decode_krb5_safe_with_body(const krb5_data *code, krb5_safe **rep_out,
1187 krb5_data **body_out)
1188 {
1189 krb5_error_code ret;
1190 void *swb_ptr, *safe_ptr;
1191 struct krb5_safe_with_body *swb;
1192 krb5_safe *safe;
1193
1194 ret = k5_asn1_full_decode(code, &k5_atype_safe_with_body, &swb_ptr);
1195 if (ret)
1196 return ret;
1197 swb = swb_ptr;
1198 ret = k5_asn1_full_decode(swb->body, &k5_atype_safe_body, &safe_ptr);
1199 if (ret) {
1200 krb5_free_safe(NULL, swb->safe);
1201 krb5_free_data(NULL, swb->body);
1202 free(swb);
1203 return ret;
1204 }
1205 safe = safe_ptr;
1206 safe->checksum = swb->safe->checksum;
1207 free(swb->safe);
1208 *rep_out = safe;
1209 *body_out = swb->body;
1210 free(swb);
1211 return 0;
1212 }
1213
1214 MAKE_ENCODER(encode_krb5_priv, priv);
1215 MAKE_DECODER(decode_krb5_priv, priv);
1216 MAKE_ENCODER(encode_krb5_enc_priv_part, priv_enc_part);
1217 MAKE_DECODER(decode_krb5_enc_priv_part, priv_enc_part);
1218 MAKE_ENCODER(encode_krb5_checksum, checksum);
1219 MAKE_DECODER(decode_krb5_checksum, checksum);
1220
1221 MAKE_ENCODER(encode_krb5_cred, krb5_cred);
1222 MAKE_DECODER(decode_krb5_cred, krb5_cred);
1223 MAKE_ENCODER(encode_krb5_enc_cred_part, enc_cred_part);
1224 MAKE_DECODER(decode_krb5_enc_cred_part, enc_cred_part);
1225 MAKE_ENCODER(encode_krb5_error, krb5_error);
1226 MAKE_DECODER(decode_krb5_error, krb5_error);
1227 MAKE_ENCODER(encode_krb5_authdata, auth_data);
1228 MAKE_DECODER(decode_krb5_authdata, auth_data);
1229 MAKE_ENCODER(encode_krb5_etype_info, etype_info);
1230 MAKE_DECODER(decode_krb5_etype_info, etype_info);
1231 MAKE_ENCODER(encode_krb5_etype_info2, etype_info2);
1232 MAKE_DECODER(decode_krb5_etype_info2, etype_info2);
1233 MAKE_ENCODER(encode_krb5_enc_data, encrypted_data);
1234 MAKE_DECODER(decode_krb5_enc_data, encrypted_data);
1235 MAKE_ENCODER(encode_krb5_pa_enc_ts, pa_enc_ts);
1236 MAKE_DECODER(decode_krb5_pa_enc_ts, pa_enc_ts);
1237 MAKE_ENCODER(encode_krb5_padata_sequence, seqof_pa_data);
1238 MAKE_DECODER(decode_krb5_padata_sequence, seqof_pa_data);
1239 /* sam preauth additions */
1240 MAKE_ENCODER(encode_krb5_sam_challenge_2, sam_challenge_2);
1241 MAKE_DECODER(decode_krb5_sam_challenge_2, sam_challenge_2);
1242 MAKE_ENCODER(encode_krb5_sam_challenge_2_body, sam_challenge_2_body);
1243 MAKE_DECODER(decode_krb5_sam_challenge_2_body, sam_challenge_2_body);
1244 MAKE_ENCODER(encode_krb5_enc_sam_response_enc_2, enc_sam_response_enc_2);
1245 MAKE_DECODER(decode_krb5_enc_sam_response_enc_2, enc_sam_response_enc_2);
1246 MAKE_ENCODER(encode_krb5_sam_response_2, sam_response_2);
1247 MAKE_DECODER(decode_krb5_sam_response_2, sam_response_2);
1248
1249 /* setpw_req has an odd decoder interface which should probably be
1250 * normalized. */
1251 MAKE_ENCODER(encode_krb5_setpw_req, setpw_req);
1252 krb5_error_code
decode_krb5_setpw_req(const krb5_data * code,krb5_data ** password_out,krb5_principal * target_out)1253 decode_krb5_setpw_req(const krb5_data *code, krb5_data **password_out,
1254 krb5_principal *target_out)
1255 {
1256 krb5_error_code ret;
1257 void *req_ptr;
1258 struct krb5_setpw_req *req;
1259 krb5_data *data;
1260
1261 *password_out = NULL;
1262 *target_out = NULL;
1263 data = malloc(sizeof(*data));
1264 if (data == NULL)
1265 return ENOMEM;
1266 ret = k5_asn1_full_decode(code, &k5_atype_setpw_req, &req_ptr);
1267 if (ret) {
1268 free(data);
1269 return ret;
1270 }
1271 req = req_ptr;
1272 *data = req->password;
1273 *password_out = data;
1274 *target_out = req->target;
1275 return 0;
1276 }
1277
1278 MAKE_ENCODER(encode_krb5_pa_for_user, pa_for_user);
1279 MAKE_DECODER(decode_krb5_pa_for_user, pa_for_user);
1280 MAKE_ENCODER(encode_krb5_s4u_userid, s4u_userid);
1281 MAKE_ENCODER(encode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
1282 MAKE_DECODER(decode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
1283 MAKE_ENCODER(encode_krb5_pa_pac_req, pa_pac_req);
1284 MAKE_DECODER(decode_krb5_pa_pac_req, pa_pac_req);
1285 MAKE_ENCODER(encode_krb5_etype_list, etype_list);
1286 MAKE_DECODER(decode_krb5_etype_list, etype_list);
1287
1288 MAKE_ENCODER(encode_krb5_pa_fx_fast_request, pa_fx_fast_request);
1289 MAKE_DECODER(decode_krb5_pa_fx_fast_request, pa_fx_fast_request);
1290 MAKE_ENCODER(encode_krb5_fast_req, fast_req);
1291 MAKE_DECODER(decode_krb5_fast_req, fast_req);
1292 MAKE_ENCODER(encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply);
1293 MAKE_DECODER(decode_krb5_pa_fx_fast_reply, pa_fx_fast_reply);
1294 MAKE_ENCODER(encode_krb5_fast_response, fast_response);
1295 MAKE_DECODER(decode_krb5_fast_response, fast_response);
1296
1297 MAKE_ENCODER(encode_krb5_ad_kdcissued, ad_kdc_issued);
1298 MAKE_DECODER(decode_krb5_ad_kdcissued, ad_kdc_issued);
1299 MAKE_ENCODER(encode_krb5_iakerb_header, iakerb_header);
1300 MAKE_DECODER(decode_krb5_iakerb_header, iakerb_header);
1301 MAKE_ENCODER(encode_krb5_iakerb_finished, iakerb_finished);
1302 MAKE_DECODER(decode_krb5_iakerb_finished, iakerb_finished);
1303
1304 krb5_error_code KRB5_CALLCONV
krb5int_get_authdata_containee_types(krb5_context context,const krb5_authdata * authdata,unsigned int * num_out,krb5_authdatatype ** types_out)1305 krb5int_get_authdata_containee_types(krb5_context context,
1306 const krb5_authdata *authdata,
1307 unsigned int *num_out,
1308 krb5_authdatatype **types_out)
1309 {
1310 krb5_error_code ret;
1311 struct authdata_types *atypes;
1312 void *atypes_ptr;
1313 krb5_data d = make_data(authdata->contents, authdata->length);
1314
1315 ret = k5_asn1_full_decode(&d, &k5_atype_authdata_types, &atypes_ptr);
1316 if (ret)
1317 return ret;
1318 atypes = atypes_ptr;
1319 *num_out = atypes->ntypes;
1320 *types_out = atypes->types;
1321 free(atypes);
1322 return 0;
1323 }
1324
1325 /* RFC 3280. No context tags. */
1326 DEFOFFSETTYPE(algid_0, krb5_algorithm_identifier, algorithm, oid_data);
1327 DEFOFFSETTYPE(algid_1, krb5_algorithm_identifier, parameters, opt_der_data);
1328 static const struct atype_info *algorithm_identifier_fields[] = {
1329 &k5_atype_algid_0, &k5_atype_algid_1
1330 };
1331 DEFSEQTYPE(algorithm_identifier, krb5_algorithm_identifier,
1332 algorithm_identifier_fields);
1333 DEFPTRTYPE(ptr_algorithm_identifier, algorithm_identifier);
1334 DEFOPTIONALZEROTYPE(opt_ptr_algorithm_identifier, ptr_algorithm_identifier);
1335 DEFNULLTERMSEQOFTYPE(seqof_algorithm_identifier, ptr_algorithm_identifier);
1336 DEFPTRTYPE(ptr_seqof_algorithm_identifier, seqof_algorithm_identifier);
1337 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_algorithm_identifier,
1338 ptr_seqof_algorithm_identifier);
1339
1340 /*
1341 * PKINIT
1342 */
1343
1344 #ifndef DISABLE_PKINIT
1345
1346 DEFCTAGGEDTYPE(kdf_alg_id_0, 0, oid_data);
1347 static const struct atype_info *kdf_alg_id_fields[] = {
1348 &k5_atype_kdf_alg_id_0
1349 };
1350 DEFSEQTYPE(kdf_alg_id, krb5_data, kdf_alg_id_fields);
1351 DEFPTRTYPE(ptr_kdf_alg_id, kdf_alg_id);
1352 DEFNONEMPTYNULLTERMSEQOFTYPE(supported_kdfs, ptr_kdf_alg_id);
1353 DEFPTRTYPE(ptr_supported_kdfs, supported_kdfs);
1354 DEFOPTIONALZEROTYPE(opt_ptr_kdf_alg_id, ptr_kdf_alg_id);
1355 DEFOPTIONALZEROTYPE(opt_ptr_supported_kdfs, ptr_supported_kdfs);
1356
1357 /* KRB5PrincipalName from RFC 4556 (*not* PrincipalName from RFC 4120) */
1358 DEFCTAGGEDTYPE(pkinit_princ_0, 0, realm_of_principal_data);
1359 DEFCTAGGEDTYPE(pkinit_princ_1, 1, principal_data);
1360 static const struct atype_info *pkinit_krb5_principal_name_fields[] = {
1361 &k5_atype_pkinit_princ_0, &k5_atype_pkinit_princ_1
1362 };
1363 DEFSEQTYPE(pkinit_krb5_principal_name_data, krb5_principal_data,
1364 pkinit_krb5_principal_name_fields);
1365 DEFPTRTYPE(pkinit_krb5_principal_name, pkinit_krb5_principal_name_data);
1366
1367 /* SP80056A OtherInfo, for pkinit agility. No context tag on first field. */
1368 DEFTAGGEDTYPE(pkinit_krb5_principal_name_wrapped, UNIVERSAL, PRIMITIVE,
1369 ASN1_OCTETSTRING, 0, pkinit_krb5_principal_name);
1370 DEFOFFSETTYPE(oinfo_notag, krb5_sp80056a_other_info, algorithm_identifier,
1371 algorithm_identifier);
1372 DEFFIELD(oinfo_0, krb5_sp80056a_other_info, party_u_info, 0,
1373 pkinit_krb5_principal_name_wrapped);
1374 DEFFIELD(oinfo_1, krb5_sp80056a_other_info, party_v_info, 1,
1375 pkinit_krb5_principal_name_wrapped);
1376 DEFFIELD(oinfo_2, krb5_sp80056a_other_info, supp_pub_info, 2, ostring_data);
1377 static const struct atype_info *sp80056a_other_info_fields[] = {
1378 &k5_atype_oinfo_notag, &k5_atype_oinfo_0, &k5_atype_oinfo_1,
1379 &k5_atype_oinfo_2
1380 };
1381 DEFSEQTYPE(sp80056a_other_info, krb5_sp80056a_other_info,
1382 sp80056a_other_info_fields);
1383
1384 /* For PkinitSuppPubInfo, for pkinit agility */
1385 DEFFIELD(supp_pub_0, krb5_pkinit_supp_pub_info, enctype, 0, int32);
1386 DEFFIELD(supp_pub_1, krb5_pkinit_supp_pub_info, as_req, 1, ostring_data);
1387 DEFFIELD(supp_pub_2, krb5_pkinit_supp_pub_info, pk_as_rep, 2, ostring_data);
1388 static const struct atype_info *pkinit_supp_pub_info_fields[] = {
1389 &k5_atype_supp_pub_0, &k5_atype_supp_pub_1, &k5_atype_supp_pub_2
1390 };
1391 DEFSEQTYPE(pkinit_supp_pub_info, krb5_pkinit_supp_pub_info,
1392 pkinit_supp_pub_info_fields);
1393
1394 MAKE_ENCODER(encode_krb5_pkinit_supp_pub_info, pkinit_supp_pub_info);
1395 MAKE_ENCODER(encode_krb5_sp80056a_other_info, sp80056a_other_info);
1396
1397 /* A krb5_checksum encoded as an OCTET STRING, for PKAuthenticator. */
1398 DEFCOUNTEDTYPE(ostring_checksum, krb5_checksum, contents, length, octetstring);
1399
1400 DEFFIELD(pk_authenticator_0, krb5_pk_authenticator, cusec, 0, int32);
1401 DEFFIELD(pk_authenticator_1, krb5_pk_authenticator, ctime, 1, kerberos_time);
1402 DEFFIELD(pk_authenticator_2, krb5_pk_authenticator, nonce, 2, int32);
1403 DEFFIELD(pk_authenticator_3, krb5_pk_authenticator, paChecksum, 3,
1404 ostring_checksum);
1405 DEFFIELD(pk_authenticator_4, krb5_pk_authenticator, freshnessToken, 4,
1406 opt_ostring_data_ptr);
1407 static const struct atype_info *pk_authenticator_fields[] = {
1408 &k5_atype_pk_authenticator_0, &k5_atype_pk_authenticator_1,
1409 &k5_atype_pk_authenticator_2, &k5_atype_pk_authenticator_3,
1410 &k5_atype_pk_authenticator_4
1411 };
1412 DEFSEQTYPE(pk_authenticator, krb5_pk_authenticator, pk_authenticator_fields);
1413
1414 DEFCOUNTEDSTRINGTYPE(s_bitstring, char *, unsigned int,
1415 k5_asn1_encode_bitstring, k5_asn1_decode_bitstring,
1416 ASN1_BITSTRING);
1417 DEFCOUNTEDTYPE(bitstring_data, krb5_data, data, length, s_bitstring);
1418
1419 DEFFIELD(auth_pack_0, krb5_auth_pack, pkAuthenticator, 0, pk_authenticator);
1420 DEFFIELD(auth_pack_1, krb5_auth_pack, clientPublicValue, 1, opt_der_data);
1421 DEFFIELD(auth_pack_2, krb5_auth_pack, supportedCMSTypes, 2,
1422 opt_ptr_seqof_algorithm_identifier);
1423 DEFFIELD(auth_pack_3, krb5_auth_pack, clientDHNonce, 3, opt_ostring_data);
1424 DEFFIELD(auth_pack_4, krb5_auth_pack, supportedKDFs, 4,
1425 opt_ptr_supported_kdfs);
1426 static const struct atype_info *auth_pack_fields[] = {
1427 &k5_atype_auth_pack_0, &k5_atype_auth_pack_1, &k5_atype_auth_pack_2,
1428 &k5_atype_auth_pack_3, &k5_atype_auth_pack_4
1429 };
1430 DEFSEQTYPE(auth_pack, krb5_auth_pack, auth_pack_fields);
1431
1432 DEFFIELD_IMPLICIT(extprinc_0, krb5_external_principal_identifier,
1433 subjectName, 0, opt_ostring_data);
1434 DEFFIELD_IMPLICIT(extprinc_1, krb5_external_principal_identifier,
1435 issuerAndSerialNumber, 1, opt_ostring_data);
1436 DEFFIELD_IMPLICIT(extprinc_2, krb5_external_principal_identifier,
1437 subjectKeyIdentifier, 2, opt_ostring_data);
1438 static const struct atype_info *external_principal_identifier_fields[] = {
1439 &k5_atype_extprinc_0, &k5_atype_extprinc_1, &k5_atype_extprinc_2
1440 };
1441 DEFSEQTYPE(external_principal_identifier, krb5_external_principal_identifier,
1442 external_principal_identifier_fields);
1443 DEFPTRTYPE(external_principal_identifier_ptr, external_principal_identifier);
1444
1445 DEFNULLTERMSEQOFTYPE(seqof_external_principal_identifier,
1446 external_principal_identifier_ptr);
1447 DEFPTRTYPE(ptr_seqof_external_principal_identifier,
1448 seqof_external_principal_identifier);
1449 DEFOPTIONALZEROTYPE(opt_ptr_seqof_external_principal_identifier,
1450 ptr_seqof_external_principal_identifier);
1451
1452 DEFFIELD_IMPLICIT(pa_pk_as_req_0, krb5_pa_pk_as_req, signedAuthPack, 0,
1453 ostring_data);
1454 DEFFIELD(pa_pk_as_req_1, krb5_pa_pk_as_req, trustedCertifiers, 1,
1455 opt_ptr_seqof_external_principal_identifier);
1456 DEFFIELD_IMPLICIT(pa_pk_as_req_2, krb5_pa_pk_as_req, kdcPkId, 2,
1457 opt_ostring_data);
1458 static const struct atype_info *pa_pk_as_req_fields[] = {
1459 &k5_atype_pa_pk_as_req_0, &k5_atype_pa_pk_as_req_1,
1460 &k5_atype_pa_pk_as_req_2
1461 };
1462 DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields);
1463
1464 DEFFIELD_IMPLICIT(dh_rep_info_0, krb5_dh_rep_info, dhSignedData, 0,
1465 ostring_data);
1466 DEFFIELD(dh_rep_info_1, krb5_dh_rep_info, serverDHNonce, 1, opt_ostring_data);
1467 DEFFIELD(dh_rep_info_2, krb5_dh_rep_info, kdfID, 2, opt_ptr_kdf_alg_id);
1468 static const struct atype_info *dh_rep_info_fields[] = {
1469 &k5_atype_dh_rep_info_0, &k5_atype_dh_rep_info_1, &k5_atype_dh_rep_info_2
1470 };
1471 DEFSEQTYPE(dh_rep_info, krb5_dh_rep_info, dh_rep_info_fields);
1472
1473 DEFFIELD(dh_key_0, krb5_kdc_dh_key_info, subjectPublicKey, 0, bitstring_data);
1474 DEFFIELD(dh_key_1, krb5_kdc_dh_key_info, nonce, 1, int32);
1475 DEFFIELD(dh_key_2, krb5_kdc_dh_key_info, dhKeyExpiration, 2,
1476 opt_kerberos_time);
1477 static const struct atype_info *kdc_dh_key_info_fields[] = {
1478 &k5_atype_dh_key_0, &k5_atype_dh_key_1, &k5_atype_dh_key_2
1479 };
1480 DEFSEQTYPE(kdc_dh_key_info, krb5_kdc_dh_key_info, kdc_dh_key_info_fields);
1481
1482 DEFFIELD(reply_key_pack_0, krb5_reply_key_pack, replyKey, 0, encryption_key);
1483 DEFFIELD(reply_key_pack_1, krb5_reply_key_pack, asChecksum, 1, checksum);
1484 static const struct atype_info *reply_key_pack_fields[] = {
1485 &k5_atype_reply_key_pack_0, &k5_atype_reply_key_pack_1
1486 };
1487 DEFSEQTYPE(reply_key_pack, krb5_reply_key_pack, reply_key_pack_fields);
1488
1489 DEFCTAGGEDTYPE(pa_pk_as_rep_0, 0, dh_rep_info);
1490 DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep_1, 1, ostring_data);
1491 static const struct atype_info *pa_pk_as_rep_alternatives[] = {
1492 &k5_atype_pa_pk_as_rep_0, &k5_atype_pa_pk_as_rep_1
1493 };
1494 DEFCHOICETYPE(pa_pk_as_rep_choice, union krb5_pa_pk_as_rep_choices,
1495 enum krb5_pa_pk_as_rep_selection, pa_pk_as_rep_alternatives);
1496 DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep, krb5_pa_pk_as_rep, u, choice,
1497 pa_pk_as_rep_choice);
1498
1499 MAKE_ENCODER(encode_krb5_pa_pk_as_req, pa_pk_as_req);
1500 MAKE_DECODER(decode_krb5_pa_pk_as_req, pa_pk_as_req);
1501 MAKE_ENCODER(encode_krb5_pa_pk_as_rep, pa_pk_as_rep);
1502 MAKE_DECODER(decode_krb5_pa_pk_as_rep, pa_pk_as_rep);
1503 MAKE_ENCODER(encode_krb5_auth_pack, auth_pack);
1504 MAKE_DECODER(decode_krb5_auth_pack, auth_pack);
1505 MAKE_ENCODER(encode_krb5_kdc_dh_key_info, kdc_dh_key_info);
1506 MAKE_DECODER(decode_krb5_kdc_dh_key_info, kdc_dh_key_info);
1507 MAKE_ENCODER(encode_krb5_reply_key_pack, reply_key_pack);
1508 MAKE_DECODER(decode_krb5_reply_key_pack, reply_key_pack);
1509 MAKE_ENCODER(encode_krb5_td_trusted_certifiers,
1510 seqof_external_principal_identifier);
1511 MAKE_DECODER(decode_krb5_td_trusted_certifiers,
1512 seqof_external_principal_identifier);
1513 MAKE_ENCODER(encode_krb5_td_dh_parameters, seqof_algorithm_identifier);
1514 MAKE_DECODER(decode_krb5_td_dh_parameters, seqof_algorithm_identifier);
1515 MAKE_DECODER(decode_krb5_principal_name, pkinit_krb5_principal_name_data);
1516
1517 #else /* DISABLE_PKINIT */
1518
1519 /* Stubs for exported pkinit encoder functions. */
1520
1521 krb5_error_code
encode_krb5_sp80056a_other_info(const krb5_sp80056a_other_info * rep,krb5_data ** code)1522 encode_krb5_sp80056a_other_info(const krb5_sp80056a_other_info *rep,
1523 krb5_data **code)
1524 {
1525 return EINVAL;
1526 }
1527
1528 krb5_error_code
encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info * rep,krb5_data ** code)1529 encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *rep,
1530 krb5_data **code)
1531 {
1532 return EINVAL;
1533 }
1534
1535 #endif /* not DISABLE_PKINIT */
1536
1537 DEFFIELD(typed_data_0, krb5_pa_data, pa_type, 0, int32);
1538 DEFCNFIELD(typed_data_1, krb5_pa_data, contents, length, 1, octetstring);
1539 static const struct atype_info *typed_data_fields[] = {
1540 &k5_atype_typed_data_0, &k5_atype_typed_data_1
1541 };
1542 DEFSEQTYPE(typed_data, krb5_pa_data, typed_data_fields);
1543 DEFPTRTYPE(typed_data_ptr, typed_data);
1544
1545 DEFNULLTERMSEQOFTYPE(seqof_typed_data, typed_data_ptr);
1546 MAKE_ENCODER(encode_krb5_typed_data, seqof_typed_data);
1547 MAKE_DECODER(decode_krb5_typed_data, seqof_typed_data);
1548
1549 /* Definitions for OTP preauth (RFC 6560) */
1550
1551 DEFFIELD_IMPLICIT(tokinfo_0, krb5_otp_tokeninfo, flags, 0, krb5_flags);
1552 DEFFIELD_IMPLICIT(tokinfo_1, krb5_otp_tokeninfo, vendor, 1, opt_utf8_data);
1553 DEFFIELD_IMPLICIT(tokinfo_2, krb5_otp_tokeninfo, challenge, 2,
1554 opt_ostring_data);
1555 DEFFIELD_IMPLICIT(tokinfo_3, krb5_otp_tokeninfo, length, 3, opt_int32_minus1);
1556 DEFFIELD_IMPLICIT(tokinfo_4, krb5_otp_tokeninfo, format, 4, opt_int32_minus1);
1557 DEFFIELD_IMPLICIT(tokinfo_5, krb5_otp_tokeninfo, token_id, 5,
1558 opt_ostring_data);
1559 DEFFIELD_IMPLICIT(tokinfo_6, krb5_otp_tokeninfo, alg_id, 6, opt_utf8_data);
1560 DEFFIELD_IMPLICIT(tokinfo_7, krb5_otp_tokeninfo, supported_hash_alg, 7,
1561 opt_ptr_seqof_algorithm_identifier);
1562 DEFFIELD_IMPLICIT(tokinfo_8, krb5_otp_tokeninfo, iteration_count, 8,
1563 opt_int32_minus1);
1564 static const struct atype_info *otp_tokeninfo_fields[] = {
1565 &k5_atype_tokinfo_0, &k5_atype_tokinfo_1, &k5_atype_tokinfo_2,
1566 &k5_atype_tokinfo_3, &k5_atype_tokinfo_4, &k5_atype_tokinfo_5,
1567 &k5_atype_tokinfo_6, &k5_atype_tokinfo_7, &k5_atype_tokinfo_8
1568 };
1569 DEFSEQTYPE(otp_tokeninfo, krb5_otp_tokeninfo, otp_tokeninfo_fields);
1570 MAKE_ENCODER(encode_krb5_otp_tokeninfo, otp_tokeninfo);
1571 MAKE_DECODER(decode_krb5_otp_tokeninfo, otp_tokeninfo);
1572
1573 DEFPTRTYPE(otp_tokeninfo_ptr, otp_tokeninfo);
1574 DEFNONEMPTYNULLTERMSEQOFTYPE(seqof_otp_tokeninfo, otp_tokeninfo_ptr);
1575 DEFPTRTYPE(ptr_seqof_otp_tokeninfo, seqof_otp_tokeninfo);
1576
1577 DEFFIELD_IMPLICIT(otp_ch_0, krb5_pa_otp_challenge, nonce, 0, ostring_data);
1578 DEFFIELD_IMPLICIT(otp_ch_1, krb5_pa_otp_challenge, service, 1, opt_utf8_data);
1579 DEFFIELD_IMPLICIT(otp_ch_2, krb5_pa_otp_challenge, tokeninfo, 2,
1580 ptr_seqof_otp_tokeninfo);
1581 DEFFIELD_IMPLICIT(otp_ch_3, krb5_pa_otp_challenge, salt, 3, opt_gstring_data);
1582 DEFFIELD_IMPLICIT(otp_ch_4, krb5_pa_otp_challenge, s2kparams, 4,
1583 opt_ostring_data);
1584 static const struct atype_info *pa_otp_challenge_fields[] = {
1585 &k5_atype_otp_ch_0, &k5_atype_otp_ch_1, &k5_atype_otp_ch_2,
1586 &k5_atype_otp_ch_3, &k5_atype_otp_ch_4
1587 };
1588 DEFSEQTYPE(pa_otp_challenge, krb5_pa_otp_challenge, pa_otp_challenge_fields);
1589 MAKE_ENCODER(encode_krb5_pa_otp_challenge, pa_otp_challenge);
1590 MAKE_DECODER(decode_krb5_pa_otp_challenge, pa_otp_challenge);
1591
1592 DEFFIELD_IMPLICIT(otp_req_0, krb5_pa_otp_req, flags, 0, krb5_flags);
1593 DEFFIELD_IMPLICIT(otp_req_1, krb5_pa_otp_req, nonce, 1, opt_ostring_data);
1594 DEFFIELD_IMPLICIT(otp_req_2, krb5_pa_otp_req, enc_data, 2, encrypted_data);
1595 DEFFIELD_IMPLICIT(otp_req_3, krb5_pa_otp_req, hash_alg, 3,
1596 opt_ptr_algorithm_identifier);
1597 DEFFIELD_IMPLICIT(otp_req_4, krb5_pa_otp_req, iteration_count, 4,
1598 opt_int32_minus1);
1599 DEFFIELD_IMPLICIT(otp_req_5, krb5_pa_otp_req, otp_value, 5, opt_ostring_data);
1600 DEFFIELD_IMPLICIT(otp_req_6, krb5_pa_otp_req, pin, 6, opt_utf8_data);
1601 DEFFIELD_IMPLICIT(otp_req_7, krb5_pa_otp_req, challenge, 7, opt_ostring_data);
1602 DEFFIELD_IMPLICIT(otp_req_8, krb5_pa_otp_req, time, 8, opt_kerberos_time);
1603 DEFFIELD_IMPLICIT(otp_req_9, krb5_pa_otp_req, counter, 9, opt_ostring_data);
1604 DEFFIELD_IMPLICIT(otp_req_10, krb5_pa_otp_req, format, 10, opt_int32_minus1);
1605 DEFFIELD_IMPLICIT(otp_req_11, krb5_pa_otp_req, token_id, 11, opt_ostring_data);
1606 DEFFIELD_IMPLICIT(otp_req_12, krb5_pa_otp_req, alg_id, 12, opt_utf8_data);
1607 DEFFIELD_IMPLICIT(otp_req_13, krb5_pa_otp_req, vendor, 13, opt_utf8_data);
1608 static const struct atype_info *pa_otp_req_fields[] = {
1609 &k5_atype_otp_req_0, &k5_atype_otp_req_1, &k5_atype_otp_req_2,
1610 &k5_atype_otp_req_3, &k5_atype_otp_req_4, &k5_atype_otp_req_5,
1611 &k5_atype_otp_req_6, &k5_atype_otp_req_7, &k5_atype_otp_req_8,
1612 &k5_atype_otp_req_9, &k5_atype_otp_req_10, &k5_atype_otp_req_11,
1613 &k5_atype_otp_req_12, &k5_atype_otp_req_13
1614 };
1615 DEFSEQTYPE(pa_otp_req, krb5_pa_otp_req, pa_otp_req_fields);
1616 MAKE_ENCODER(encode_krb5_pa_otp_req, pa_otp_req);
1617 MAKE_DECODER(decode_krb5_pa_otp_req, pa_otp_req);
1618
1619 DEFCTAGGEDTYPE_IMPLICIT(pa_otp_enc_req_0, 0, ostring_data);
1620 static const struct atype_info *pa_otp_enc_req_fields[] = {
1621 &k5_atype_pa_otp_enc_req_0
1622 };
1623 DEFSEQTYPE(pa_otp_enc_req, krb5_data, pa_otp_enc_req_fields);
1624 MAKE_ENCODER(encode_krb5_pa_otp_enc_req, pa_otp_enc_req);
1625 MAKE_DECODER(decode_krb5_pa_otp_enc_req, pa_otp_enc_req);
1626
1627 DEFFIELD(kkdcp_message_0, krb5_kkdcp_message,
1628 kerb_message, 0, ostring_data);
1629 DEFFIELD(kkdcp_message_1, krb5_kkdcp_message,
1630 target_domain, 1, opt_gstring_data);
1631 DEFFIELD(kkdcp_message_2, krb5_kkdcp_message,
1632 dclocator_hint, 2, opt_int32);
1633 static const struct atype_info *kkdcp_message_fields[] = {
1634 &k5_atype_kkdcp_message_0, &k5_atype_kkdcp_message_1,
1635 &k5_atype_kkdcp_message_2
1636 };
1637 DEFSEQTYPE(kkdcp_message, krb5_kkdcp_message,
1638 kkdcp_message_fields);
1639 MAKE_ENCODER(encode_krb5_kkdcp_message, kkdcp_message);
1640 MAKE_DECODER(decode_krb5_kkdcp_message, kkdcp_message);
1641
1642 DEFFIELD(vmac_0, krb5_verifier_mac, princ, 0, opt_principal);
1643 DEFFIELD(vmac_1, krb5_verifier_mac, kvno, 1, opt_kvno);
1644 DEFFIELD(vmac_2, krb5_verifier_mac, enctype, 2, opt_int32);
1645 DEFFIELD(vmac_3, krb5_verifier_mac, checksum, 3, checksum);
1646 static const struct atype_info *vmac_fields[] = {
1647 &k5_atype_vmac_0, &k5_atype_vmac_1, &k5_atype_vmac_2, &k5_atype_vmac_3
1648 };
1649 DEFSEQTYPE(vmac, krb5_verifier_mac, vmac_fields);
1650 DEFPTRTYPE(vmac_ptr, vmac);
1651 DEFOPTIONALZEROTYPE(opt_vmac_ptr, vmac_ptr);
1652 DEFNONEMPTYNULLTERMSEQOFTYPE(vmacs, vmac_ptr);
1653 DEFPTRTYPE(vmacs_ptr, vmacs);
1654 DEFOPTIONALEMPTYTYPE(opt_vmacs_ptr, vmacs_ptr);
1655
1656 DEFFIELD(cammac_0, krb5_cammac, elements, 0, auth_data_ptr);
1657 DEFFIELD(cammac_1, krb5_cammac, kdc_verifier, 1, opt_vmac_ptr);
1658 DEFFIELD(cammac_2, krb5_cammac, svc_verifier, 2, opt_vmac_ptr);
1659 DEFFIELD(cammac_3, krb5_cammac, other_verifiers, 3, opt_vmacs_ptr);
1660 static const struct atype_info *cammac_fields[] = {
1661 &k5_atype_cammac_0, &k5_atype_cammac_1, &k5_atype_cammac_2,
1662 &k5_atype_cammac_3
1663 };
1664 DEFSEQTYPE(cammac, krb5_cammac, cammac_fields);
1665
1666 MAKE_ENCODER(encode_krb5_cammac, cammac);
1667 MAKE_DECODER(decode_krb5_cammac, cammac);
1668
1669 MAKE_ENCODER(encode_utf8_strings, seqof_utf8_data);
1670 MAKE_DECODER(decode_utf8_strings, seqof_utf8_data);
1671
1672 /*
1673 * SecureCookie ::= SEQUENCE {
1674 * time INTEGER,
1675 * data SEQUENCE OF PA-DATA,
1676 * ...
1677 * }
1678 */
1679 DEFINTTYPE(inttime, time_t);
1680 DEFOFFSETTYPE(secure_cookie_0, krb5_secure_cookie, time, inttime);
1681 DEFOFFSETTYPE(secure_cookie_1, krb5_secure_cookie, data, ptr_seqof_pa_data);
1682 static const struct atype_info *secure_cookie_fields[] = {
1683 &k5_atype_secure_cookie_0, &k5_atype_secure_cookie_1
1684 };
1685 DEFSEQTYPE(secure_cookie, krb5_secure_cookie, secure_cookie_fields);
1686 MAKE_ENCODER(encode_krb5_secure_cookie, secure_cookie);
1687 MAKE_DECODER(decode_krb5_secure_cookie, secure_cookie);
1688
1689 /*
1690 * -- based on MS-KILE and MS-SFU
1691 * PAC-OPTIONS-FLAGS ::= BIT STRING {
1692 * claims(0),
1693 * branch-aware(1),
1694 * forward-to-full-dc(2),
1695 * resource-based-constrained-delegation(3)
1696 * }
1697 *
1698 * PA-PAC-OPTIONS ::= SEQUENCE {
1699 * flags [0] PAC-OPTIONS-FLAGS
1700 * }
1701 */
1702 DEFFIELD(pa_pac_options_0, krb5_pa_pac_options, options, 0, krb5_flags);
1703 static const struct atype_info *pa_pac_options_fields[] = {
1704 &k5_atype_pa_pac_options_0
1705 };
1706 DEFSEQTYPE(pa_pac_options, krb5_pa_pac_options, pa_pac_options_fields);
1707 MAKE_ENCODER(encode_krb5_pa_pac_options, pa_pac_options);
1708 MAKE_DECODER(decode_krb5_pa_pac_options, pa_pac_options);
1709
1710
1711 DEFFIELD(spake_factor_0, krb5_spake_factor, type, 0, int32);
1712 DEFFIELD(spake_factor_1, krb5_spake_factor, data, 1, opt_ostring_data_ptr);
1713 static const struct atype_info *spake_factor_fields[] = {
1714 &k5_atype_spake_factor_0, &k5_atype_spake_factor_1
1715 };
1716 DEFSEQTYPE(spake_factor, krb5_spake_factor, spake_factor_fields);
1717 DEFPTRTYPE(spake_factor_ptr, spake_factor);
1718 DEFNULLTERMSEQOFTYPE(seqof_spake_factor, spake_factor_ptr);
1719 DEFPTRTYPE(ptr_seqof_spake_factor, seqof_spake_factor);
1720 MAKE_ENCODER(encode_krb5_spake_factor, spake_factor);
1721 MAKE_DECODER(decode_krb5_spake_factor, spake_factor);
1722
1723 DEFCNFIELD(spake_support_0, krb5_spake_support, groups, ngroups, 0,
1724 cseqof_int32);
1725 static const struct atype_info *spake_support_fields[] = {
1726 &k5_atype_spake_support_0
1727 };
1728 DEFSEQTYPE(spake_support, krb5_spake_support, spake_support_fields);
1729
1730 DEFFIELD(spake_challenge_0, krb5_spake_challenge, group, 0, int32);
1731 DEFFIELD(spake_challenge_1, krb5_spake_challenge, pubkey, 1, ostring_data);
1732 DEFFIELD(spake_challenge_2, krb5_spake_challenge, factors, 2,
1733 ptr_seqof_spake_factor);
1734 static const struct atype_info *spake_challenge_fields[] = {
1735 &k5_atype_spake_challenge_0, &k5_atype_spake_challenge_1,
1736 &k5_atype_spake_challenge_2
1737 };
1738 DEFSEQTYPE(spake_challenge, krb5_spake_challenge, spake_challenge_fields);
1739
1740 DEFFIELD(spake_response_0, krb5_spake_response, pubkey, 0, ostring_data);
1741 DEFFIELD(spake_response_1, krb5_spake_response, factor, 1, encrypted_data);
1742 static const struct atype_info *spake_response_fields[] = {
1743 &k5_atype_spake_response_0, &k5_atype_spake_response_1,
1744 };
1745 DEFSEQTYPE(spake_response, krb5_spake_response, spake_response_fields);
1746
1747 DEFCTAGGEDTYPE(pa_spake_0, 0, spake_support);
1748 DEFCTAGGEDTYPE(pa_spake_1, 1, spake_challenge);
1749 DEFCTAGGEDTYPE(pa_spake_2, 2, spake_response);
1750 DEFCTAGGEDTYPE(pa_spake_3, 3, encrypted_data);
1751 static const struct atype_info *pa_spake_alternatives[] = {
1752 &k5_atype_pa_spake_0, &k5_atype_pa_spake_1, &k5_atype_pa_spake_2,
1753 &k5_atype_pa_spake_3
1754 };
1755 DEFCHOICETYPE(pa_spake_choice, union krb5_spake_message_choices,
1756 enum krb5_spake_msgtype, pa_spake_alternatives);
1757 DEFCOUNTEDTYPE_SIGNED(pa_spake, krb5_pa_spake, u, choice, pa_spake_choice);
1758 MAKE_ENCODER(encode_krb5_pa_spake, pa_spake);
1759 MAKE_DECODER(decode_krb5_pa_spake, pa_spake);
1760