# Unix SMB/CIFS implementation.
# Copyright (C) 2020 Catalyst.Net Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1


# Symbolic constants shared by the Kerberos protocol tests.
#
# Wherever the generated ASN.1 module carries a named-number table the value
# is resolved from that table, so it cannot drift from the ASN.1 definitions;
# plain integer literals are used only where no such table is available.
# The underscore helpers below are private and are not picked up by
# ``from ... import *``.


def _enctype(name):
    """Return the integer code for a named EncryptionTypeValues entry."""
    return int(krb5_asn1.EncryptionTypeValues(name))


def _msg_type(name):
    """Return the integer code for a named MessageTypeValues entry."""
    return int(krb5_asn1.MessageTypeValues(name))


def _padata_type(name):
    """Return the integer code for a named PADataTypeValues entry."""
    return int(krb5_asn1.PADataTypeValues(name))


def _kerb_error_data_type(name):
    """Return the integer code for a named KerbErrorDataTypeValues entry."""
    return int(krb5_asn1.KerbErrorDataTypeValues(name))


def _name_type(name):
    """Return the integer code for a named NameTypeValues entry."""
    return int(krb5_asn1.NameTypeValues(name))


# Encryption types (RFC 3961 / RFC 3962 registry names).
AES256_CTS_HMAC_SHA1_96 = _enctype('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96')
AES128_CTS_HMAC_SHA1_96 = _enctype('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96')
# RC4-HMAC, 3DES and single DES are deprecated for Kerberos (RFC 8429 for
# RC4/3DES, RFC 6649 for DES); they presumably remain here so that legacy
# and negative enctype paths can still be exercised by the tests.
ARCFOUR_HMAC_MD5 = _enctype('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5')
DES_CBC_CRC = _enctype('kRB5-ENCTYPE-DES-CBC-CRC')
DES_CBC_MD5 = _enctype('kRB5-ENCTYPE-DES-CBC-MD5')
DES3_CBC_MD5 = _enctype('kRB5-ENCTYPE-DES3-CBC-MD5')
DES3_CBC_SHA1 = _enctype('kRB5-ENCTYPE-DES3-CBC-SHA1')
# A literal rather than a table lookup — presumably not present in the
# generated EncryptionTypeValues table.
DES_EDE3_CBC = 15  # des-ede3-cbc-EnvOID — required for Windows PK-INIT.

# Message types (RFC 4120 section 7.5.7).
KRB_ERROR = _msg_type('krb-error')
KRB_AP_REP = _msg_type('krb-ap-rep')
KRB_AP_REQ = _msg_type('krb-ap-req')
KRB_AS_REP = _msg_type('krb-as-rep')
KRB_AS_REQ = _msg_type('krb-as-req')
KRB_TGS_REP = _msg_type('krb-tgs-rep')
KRB_TGS_REQ = _msg_type('krb-tgs-req')
KRB_PRIV = _msg_type('krb-priv')

# PA-DATA types (RFC 4120 section 7.5.2 plus later extensions: PK-INIT
# in RFC 4556, FAST / encrypted challenge in RFC 6113, PA-REQ-ENC-PA-REP
# in RFC 6806 and PA-AS-FRESHNESS in RFC 8070).
PADATA_ENC_TIMESTAMP = _padata_type('kRB5-PADATA-ENC-TIMESTAMP')
PADATA_ENCRYPTED_CHALLENGE = _padata_type('kRB5-PADATA-ENCRYPTED-CHALLENGE')
PADATA_ETYPE_INFO = _padata_type('kRB5-PADATA-ETYPE-INFO')
PADATA_ETYPE_INFO2 = _padata_type('kRB5-PADATA-ETYPE-INFO2')
PADATA_FOR_USER = _padata_type('kRB5-PADATA-FOR-USER')
PADATA_FX_COOKIE = _padata_type('kRB5-PADATA-FX-COOKIE')
PADATA_FX_ERROR = _padata_type('kRB5-PADATA-FX-ERROR')
PADATA_FX_FAST = _padata_type('kRB5-PADATA-FX-FAST')
PADATA_KDC_REQ = _padata_type('kRB5-PADATA-KDC-REQ')
PADATA_PAC_OPTIONS = _padata_type('kRB5-PADATA-PAC-OPTIONS')
PADATA_PAC_REQUEST = _padata_type('kRB5-PADATA-PA-PAC-REQUEST')
PADATA_PK_AS_REQ = _padata_type('kRB5-PADATA-PK-AS-REQ')
PADATA_PK_AS_REP = _padata_type('kRB5-PADATA-PK-AS-REP')
PADATA_PK_AS_REQ_19 = _padata_type('kRB5-PADATA-PK-AS-REQ-19')
PADATA_PK_AS_REP_19 = _padata_type('kRB5-PADATA-PK-AS-REP-19')
PADATA_PW_SALT = _padata_type('kRB5-PADATA-PW-SALT')
PADATA_SUPPORTED_ETYPES = _padata_type('kRB5-PADATA-SUPPORTED-ETYPES')
PADATA_PKINIT_KX = _padata_type('kRB5-PADATA-PKINIT-KX')
PADATA_GSS = _padata_type('kRB5-PADATA-GSS')
PADATA_REQ_ENC_PA_REP = _padata_type('kRB5-PADATA-REQ-ENC-PA-REP')
PADATA_AS_FRESHNESS = _padata_type('kRB5-PADATA-AS-FRESHNESS')

# Error codes (RFC 4120 section 7.5.9; PK-INIT codes 70-81 from RFC 4556
# section 3.1.3; 90 and 93 from RFC 6113).
#
# Several AP-layer codes are named KDC_ERR_* here although RFC 4120 calls
# them KRB_AP_ERR_*. The numeric value is what the tests compare against, so
# the established names are kept; the RFC name is noted alongside.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7
KDC_ERR_NEVER_VALID = 11
KDC_ERR_POLICY = 12
KDC_ERR_BADOPTION = 13
KDC_ERR_ETYPE_NOSUPP = 14
KDC_ERR_SUMTYPE_NOSUPP = 15
KDC_ERR_CLIENT_REVOKED = 18
KDC_ERR_TGT_REVOKED = 20
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
KDC_ERR_BAD_INTEGRITY = 31  # KRB_AP_ERR_BAD_INTEGRITY in RFC 4120
KDC_ERR_TKT_EXPIRED = 32  # KRB_AP_ERR_TKT_EXPIRED
KRB_ERR_TKT_NYV = 33  # KRB_AP_ERR_TKT_NYV (ticket not yet valid)
KDC_ERR_NOT_US = 35  # KRB_AP_ERR_NOT_US
KDC_ERR_BADMATCH = 36  # KRB_AP_ERR_BADMATCH
KDC_ERR_SKEW = 37  # KRB_AP_ERR_SKEW (clock skew too great)
KDC_ERR_MODIFIED = 41  # KRB_AP_ERR_MODIFIED
KDC_ERR_BADKEYVER = 44  # KRB_AP_ERR_BADKEYVER
KDC_ERR_INAPP_CKSUM = 50  # KRB_AP_ERR_INAPP_CKSUM
KDC_ERR_GENERIC = 60  # KRB_ERR_GENERIC
KDC_ERR_CLIENT_NOT_TRUSTED = 62
KDC_ERR_INVALID_SIG = 64
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED = 65
KDC_ERR_WRONG_REALM = 68
KDC_ERR_CANT_VERIFY_CERTIFICATE = 70
KDC_ERR_INVALID_CERTIFICATE = 71
KDC_ERR_REVOKED_CERTIFICATE = 72
KDC_ERR_REVOCATION_STATUS_UNKNOWN = 73
KDC_ERR_CLIENT_NAME_MISMATCH = 75
KDC_ERR_INCONSISTENT_KEY_PURPOSE = 77
KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED = 78
KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED = 79
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED = 80
KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED = 81
KDC_ERR_PREAUTH_EXPIRED = 90
KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93

# Kpasswd result codes (RFC 3244 section 2).
KPASSWD_SUCCESS = 0
KPASSWD_MALFORMED = 1
KPASSWD_HARDERROR = 2
KPASSWD_AUTHERROR = 3
KPASSWD_SOFTERROR = 4
KPASSWD_ACCESSDENIED = 5
KPASSWD_BAD_VERSION = 6
KPASSWD_INITIAL_FLAG_NEEDED = 7

# Extended error types (Microsoft KERB-ERROR-DATA data-type values).
KERB_AP_ERR_TYPE_SKEW_RECOVERY = _kerb_error_data_type(
    'kERB-AP-ERR-TYPE-SKEW-RECOVERY')
KERB_ERR_TYPE_EXTENDED = _kerb_error_data_type('kERB-ERR-TYPE-EXTENDED')

# Principal name types (RFC 4120 section 6.2; enterprise names from RFC 6806).
NT_UNKNOWN = _name_type('kRB5-NT-UNKNOWN')
NT_PRINCIPAL = _name_type('kRB5-NT-PRINCIPAL')
NT_SRV_HST = _name_type('kRB5-NT-SRV-HST')
NT_SRV_INST = _name_type('kRB5-NT-SRV-INST')
NT_ENTERPRISE_PRINCIPAL = _name_type('kRB5-NT-ENTERPRISE-PRINCIPAL')
NT_WELLKNOWN = _name_type('kRB5-NT-WELLKNOWN')

# Authorization-data ad-type values (RFC 4120 section 7.5.4; 71 and 72 from
# RFC 6113; 128 is the Windows PAC container).
AD_IF_RELEVANT = 1
AD_INTENDED_FOR_SERVER = 2
AD_INTENDED_FOR_APPLICATION_CLASS = 3
AD_KDC_ISSUED = 4
AD_AND_OR = 5
AD_MANDATORY_TICKET_EXTENSIONS = 6
AD_IN_TICKET_EXTENSIONS = 7
AD_MANDATORY_FOR_KDC = 8
AD_INITIAL_VERIFIED_CAS = 9
AD_FX_FAST_ARMOR = 71
AD_FX_FAST_USED = 72
AD_WIN2K_PAC = 128
# NOTE(review): 512 is a KDC-specific AD-SIGNTICKET type, not an RFC 4120
# value — confirm against the KDC source before depending on it.
AD_SIGNTICKET = 512

# Key usage numbers.
# RFC 4120 section 7.5.1 for 1-17; RFC 4121 section 2 for 22-25;
# RFC 6113 for 50-56; RFC 8070 (PA-AS-FRESHNESS) for 60.
#
# Using the wrong key usage number silently derives a different key, so a
# mismatch between client and KDC shows up as an integrity failure rather
# than a clear protocol error — keep these aligned with the specifications.

# AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
# client key (section 5.2.7.2)
KU_PA_ENC_TIMESTAMP = 1
# AS-REP Ticket and TGS-REP Ticket (includes tgs session key or
# application session key), encrypted with the service key
# (section 5.3)
KU_TICKET = 2
# AS-REP encrypted part (includes tgs session key or application
# session key), encrypted with the client key (section 5.4.2)
KU_AS_REP_ENC_PART = 3
# TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
# session key (section 5.4.1)
KU_TGS_REQ_AUTH_DAT_SESSION = 4
# TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs
# authenticator subkey (section 5.4.1)
KU_TGS_REQ_AUTH_DAT_SUBKEY = 5
# TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
# with the tgs session key (section 5.5.1)
KU_TGS_REQ_AUTH_CKSUM = 6
# NOTE(review): intentionally shares value 6 with KU_TGS_REQ_AUTH_CKSUM;
# presumably the PK-INIT (RFC 4556) usage of that number. The separate name
# lets call sites state which usage they mean — confirm against the
# PK-INIT code paths before changing either.
KU_PKINIT_AS_REQ = 6
# TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs
# authenticator subkey), encrypted with the tgs session key
# (section 5.5.1)
KU_TGS_REQ_AUTH = 7
# TGS-REP encrypted part (includes application session key),
# encrypted with the tgs session key (section 5.4.2)
KU_TGS_REP_ENC_PART_SESSION = 8
# TGS-REP encrypted part (includes application session key),
# encrypted with the tgs authenticator subkey (section 5.4.2)
KU_TGS_REP_ENC_PART_SUB_KEY = 9
# AP-REQ Authenticator cksum, keyed with the application session
# key (section 5.5.1)
KU_AP_REQ_AUTH_CKSUM = 10
# AP-REQ Authenticator (includes application authenticator
# subkey), encrypted with the application session key (section 5.5.1)
KU_AP_REQ_AUTH = 11
# AP-REP encrypted part (includes application session subkey),
# encrypted with the application session key (section 5.5.2)
KU_AP_REQ_ENC_PART = 12
# KRB-PRIV encrypted part, encrypted with a key chosen by the
# application (section 5.7.1)
KU_KRB_PRIV = 13
# KRB-CRED encrypted part, encrypted with a key chosen by the
# application (section 5.8.1)
KU_KRB_CRED = 14
# KRB-SAFE cksum, keyed with a key chosen by the application
# (section 5.6.1)
KU_KRB_SAFE_CKSUM = 15
KU_NON_KERB_SALT = 16
KU_NON_KERB_CKSUM_SALT = 17

# GSS-API Kerberos mechanism (RFC 4121 section 2).
KU_ACCEPTOR_SEAL = 22
KU_ACCEPTOR_SIGN = 23
KU_INITIATOR_SEAL = 24
KU_INITIATOR_SIGN = 25

# FAST and encrypted-challenge pre-authentication (RFC 6113).
KU_FAST_REQ_CHKSUM = 50
KU_FAST_ENC = 51
KU_FAST_REP = 52
KU_FAST_FINISHED = 53
KU_ENC_CHALLENGE_CLIENT = 54
KU_ENC_CHALLENGE_KDC = 55
KU_AS_REQ = 56

# PK-INIT freshness token (RFC 8070).
KU_AS_FRESHNESS = 60

# FAST armor types (RFC 6113).
FX_FAST_ARMOR_AP_REQUEST = 1

# PK-INIT typed-data error types (RFC 4556 section 3.1.3).
TD_TRUSTED_CERTIFIERS = 104
TD_INVALID_CERTIFICATES = 105
TD_DH_PARAMETERS = 109