1 # Unix SMB/CIFS implementation.
2 # Copyright (C) 2020 Catalyst.Net Ltd
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 3 of the License, or
7 # (at your option) any later version.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 import samba
.tests
.krb5
.rfc4120_pyasn1
as krb5_asn1
21 AES256_CTS_HMAC_SHA1_96
= int(
22 krb5_asn1
.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96'))
23 AES128_CTS_HMAC_SHA1_96
= int(
24 krb5_asn1
.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96'))
25 ARCFOUR_HMAC_MD5
= int(
26 krb5_asn1
.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5'))
28 krb5_asn1
.EncryptionTypeValues('kRB5-ENCTYPE-DES-CBC-CRC'))
30 krb5_asn1
.EncryptionTypeValues('kRB5-ENCTYPE-DES-CBC-MD5'))
32 krb5_asn1
.EncryptionTypeValues('kRB5-ENCTYPE-DES3-CBC-MD5'))
34 krb5_asn1
.EncryptionTypeValues('kRB5-ENCTYPE-DES3-CBC-SHA1'))
36 DES_EDE3_CBC
= 15 # des-ede3-cbc-EnvOID — required for Windows PK-INIT.
39 KRB_ERROR
= int(krb5_asn1
.MessageTypeValues('krb-error'))
40 KRB_AP_REP
= int(krb5_asn1
.MessageTypeValues('krb-ap-rep'))
41 KRB_AP_REQ
= int(krb5_asn1
.MessageTypeValues('krb-ap-req'))
42 KRB_AS_REP
= int(krb5_asn1
.MessageTypeValues('krb-as-rep'))
43 KRB_AS_REQ
= int(krb5_asn1
.MessageTypeValues('krb-as-req'))
44 KRB_TGS_REP
= int(krb5_asn1
.MessageTypeValues('krb-tgs-rep'))
45 KRB_TGS_REQ
= int(krb5_asn1
.MessageTypeValues('krb-tgs-req'))
46 KRB_PRIV
= int(krb5_asn1
.MessageTypeValues('krb-priv'))
49 PADATA_ENC_TIMESTAMP
= int(
50 krb5_asn1
.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP'))
51 PADATA_ENCRYPTED_CHALLENGE
= int(
52 krb5_asn1
.PADataTypeValues('kRB5-PADATA-ENCRYPTED-CHALLENGE'))
53 PADATA_ETYPE_INFO
= int(
54 krb5_asn1
.PADataTypeValues('kRB5-PADATA-ETYPE-INFO'))
55 PADATA_ETYPE_INFO2
= int(
56 krb5_asn1
.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2'))
57 PADATA_FOR_USER
= int(
58 krb5_asn1
.PADataTypeValues('kRB5-PADATA-FOR-USER'))
59 PADATA_FX_COOKIE
= int(
60 krb5_asn1
.PADataTypeValues('kRB5-PADATA-FX-COOKIE'))
61 PADATA_FX_ERROR
= int(
62 krb5_asn1
.PADataTypeValues('kRB5-PADATA-FX-ERROR'))
64 krb5_asn1
.PADataTypeValues('kRB5-PADATA-FX-FAST'))
66 krb5_asn1
.PADataTypeValues('kRB5-PADATA-KDC-REQ'))
67 PADATA_PAC_OPTIONS
= int(
68 krb5_asn1
.PADataTypeValues('kRB5-PADATA-PAC-OPTIONS'))
69 PADATA_PAC_REQUEST
= int(
70 krb5_asn1
.PADataTypeValues('kRB5-PADATA-PA-PAC-REQUEST'))
71 PADATA_PK_AS_REQ
= int(
72 krb5_asn1
.PADataTypeValues('kRB5-PADATA-PK-AS-REQ'))
73 PADATA_PK_AS_REP
= int(
74 krb5_asn1
.PADataTypeValues('kRB5-PADATA-PK-AS-REP'))
75 PADATA_PK_AS_REQ_19
= int(
76 krb5_asn1
.PADataTypeValues('kRB5-PADATA-PK-AS-REQ-19'))
77 PADATA_PK_AS_REP_19
= int(
78 krb5_asn1
.PADataTypeValues('kRB5-PADATA-PK-AS-REP-19'))
80 krb5_asn1
.PADataTypeValues('kRB5-PADATA-PW-SALT'))
81 PADATA_SUPPORTED_ETYPES
= int(
82 krb5_asn1
.PADataTypeValues('kRB5-PADATA-SUPPORTED-ETYPES'))
83 PADATA_PKINIT_KX
= int(
84 krb5_asn1
.PADataTypeValues('kRB5-PADATA-PKINIT-KX'))
86 krb5_asn1
.PADataTypeValues('kRB5-PADATA-GSS'))
87 PADATA_REQ_ENC_PA_REP
= int(
88 krb5_asn1
.PADataTypeValues('kRB5-PADATA-REQ-ENC-PA-REP'))
89 PADATA_AS_FRESHNESS
= int(
90 krb5_asn1
.PADataTypeValues('kRB5-PADATA-AS-FRESHNESS'))
93 KDC_ERR_C_PRINCIPAL_UNKNOWN
= 6
94 KDC_ERR_S_PRINCIPAL_UNKNOWN
= 7
95 KDC_ERR_NEVER_VALID
= 11
97 KDC_ERR_BADOPTION
= 13
98 KDC_ERR_ETYPE_NOSUPP
= 14
99 KDC_ERR_SUMTYPE_NOSUPP
= 15
100 KDC_ERR_CLIENT_REVOKED
= 18
101 KDC_ERR_TGT_REVOKED
= 20
102 KDC_ERR_PREAUTH_FAILED
= 24
103 KDC_ERR_PREAUTH_REQUIRED
= 25
104 KDC_ERR_BAD_INTEGRITY
= 31
105 KDC_ERR_TKT_EXPIRED
= 32
108 KDC_ERR_BADMATCH
= 36
110 KDC_ERR_MODIFIED
= 41
111 KDC_ERR_BADKEYVER
= 44
112 KDC_ERR_INAPP_CKSUM
= 50
114 KDC_ERR_CLIENT_NOT_TRUSTED
= 62
115 KDC_ERR_INVALID_SIG
= 64
116 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
= 65
117 KDC_ERR_WRONG_REALM
= 68
118 KDC_ERR_CANT_VERIFY_CERTIFICATE
= 70
119 KDC_ERR_INVALID_CERTIFICATE
= 71
120 KDC_ERR_REVOKED_CERTIFICATE
= 72
121 KDC_ERR_REVOCATION_STATUS_UNKNOWN
= 73
122 KDC_ERR_CLIENT_NAME_MISMATCH
= 75
123 KDC_ERR_INCONSISTENT_KEY_PURPOSE
= 77
124 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED
= 78
125 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED
= 79
126 KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED
= 80
127 KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED
= 81
128 KDC_ERR_PREAUTH_EXPIRED
= 90
129 KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS
= 93
131 # Kpasswd error codes
133 KPASSWD_MALFORMED
= 1
134 KPASSWD_HARDERROR
= 2
135 KPASSWD_AUTHERROR
= 3
136 KPASSWD_SOFTERROR
= 4
137 KPASSWD_ACCESSDENIED
= 5
138 KPASSWD_BAD_VERSION
= 6
139 KPASSWD_INITIAL_FLAG_NEEDED
= 7
141 # Extended error types
142 KERB_AP_ERR_TYPE_SKEW_RECOVERY
= int(
143 krb5_asn1
.KerbErrorDataTypeValues('kERB-AP-ERR-TYPE-SKEW-RECOVERY'))
144 KERB_ERR_TYPE_EXTENDED
= int(
145 krb5_asn1
.KerbErrorDataTypeValues('kERB-ERR-TYPE-EXTENDED'))
148 NT_UNKNOWN
= int(krb5_asn1
.NameTypeValues('kRB5-NT-UNKNOWN'))
149 NT_PRINCIPAL
= int(krb5_asn1
.NameTypeValues('kRB5-NT-PRINCIPAL'))
150 NT_SRV_HST
= int(krb5_asn1
.NameTypeValues('kRB5-NT-SRV-HST'))
151 NT_SRV_INST
= int(krb5_asn1
.NameTypeValues('kRB5-NT-SRV-INST'))
152 NT_ENTERPRISE_PRINCIPAL
= int(krb5_asn1
.NameTypeValues(
153 'kRB5-NT-ENTERPRISE-PRINCIPAL'))
154 NT_WELLKNOWN
= int(krb5_asn1
.NameTypeValues('kRB5-NT-WELLKNOWN'))
156 # Authorization data ad-type values
159 AD_INTENDED_FOR_SERVER
= 2
160 AD_INTENDED_FOR_APPLICATION_CLASS
= 3
163 AD_MANDATORY_TICKET_EXTENSIONS
= 6
164 AD_IN_TICKET_EXTENSIONS
= 7
165 AD_MANDATORY_FOR_KDC
= 8
166 AD_INITIAL_VERIFIED_CAS
= 9
167 AD_FX_FAST_ARMOR
= 71
173 # RFC 4120 Section 7.5.1. Key Usage Numbers
174 KU_PA_ENC_TIMESTAMP
= 1
175 ''' AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
176 client key (section 5.2.7.2) '''
178 ''' AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
179 application session key), encrypted with the service key
181 KU_AS_REP_ENC_PART
= 3
182 ''' AS-REP encrypted part (includes tgs session key or application
183 session key), encrypted with the client key (section 5.4.2) '''
184 KU_TGS_REQ_AUTH_DAT_SESSION
= 4
185 ''' TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
186 session key (section 5.4.1) '''
187 KU_TGS_REQ_AUTH_DAT_SUBKEY
= 5
188 ''' TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
189 authenticator subkey (section 5.4.1) '''
190 KU_TGS_REQ_AUTH_CKSUM
= 6
191 ''' TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
192 with the tgs session key (section 5.5.1) '''
195 ''' TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
196 authenticator subkey), encrypted with the tgs session key
198 KU_TGS_REP_ENC_PART_SESSION
= 8
199 ''' TGS-REP encrypted part (includes application session key),
200 encrypted with the tgs session key (section 5.4.2) '''
201 KU_TGS_REP_ENC_PART_SUB_KEY
= 9
202 ''' TGS-REP encrypted part (includes application session key),
203 encrypted with the tgs authenticator subkey (section 5.4.2) '''
204 KU_AP_REQ_AUTH_CKSUM
= 10
205 ''' AP-REQ Authenticator cksum, keyed with the application session
206 key (section 5.5.1) '''
208 ''' AP-REQ Authenticator (includes application authenticator
209 subkey), encrypted with the application session key (section 5.5.1) '''
210 KU_AP_REQ_ENC_PART
= 12
211 ''' AP-REP encrypted part (includes application session subkey),
212 encrypted with the application session key (section 5.5.2) '''
214 ''' KRB-PRIV encrypted part, encrypted with a key chosen by the
215 application (section 5.7.1) '''
217 ''' KRB-CRED encrypted part, encrypted with a key chosen by the
218 application (section 5.8.1) '''
219 KU_KRB_SAFE_CKSUM
= 15
220 ''' KRB-SAFE cksum, keyed with a key chosen by the application
222 KU_NON_KERB_SALT
= 16
223 KU_NON_KERB_CKSUM_SALT
= 17
225 KU_ACCEPTOR_SEAL
= 22
226 KU_ACCEPTOR_SIGN
= 23
227 KU_INITIATOR_SEAL
= 24
228 KU_INITIATOR_SIGN
= 25
230 KU_FAST_REQ_CHKSUM
= 50
233 KU_FAST_FINISHED
= 53
234 KU_ENC_CHALLENGE_CLIENT
= 54
235 KU_ENC_CHALLENGE_KDC
= 55
241 FX_FAST_ARMOR_AP_REQUEST
= 1
243 # PKINIT typed data errors
244 TD_TRUSTED_CERTIFIERS
= 104
245 TD_INVALID_CERTIFICATES
= 105
246 TD_DH_PARAMETERS
= 109