1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krb5/asn.1/asn1_k_encode.c */
4 * Copyright 1994, 2008 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
27 #include "asn1_encode.h"
30 DEFINT_IMMEDIATE(krb5_version, KVNO, KRB5KDC_ERR_BAD_PVNO);
32 DEFBOOLTYPE(bool, krb5_boolean);
33 DEFINTTYPE(int32, krb5_int32);
34 DEFPTRTYPE(int32_ptr, int32);
35 DEFCOUNTEDSEQOFTYPE(cseqof_int32, krb5_int32, int32_ptr);
36 DEFOPTIONALZEROTYPE(opt_int32, int32);
38 DEFUINTTYPE(uint, unsigned int);
39 DEFUINTTYPE(octet, krb5_octet);
40 DEFUINTTYPE(ui_4, krb5_ui_4);
41 DEFOPTIONALZEROTYPE(opt_uint, uint);
44 nonempty_data(const void *p)
46 const krb5_data *val = p;
47 return (val->data != NULL && val->length != 0);
50 DEFCOUNTEDDERTYPE(der, char *, unsigned int);
51 DEFCOUNTEDTYPE(der_data, krb5_data, data, length, der);
52 DEFOPTIONALTYPE(opt_der_data, nonempty_data, NULL, der_data);
54 DEFCOUNTEDSTRINGTYPE(octetstring, unsigned char *, unsigned int,
55 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
57 DEFCOUNTEDSTRINGTYPE(s_octetstring, char *, unsigned int,
58 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
60 DEFCOUNTEDTYPE(ostring_data, krb5_data, data, length, s_octetstring);
61 DEFPTRTYPE(ostring_data_ptr, ostring_data);
62 DEFOPTIONALTYPE(opt_ostring_data, nonempty_data, NULL, ostring_data);
63 DEFOPTIONALZEROTYPE(opt_ostring_data_ptr, ostring_data_ptr);
65 DEFCOUNTEDSTRINGTYPE(generalstring, char *, unsigned int,
66 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
68 DEFCOUNTEDSTRINGTYPE(u_generalstring, unsigned char *, unsigned int,
69 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
71 DEFCOUNTEDTYPE(gstring_data, krb5_data, data, length, generalstring);
72 DEFOPTIONALTYPE(opt_gstring_data, nonempty_data, NULL, gstring_data);
73 DEFPTRTYPE(gstring_data_ptr, gstring_data);
74 DEFCOUNTEDSEQOFTYPE(cseqof_gstring_data, krb5_int32, gstring_data_ptr);
76 DEFOFFSETTYPE(realm_of_principal_data, krb5_principal_data, realm,
78 DEFPTRTYPE(realm_of_principal, realm_of_principal_data);
79 DEFOPTIONALZEROTYPE(opt_realm_of_principal, realm_of_principal);
81 DEFFIELD(princname_0, krb5_principal_data, type, 0, int32);
82 DEFCNFIELD(princname_1, krb5_principal_data, data, length, 1,
84 static const struct atype_info *princname_fields[] = {
85 &k5_atype_princname_0, &k5_atype_princname_1
87 DEFSEQTYPE(principal_data, krb5_principal_data, princname_fields);
88 DEFPTRTYPE(principal, principal_data);
89 DEFOPTIONALZEROTYPE(opt_principal, principal);
92 * Define the seqno type, which is an ASN.1 integer represented in a krb5_ui_4.
93 * When decoding, negative 32-bit numbers are accepted for interoperability
94 * with old implementations.
96 static asn1_error_code
97 encode_seqno(asn1buf *buf, const void *p, taginfo *rettag, size_t *len_out)
99 krb5_ui_4 val = *(krb5_ui_4 *)p;
100 rettag->asn1class = UNIVERSAL;
101 rettag->construction = PRIMITIVE;
102 rettag->tagnum = ASN1_INTEGER;
103 return k5_asn1_encode_uint(buf, val, len_out);
105 static asn1_error_code
106 decode_seqno(const taginfo *t, const unsigned char *asn1, size_t len, void *p)
110 ret = k5_asn1_decode_int(asn1, len, &val);
113 if (val < KRB5_INT32_MIN || val > 0xFFFFFFFF)
114 return ASN1_OVERFLOW;
115 /* Negative values will cast correctly to krb5_ui_4. */
116 *(krb5_ui_4 *)p = val;
120 check_seqno(const taginfo *t)
122 return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE &&
123 t->tagnum == ASN1_INTEGER);
125 DEFFNTYPE(seqno, krb5_ui_4, encode_seqno, decode_seqno, check_seqno, NULL);
126 DEFOPTIONALZEROTYPE(opt_seqno, seqno);
128 /* Define the kerberos_time type, which is an ASN.1 generaltime represented in
129 * a krb5_timestamp. */
130 static asn1_error_code
131 encode_kerberos_time(asn1buf *buf, const void *p, taginfo *rettag,
134 /* Range checking for time_t vs krb5_timestamp? */
135 time_t val = *(krb5_timestamp *)p;
136 rettag->asn1class = UNIVERSAL;
137 rettag->construction = PRIMITIVE;
138 rettag->tagnum = ASN1_GENERALTIME;
139 return k5_asn1_encode_generaltime(buf, val, len_out);
141 static asn1_error_code
142 decode_kerberos_time(const taginfo *t, const unsigned char *asn1, size_t len,
147 ret = k5_asn1_decode_generaltime(asn1, len, &val);
150 *(krb5_timestamp *)p = val;
154 check_kerberos_time(const taginfo *t)
156 return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE &&
157 t->tagnum == ASN1_GENERALTIME);
159 DEFFNTYPE(kerberos_time, krb5_timestamp, encode_kerberos_time,
160 decode_kerberos_time, check_kerberos_time, NULL);
161 DEFOPTIONALZEROTYPE(opt_kerberos_time, kerberos_time);
163 DEFFIELD(address_0, krb5_address, addrtype, 0, int32);
164 DEFCNFIELD(address_1, krb5_address, contents, length, 1, octetstring);
165 const static struct atype_info *address_fields[] = {
166 &k5_atype_address_0, &k5_atype_address_1
168 DEFSEQTYPE(address, krb5_address, address_fields);
169 DEFPTRTYPE(address_ptr, address);
170 DEFOPTIONALZEROTYPE(opt_address_ptr, address_ptr);
172 DEFNULLTERMSEQOFTYPE(seqof_host_addresses, address_ptr);
173 DEFPTRTYPE(ptr_seqof_host_addresses, seqof_host_addresses);
174 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_host_addresses, ptr_seqof_host_addresses);
177 * krb5_kvno is defined as unsigned int, but historically (MIT krb5 through 1.6
178 * in the encoder, and through 1.10 in the decoder) we treat it as signed, in
179 * violation of RFC 4120. kvno values large enough to be problematic are only
180 * likely to be seen with Windows read-only domain controllers, which overload
181 * the high 16-bits of kvno values for krbtgt principals. Since Windows
182 * encodes kvnos as signed 32-bit values, for interoperability it's best if we
185 DEFINTTYPE(kvno, krb5_kvno);
186 DEFOPTIONALZEROTYPE(opt_kvno, kvno);
188 DEFFIELD(enc_data_0, krb5_enc_data, enctype, 0, int32);
189 DEFFIELD(enc_data_1, krb5_enc_data, kvno, 1, opt_kvno);
190 DEFFIELD(enc_data_2, krb5_enc_data, ciphertext, 2, ostring_data);
191 static const struct atype_info *encrypted_data_fields[] = {
192 &k5_atype_enc_data_0, &k5_atype_enc_data_1, &k5_atype_enc_data_2
194 DEFSEQTYPE(encrypted_data, krb5_enc_data, encrypted_data_fields);
196 nonempty_enc_data(const void *p)
198 const krb5_enc_data *val = p;
199 return (val->ciphertext.data != NULL);
201 DEFOPTIONALTYPE(opt_encrypted_data, nonempty_enc_data, NULL, encrypted_data);
203 /* Define the krb5_flags type, which is an ASN.1 bit string represented in a
205 static asn1_error_code
206 encode_krb5_flags(asn1buf *buf, const void *p, taginfo *rettag,
209 unsigned char cbuf[4], *cptr = cbuf;
210 store_32_be((krb5_ui_4)*(const krb5_flags *)p, cbuf);
211 rettag->asn1class = UNIVERSAL;
212 rettag->construction = PRIMITIVE;
213 rettag->tagnum = ASN1_BITSTRING;
214 return k5_asn1_encode_bitstring(buf, &cptr, 4, len_out);
216 static asn1_error_code
217 decode_krb5_flags(const taginfo *t, const unsigned char *asn1, size_t len,
224 ret = k5_asn1_decode_bitstring(asn1, len, &bits, &blen);
227 /* Copy up to 32 bits into f, starting at the most significant byte. */
228 for (i = 0; i < blen && i < 4; i++)
229 f |= bits[i] << (8 * (3 - i));
230 *(krb5_flags *)val = f;
235 check_krb5_flags(const taginfo *t)
237 return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE &&
238 t->tagnum == ASN1_BITSTRING);
240 DEFFNTYPE(krb5_flags, krb5_flags, encode_krb5_flags, decode_krb5_flags,
241 check_krb5_flags, NULL);
242 DEFOPTIONALZEROTYPE(opt_krb5_flags, krb5_flags);
244 DEFFIELD(authdata_0, krb5_authdata, ad_type, 0, int32);
245 DEFCNFIELD(authdata_1, krb5_authdata, contents, length, 1, octetstring);
246 static const struct atype_info *authdata_elt_fields[] = {
247 &k5_atype_authdata_0, &k5_atype_authdata_1
249 DEFSEQTYPE(authdata_elt, krb5_authdata, authdata_elt_fields);
250 DEFPTRTYPE(authdata_elt_ptr, authdata_elt);
251 DEFNONEMPTYNULLTERMSEQOFTYPE(auth_data, authdata_elt_ptr);
252 DEFPTRTYPE(auth_data_ptr, auth_data);
253 DEFOPTIONALEMPTYTYPE(opt_auth_data_ptr, auth_data_ptr);
255 /* authdata_types retrieves just the types of authdata elements in an array. */
256 DEFCTAGGEDTYPE(authdata_elt_type_0, 0, int32);
257 static const struct atype_info *authdata_elt_type_fields[] = {
258 &k5_atype_authdata_elt_type_0
260 DEFSEQTYPE(authdata_elt_type, krb5_authdatatype, authdata_elt_type_fields);
261 DEFPTRTYPE(ptr_authdata_elt_type, authdata_elt_type);
262 DEFCOUNTEDSEQOFTYPE(cseqof_authdata_elt_type, unsigned int,
263 ptr_authdata_elt_type);
264 struct authdata_types {
265 krb5_authdatatype *types;
268 DEFCOUNTEDTYPE(authdata_types, struct authdata_types, types, ntypes,
269 cseqof_authdata_elt_type);
271 DEFFIELD(keyblock_0, krb5_keyblock, enctype, 0, int32);
272 DEFCNFIELD(keyblock_1, krb5_keyblock, contents, length, 1, octetstring);
273 static const struct atype_info *encryption_key_fields[] = {
274 &k5_atype_keyblock_0, &k5_atype_keyblock_1
276 DEFSEQTYPE(encryption_key, krb5_keyblock, encryption_key_fields);
277 DEFPTRTYPE(ptr_encryption_key, encryption_key);
278 DEFOPTIONALZEROTYPE(opt_ptr_encryption_key, ptr_encryption_key);
280 DEFFIELD(checksum_0, krb5_checksum, checksum_type, 0, int32);
281 DEFCNFIELD(checksum_1, krb5_checksum, contents, length, 1, octetstring);
282 static const struct atype_info *checksum_fields[] = {
283 &k5_atype_checksum_0, &k5_atype_checksum_1
285 DEFSEQTYPE(checksum, krb5_checksum, checksum_fields);
286 DEFPTRTYPE(checksum_ptr, checksum);
287 DEFNULLTERMSEQOFTYPE(seqof_checksum, checksum_ptr);
288 DEFPTRTYPE(ptr_seqof_checksum, seqof_checksum);
289 DEFOPTIONALZEROTYPE(opt_checksum_ptr, checksum_ptr);
291 /* Define the last_req_type type, which is a krb5_int32 with some massaging
292 * on decode for backward compatibility. */
293 static asn1_error_code
294 encode_lr_type(asn1buf *buf, const void *p, taginfo *rettag, size_t *len_out)
296 krb5_int32 val = *(krb5_int32 *)p;
297 rettag->asn1class = UNIVERSAL;
298 rettag->construction = PRIMITIVE;
299 rettag->tagnum = ASN1_INTEGER;
300 return k5_asn1_encode_int(buf, val, len_out);
302 static asn1_error_code
303 decode_lr_type(const taginfo *t, const unsigned char *asn1, size_t len,
308 ret = k5_asn1_decode_int(asn1, len, &val);
311 if (val > KRB5_INT32_MAX || val < KRB5_INT32_MIN)
312 return ASN1_OVERFLOW;
313 #ifdef KRB5_GENEROUS_LR_TYPE
314 /* If type is in the 128-255 range, treat it as a negative 8-bit value. */
315 if (val >= 128 && val <= 255)
318 *(krb5_int32 *)p = val;
322 check_lr_type(const taginfo *t)
324 return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE &&
325 t->tagnum == ASN1_INTEGER);
327 DEFFNTYPE(last_req_type, krb5_int32, encode_lr_type, decode_lr_type,
328 check_lr_type, NULL);
330 DEFFIELD(last_req_0, krb5_last_req_entry, lr_type, 0, last_req_type);
331 DEFFIELD(last_req_1, krb5_last_req_entry, value, 1, kerberos_time);
332 static const struct atype_info *lr_fields[] = {
333 &k5_atype_last_req_0, &k5_atype_last_req_1
335 DEFSEQTYPE(last_req_ent, krb5_last_req_entry, lr_fields);
337 DEFPTRTYPE(last_req_ent_ptr, last_req_ent);
338 DEFNONEMPTYNULLTERMSEQOFTYPE(last_req, last_req_ent_ptr);
339 DEFPTRTYPE(last_req_ptr, last_req);
341 DEFCTAGGEDTYPE(ticket_0, 0, krb5_version);
342 DEFFIELD(ticket_1, krb5_ticket, server, 1, realm_of_principal);
343 DEFFIELD(ticket_2, krb5_ticket, server, 2, principal);
344 DEFFIELD(ticket_3, krb5_ticket, enc_part, 3, encrypted_data);
345 static const struct atype_info *ticket_fields[] = {
346 &k5_atype_ticket_0, &k5_atype_ticket_1, &k5_atype_ticket_2,
349 DEFSEQTYPE(untagged_ticket, krb5_ticket, ticket_fields);
350 DEFAPPTAGGEDTYPE(ticket, 1, untagged_ticket);
352 /* First context tag is 1, not 0. */
353 DEFFIELD(pa_data_1, krb5_pa_data, pa_type, 1, int32);
354 DEFCNFIELD(pa_data_2, krb5_pa_data, contents, length, 2, octetstring);
355 static const struct atype_info *pa_data_fields[] = {
356 &k5_atype_pa_data_1, &k5_atype_pa_data_2
358 DEFSEQTYPE(pa_data, krb5_pa_data, pa_data_fields);
359 DEFPTRTYPE(pa_data_ptr, pa_data);
361 DEFNULLTERMSEQOFTYPE(seqof_pa_data, pa_data_ptr);
362 DEFPTRTYPE(ptr_seqof_pa_data, seqof_pa_data);
363 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_pa_data, ptr_seqof_pa_data);
365 DEFPTRTYPE(ticket_ptr, ticket);
366 DEFNONEMPTYNULLTERMSEQOFTYPE(seqof_ticket,ticket_ptr);
367 DEFPTRTYPE(ptr_seqof_ticket, seqof_ticket);
368 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_ticket, ptr_seqof_ticket);
371 is_enc_kdc_rep_start_set(const void *p)
373 const krb5_enc_kdc_rep_part *val = p;
374 return (val->times.starttime != 0);
377 init_enc_kdc_rep_start(void *p)
379 krb5_enc_kdc_rep_part *val = p;
380 val->times.starttime = val->times.authtime;
383 is_renewable_flag_set(const void *p)
385 const krb5_enc_kdc_rep_part *val = p;
386 return (val->flags & TKT_FLG_RENEWABLE);
388 DEFFIELD(enc_kdc_rep_0, krb5_enc_kdc_rep_part, session, 0, ptr_encryption_key);
389 DEFFIELD(enc_kdc_rep_1, krb5_enc_kdc_rep_part, last_req, 1, last_req_ptr);
390 DEFFIELD(enc_kdc_rep_2, krb5_enc_kdc_rep_part, nonce, 2, int32);
391 DEFFIELD(enc_kdc_rep_3, krb5_enc_kdc_rep_part, key_exp, 3, opt_kerberos_time);
392 DEFFIELD(enc_kdc_rep_4, krb5_enc_kdc_rep_part, flags, 4, krb5_flags);
393 DEFFIELD(enc_kdc_rep_5, krb5_enc_kdc_rep_part, times.authtime, 5,
395 DEFFIELD(enc_kdc_rep_6_def, krb5_enc_kdc_rep_part, times.starttime, 6,
397 DEFOPTIONALTYPE(enc_kdc_rep_6, is_enc_kdc_rep_start_set,
398 init_enc_kdc_rep_start, enc_kdc_rep_6_def);
399 DEFFIELD(enc_kdc_rep_7, krb5_enc_kdc_rep_part, times.endtime, 7,
401 DEFFIELD(enc_kdc_rep_8_def, krb5_enc_kdc_rep_part, times.renew_till, 8,
403 DEFOPTIONALTYPE(enc_kdc_rep_8, is_renewable_flag_set, NULL, enc_kdc_rep_8_def);
404 DEFFIELD(enc_kdc_rep_9, krb5_enc_kdc_rep_part, server, 9, realm_of_principal);
405 DEFFIELD(enc_kdc_rep_10, krb5_enc_kdc_rep_part, server, 10, principal);
406 DEFFIELD(enc_kdc_rep_11, krb5_enc_kdc_rep_part, caddrs, 11,
407 opt_ptr_seqof_host_addresses);
408 DEFFIELD(enc_kdc_rep_12, krb5_enc_kdc_rep_part, enc_padata, 12,
409 opt_ptr_seqof_pa_data);
410 static const struct atype_info *enc_kdc_rep_part_fields[] = {
411 &k5_atype_enc_kdc_rep_0, &k5_atype_enc_kdc_rep_1, &k5_atype_enc_kdc_rep_2,
412 &k5_atype_enc_kdc_rep_3, &k5_atype_enc_kdc_rep_4, &k5_atype_enc_kdc_rep_5,
413 &k5_atype_enc_kdc_rep_6, &k5_atype_enc_kdc_rep_7, &k5_atype_enc_kdc_rep_8,
414 &k5_atype_enc_kdc_rep_9, &k5_atype_enc_kdc_rep_10,
415 &k5_atype_enc_kdc_rep_11, &k5_atype_enc_kdc_rep_12
417 DEFSEQTYPE(enc_kdc_rep_part, krb5_enc_kdc_rep_part, enc_kdc_rep_part_fields);
420 * Yuck! Eventually push this *up* above the encoder API and make the
421 * rest of the library put the realm name in one consistent place. At
422 * the same time, might as well add the msg-type field and encode both
423 * AS-REQ and TGS-REQ through the same descriptor.
425 typedef struct kdc_req_hack {
427 krb5_data server_realm;
429 DEFFIELD(req_body_0, kdc_req_hack, v.kdc_options, 0, krb5_flags);
430 DEFFIELD(req_body_1, kdc_req_hack, v.client, 1, opt_principal);
431 DEFFIELD(req_body_2, kdc_req_hack, server_realm, 2, gstring_data);
432 DEFFIELD(req_body_3, kdc_req_hack, v.server, 3, opt_principal);
433 DEFFIELD(req_body_4, kdc_req_hack, v.from, 4, opt_kerberos_time);
434 DEFFIELD(req_body_5, kdc_req_hack, v.till, 5, kerberos_time);
435 DEFFIELD(req_body_6, kdc_req_hack, v.rtime, 6, opt_kerberos_time);
436 DEFFIELD(req_body_7, kdc_req_hack, v.nonce, 7, int32);
437 DEFCNFIELD(req_body_8, kdc_req_hack, v.ktype, v.nktypes, 8, cseqof_int32);
438 DEFFIELD(req_body_9, kdc_req_hack, v.addresses, 9,
439 opt_ptr_seqof_host_addresses);
440 DEFFIELD(req_body_10, kdc_req_hack, v.authorization_data, 10,
442 DEFFIELD(req_body_11, kdc_req_hack, v.second_ticket, 11, opt_ptr_seqof_ticket);
443 static const struct atype_info *kdc_req_hack_fields[] = {
444 &k5_atype_req_body_0, &k5_atype_req_body_1, &k5_atype_req_body_2,
445 &k5_atype_req_body_3, &k5_atype_req_body_4, &k5_atype_req_body_5,
446 &k5_atype_req_body_6, &k5_atype_req_body_7, &k5_atype_req_body_8,
447 &k5_atype_req_body_9, &k5_atype_req_body_10, &k5_atype_req_body_11
449 DEFSEQTYPE(kdc_req_body_hack, kdc_req_hack, kdc_req_hack_fields);
450 static asn1_error_code
451 encode_kdc_req_body(asn1buf *buf, const void *p, taginfo *tag_out,
454 const krb5_kdc_req *val = p;
457 if (val->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
458 if (val->second_ticket != NULL && val->second_ticket[0] != NULL)
459 h.server_realm = val->second_ticket[0]->server->realm;
461 return ASN1_MISSING_FIELD;
462 } else if (val->server != NULL)
463 h.server_realm = val->server->realm;
465 return ASN1_MISSING_FIELD;
466 return k5_asn1_encode_atype(buf, &h, &k5_atype_kdc_req_body_hack, tag_out,
470 free_kdc_req_body(void *val)
472 krb5_kdc_req *req = val;
473 krb5_free_principal(NULL, req->client);
474 krb5_free_principal(NULL, req->server);
476 krb5_free_addresses(NULL, req->addresses);
477 free(req->authorization_data.ciphertext.data);
478 krb5_free_tickets(NULL, req->second_ticket);
480 static asn1_error_code
481 decode_kdc_req_body(const taginfo *t, const unsigned char *asn1, size_t len,
486 krb5_kdc_req *b = val;
487 memset(&h, 0, sizeof(h));
488 ret = k5_asn1_decode_atype(t, asn1, len, &k5_atype_kdc_req_body_hack, &h);
491 b->kdc_options = h.v.kdc_options;
492 b->client = h.v.client;
493 b->server = h.v.server;
496 b->rtime = h.v.rtime;
497 b->nonce = h.v.nonce;
498 b->ktype = h.v.ktype;
499 b->nktypes = h.v.nktypes;
500 b->addresses = h.v.addresses;
501 b->authorization_data = h.v.authorization_data;
502 b->second_ticket = h.v.second_ticket;
503 if (b->client != NULL && b->server != NULL) {
504 ret = krb5int_copy_data_contents(NULL, &h.server_realm,
507 free_kdc_req_body(b);
508 free(h.server_realm.data);
509 memset(&h, 0, sizeof(h));
512 b->server->realm = h.server_realm;
513 } else if (b->client != NULL)
514 b->client->realm = h.server_realm;
515 else if (b->server != NULL)
516 b->server->realm = h.server_realm;
518 free(h.server_realm.data);
522 check_kdc_req_body(const taginfo *t)
524 return (t->asn1class == UNIVERSAL && t->construction == CONSTRUCTED &&
525 t->tagnum == ASN1_SEQUENCE);
527 DEFFNTYPE(kdc_req_body, krb5_kdc_req, encode_kdc_req_body, decode_kdc_req_body,
528 check_kdc_req_body, free_kdc_req_body);
531 DEFFIELD(transited_0, krb5_transited, tr_type, 0, octet);
532 DEFFIELD(transited_1, krb5_transited, tr_contents, 1, ostring_data);
533 static const struct atype_info *transited_fields[] = {
534 &k5_atype_transited_0, &k5_atype_transited_1
536 DEFSEQTYPE(transited, krb5_transited, transited_fields);
539 is_safe_timestamp_set(const void *p)
541 const krb5_safe *val = p;
542 return (val->timestamp != 0);
544 DEFFIELD(safe_body_0, krb5_safe, user_data, 0, ostring_data);
545 DEFFIELD(safe_body_1, krb5_safe, timestamp, 1, opt_kerberos_time);
546 DEFFIELD(safe_body_2_def, krb5_safe, usec, 2, int32);
547 DEFOPTIONALTYPE(safe_body_2, is_safe_timestamp_set, NULL, safe_body_2_def);
548 DEFFIELD(safe_body_3, krb5_safe, seq_number, 3, opt_seqno);
549 DEFFIELD(safe_body_4, krb5_safe, s_address, 4, address_ptr);
550 DEFFIELD(safe_body_5, krb5_safe, r_address, 5, opt_address_ptr);
551 static const struct atype_info *safe_body_fields[] = {
552 &k5_atype_safe_body_0, &k5_atype_safe_body_1, &k5_atype_safe_body_2,
553 &k5_atype_safe_body_3, &k5_atype_safe_body_4, &k5_atype_safe_body_5
555 DEFSEQTYPE(safe_body, krb5_safe, safe_body_fields);
557 DEFFIELD(cred_info_0, krb5_cred_info, session, 0, ptr_encryption_key);
558 DEFFIELD(cred_info_1, krb5_cred_info, client, 1, opt_realm_of_principal);
559 DEFFIELD(cred_info_2, krb5_cred_info, client, 2, opt_principal);
560 DEFFIELD(cred_info_3, krb5_cred_info, flags, 3, opt_krb5_flags);
561 DEFFIELD(cred_info_4, krb5_cred_info, times.authtime, 4, opt_kerberos_time);
562 DEFFIELD(cred_info_5, krb5_cred_info, times.starttime, 5, opt_kerberos_time);
563 DEFFIELD(cred_info_6, krb5_cred_info, times.endtime, 6, opt_kerberos_time);
564 DEFFIELD(cred_info_7, krb5_cred_info, times.renew_till, 7, opt_kerberos_time);
565 DEFFIELD(cred_info_8, krb5_cred_info, server, 8, opt_realm_of_principal);
566 DEFFIELD(cred_info_9, krb5_cred_info, server, 9, opt_principal);
567 DEFFIELD(cred_info_10, krb5_cred_info, caddrs, 10,
568 opt_ptr_seqof_host_addresses);
569 static const struct atype_info *krb_cred_info_fields[] = {
570 &k5_atype_cred_info_0, &k5_atype_cred_info_1, &k5_atype_cred_info_2,
571 &k5_atype_cred_info_3, &k5_atype_cred_info_4, &k5_atype_cred_info_5,
572 &k5_atype_cred_info_6, &k5_atype_cred_info_7, &k5_atype_cred_info_8,
573 &k5_atype_cred_info_9, &k5_atype_cred_info_10
575 DEFSEQTYPE(cred_info, krb5_cred_info, krb_cred_info_fields);
576 DEFPTRTYPE(cred_info_ptr, cred_info);
577 DEFNULLTERMSEQOFTYPE(seqof_cred_info, cred_info_ptr);
579 DEFPTRTYPE(ptrseqof_cred_info, seqof_cred_info);
582 is_salt_present(const void *p)
584 const krb5_etype_info_entry *val = p;
585 return (val->length != KRB5_ETYPE_NO_SALT);
588 init_no_salt(void *p)
590 krb5_etype_info_entry *val = p;
591 val->length = KRB5_ETYPE_NO_SALT;
593 DEFFIELD(etype_info_0, krb5_etype_info_entry, etype, 0, int32);
594 DEFCNFIELD(etype_info_1_def, krb5_etype_info_entry, salt, length, 1,
596 DEFOPTIONALTYPE(etype_info_1, is_salt_present, init_no_salt, etype_info_1_def);
597 static const struct atype_info *etype_info_entry_fields[] = {
598 &k5_atype_etype_info_0, &k5_atype_etype_info_1
600 DEFSEQTYPE(etype_info_entry, krb5_etype_info_entry, etype_info_entry_fields);
602 /* First field is the same as etype-info. */
603 DEFCNFIELD(etype_info2_1_def, krb5_etype_info_entry, salt, length, 1,
605 DEFOPTIONALTYPE(etype_info2_1, is_salt_present, init_no_salt,
607 DEFFIELD(etype_info2_2, krb5_etype_info_entry, s2kparams, 2, opt_ostring_data);
608 static const struct atype_info *etype_info2_entry_fields[] = {
609 &k5_atype_etype_info_0, &k5_atype_etype_info2_1, &k5_atype_etype_info2_2
611 DEFSEQTYPE(etype_info2_entry, krb5_etype_info_entry, etype_info2_entry_fields);
613 DEFPTRTYPE(etype_info_entry_ptr, etype_info_entry);
614 DEFNULLTERMSEQOFTYPE(etype_info, etype_info_entry_ptr);
616 DEFPTRTYPE(etype_info2_entry_ptr, etype_info2_entry);
617 DEFNULLTERMSEQOFTYPE(etype_info2, etype_info2_entry_ptr);
619 DEFFIELD(sch_0, krb5_sam_challenge_2, sam_challenge_2_body, 0, der_data);
620 DEFFIELD(sch_1, krb5_sam_challenge_2, sam_cksum, 1, ptr_seqof_checksum);
621 static const struct atype_info *sam_challenge_2_fields[] = {
622 &k5_atype_sch_0, &k5_atype_sch_1
624 DEFSEQTYPE(sam_challenge_2, krb5_sam_challenge_2, sam_challenge_2_fields);
626 DEFFIELD(schb_0, krb5_sam_challenge_2_body, sam_type, 0, int32);
627 DEFFIELD(schb_1, krb5_sam_challenge_2_body, sam_flags, 1, krb5_flags);
628 DEFFIELD(schb_2, krb5_sam_challenge_2_body, sam_type_name, 2,
630 DEFFIELD(schb_3, krb5_sam_challenge_2_body, sam_track_id, 3, opt_ostring_data);
631 DEFFIELD(schb_4, krb5_sam_challenge_2_body, sam_challenge_label, 4,
633 DEFFIELD(schb_5, krb5_sam_challenge_2_body, sam_challenge, 5,
635 DEFFIELD(schb_6, krb5_sam_challenge_2_body, sam_response_prompt, 6,
637 DEFFIELD(schb_7, krb5_sam_challenge_2_body, sam_pk_for_sad, 7,
639 DEFFIELD(schb_8, krb5_sam_challenge_2_body, sam_nonce, 8, int32);
640 DEFFIELD(schb_9, krb5_sam_challenge_2_body, sam_etype, 9, int32);
641 static const struct atype_info *sam_challenge_2_body_fields[] = {
642 &k5_atype_schb_0, &k5_atype_schb_1, &k5_atype_schb_2, &k5_atype_schb_3,
643 &k5_atype_schb_4, &k5_atype_schb_5, &k5_atype_schb_6, &k5_atype_schb_7,
644 &k5_atype_schb_8, &k5_atype_schb_9
646 DEFSEQTYPE(sam_challenge_2_body,krb5_sam_challenge_2_body,
647 sam_challenge_2_body_fields);
649 DEFFIELD(esre_0, krb5_enc_sam_response_enc_2, sam_nonce, 0, int32);
650 DEFFIELD(esre_1, krb5_enc_sam_response_enc_2, sam_sad, 1, opt_ostring_data);
651 static const struct atype_info *enc_sam_response_enc_2_fields[] = {
652 &k5_atype_esre_0, &k5_atype_esre_1
654 DEFSEQTYPE(enc_sam_response_enc_2, krb5_enc_sam_response_enc_2,
655 enc_sam_response_enc_2_fields);
657 DEFFIELD(sam_resp_0, krb5_sam_response_2, sam_type, 0, int32);
658 DEFFIELD(sam_resp_1, krb5_sam_response_2, sam_flags, 1, krb5_flags);
659 DEFFIELD(sam_resp_2, krb5_sam_response_2, sam_track_id, 2, opt_ostring_data);
660 DEFFIELD(sam_resp_3, krb5_sam_response_2, sam_enc_nonce_or_sad, 3,
662 DEFFIELD(sam_resp_4, krb5_sam_response_2, sam_nonce, 4, int32);
663 static const struct atype_info *sam_response_2_fields[] = {
664 &k5_atype_sam_resp_0, &k5_atype_sam_resp_1, &k5_atype_sam_resp_2,
665 &k5_atype_sam_resp_3, &k5_atype_sam_resp_4
667 DEFSEQTYPE(sam_response_2, krb5_sam_response_2, sam_response_2_fields);
669 DEFCTAGGEDTYPE(authenticator_0, 0, krb5_version);
670 DEFFIELD(authenticator_1, krb5_authenticator, client, 1, realm_of_principal);
671 DEFFIELD(authenticator_2, krb5_authenticator, client, 2, principal);
672 DEFFIELD(authenticator_3, krb5_authenticator, checksum, 3, opt_checksum_ptr);
673 DEFFIELD(authenticator_4, krb5_authenticator, cusec, 4, int32);
674 DEFFIELD(authenticator_5, krb5_authenticator, ctime, 5, kerberos_time);
675 DEFFIELD(authenticator_6, krb5_authenticator, subkey, 6,
676 opt_ptr_encryption_key);
677 DEFFIELD(authenticator_7, krb5_authenticator, seq_number, 7, opt_seqno);
678 DEFFIELD(authenticator_8, krb5_authenticator, authorization_data, 8,
680 static const struct atype_info *authenticator_fields[] = {
681 &k5_atype_authenticator_0, &k5_atype_authenticator_1,
682 &k5_atype_authenticator_2, &k5_atype_authenticator_3,
683 &k5_atype_authenticator_4, &k5_atype_authenticator_5,
684 &k5_atype_authenticator_6, &k5_atype_authenticator_7,
685 &k5_atype_authenticator_8
687 DEFSEQTYPE(untagged_authenticator, krb5_authenticator, authenticator_fields);
688 DEFAPPTAGGEDTYPE(authenticator, 2, untagged_authenticator);
691 is_enc_tkt_start_set(const void *p)
693 const krb5_enc_tkt_part *val = p;
694 return (val->times.starttime != 0);
697 init_enc_tkt_start(void *p)
699 krb5_enc_tkt_part *val = p;
700 val->times.starttime = val->times.authtime;
702 DEFFIELD(enc_tkt_0, krb5_enc_tkt_part, flags, 0, krb5_flags);
703 DEFFIELD(enc_tkt_1, krb5_enc_tkt_part, session, 1, ptr_encryption_key);
704 DEFFIELD(enc_tkt_2, krb5_enc_tkt_part, client, 2, realm_of_principal);
705 DEFFIELD(enc_tkt_3, krb5_enc_tkt_part, client, 3, principal);
706 DEFFIELD(enc_tkt_4, krb5_enc_tkt_part, transited, 4, transited);
707 DEFFIELD(enc_tkt_5, krb5_enc_tkt_part, times.authtime, 5, kerberos_time);
708 DEFFIELD(enc_tkt_6_def, krb5_enc_tkt_part, times.starttime, 6, kerberos_time);
709 DEFOPTIONALTYPE(enc_tkt_6, is_enc_tkt_start_set, init_enc_tkt_start,
711 DEFFIELD(enc_tkt_7, krb5_enc_tkt_part, times.endtime, 7, kerberos_time);
712 DEFFIELD(enc_tkt_8, krb5_enc_tkt_part, times.renew_till, 8, opt_kerberos_time);
713 DEFFIELD(enc_tkt_9, krb5_enc_tkt_part, caddrs, 9,
714 opt_ptr_seqof_host_addresses);
715 DEFFIELD(enc_tkt_10, krb5_enc_tkt_part, authorization_data, 10,
717 static const struct atype_info *enc_tkt_part_fields[] = {
718 &k5_atype_enc_tkt_0, &k5_atype_enc_tkt_1, &k5_atype_enc_tkt_2,
719 &k5_atype_enc_tkt_3, &k5_atype_enc_tkt_4, &k5_atype_enc_tkt_5,
720 &k5_atype_enc_tkt_6, &k5_atype_enc_tkt_7, &k5_atype_enc_tkt_8,
721 &k5_atype_enc_tkt_9, &k5_atype_enc_tkt_10
723 DEFSEQTYPE(untagged_enc_tkt_part, krb5_enc_tkt_part, enc_tkt_part_fields);
724 DEFAPPTAGGEDTYPE(enc_tkt_part, 3, untagged_enc_tkt_part);
726 DEFAPPTAGGEDTYPE(enc_as_rep_part, 25, enc_kdc_rep_part);
727 DEFAPPTAGGEDTYPE(enc_tgs_rep_part, 26, enc_kdc_rep_part);
729 DEFCTAGGEDTYPE(kdc_rep_0, 0, krb5_version);
730 DEFFIELD(kdc_rep_1, krb5_kdc_rep, msg_type, 1, uint);
731 DEFFIELD(kdc_rep_2, krb5_kdc_rep, padata, 2, opt_ptr_seqof_pa_data);
732 DEFFIELD(kdc_rep_3, krb5_kdc_rep, client, 3, realm_of_principal);
733 DEFFIELD(kdc_rep_4, krb5_kdc_rep, client, 4, principal);
734 DEFFIELD(kdc_rep_5, krb5_kdc_rep, ticket, 5, ticket_ptr);
735 DEFFIELD(kdc_rep_6, krb5_kdc_rep, enc_part, 6, encrypted_data);
736 static const struct atype_info *kdc_rep_fields[] = {
737 &k5_atype_kdc_rep_0, &k5_atype_kdc_rep_1, &k5_atype_kdc_rep_2,
738 &k5_atype_kdc_rep_3, &k5_atype_kdc_rep_4, &k5_atype_kdc_rep_5,
741 DEFSEQTYPE(kdc_rep, krb5_kdc_rep, kdc_rep_fields);
742 DEFAPPTAGGEDTYPE(as_rep, 11, kdc_rep);
743 DEFAPPTAGGEDTYPE(tgs_rep, 13, kdc_rep);
745 DEFINT_IMMEDIATE(ap_req_msg_type, ASN1_KRB_AP_REQ, 0);
746 DEFCTAGGEDTYPE(ap_req_0, 0, krb5_version);
747 DEFCTAGGEDTYPE(ap_req_1, 1, ap_req_msg_type);
748 DEFFIELD(ap_req_2, krb5_ap_req, ap_options, 2, krb5_flags);
749 DEFFIELD(ap_req_3, krb5_ap_req, ticket, 3, ticket_ptr);
750 DEFFIELD(ap_req_4, krb5_ap_req, authenticator, 4, encrypted_data);
751 static const struct atype_info *ap_req_fields[] = {
752 &k5_atype_ap_req_0, &k5_atype_ap_req_1, &k5_atype_ap_req_2,
753 &k5_atype_ap_req_3, &k5_atype_ap_req_4
755 DEFSEQTYPE(untagged_ap_req, krb5_ap_req, ap_req_fields);
756 DEFAPPTAGGEDTYPE(ap_req, 14, untagged_ap_req);
758 DEFINT_IMMEDIATE(ap_rep_msg_type, ASN1_KRB_AP_REP, 0);
759 DEFCTAGGEDTYPE(ap_rep_0, 0, krb5_version);
760 DEFCTAGGEDTYPE(ap_rep_1, 1, ap_rep_msg_type);
761 DEFFIELD(ap_rep_2, krb5_ap_rep, enc_part, 2, encrypted_data);
762 static const struct atype_info *ap_rep_fields[] = {
763 &k5_atype_ap_rep_0, &k5_atype_ap_rep_1, &k5_atype_ap_rep_2
765 DEFSEQTYPE(untagged_ap_rep, krb5_ap_rep, ap_rep_fields);
766 DEFAPPTAGGEDTYPE(ap_rep, 15, untagged_ap_rep);
768 DEFFIELD(ap_rep_enc_part_0, krb5_ap_rep_enc_part, ctime, 0, kerberos_time);
769 DEFFIELD(ap_rep_enc_part_1, krb5_ap_rep_enc_part, cusec, 1, int32);
770 DEFFIELD(ap_rep_enc_part_2, krb5_ap_rep_enc_part, subkey, 2,
771 opt_ptr_encryption_key);
772 DEFFIELD(ap_rep_enc_part_3, krb5_ap_rep_enc_part, seq_number, 3, opt_seqno);
773 static const struct atype_info *ap_rep_enc_part_fields[] = {
774 &k5_atype_ap_rep_enc_part_0, &k5_atype_ap_rep_enc_part_1,
775 &k5_atype_ap_rep_enc_part_2, &k5_atype_ap_rep_enc_part_3
777 DEFSEQTYPE(untagged_ap_rep_enc_part, krb5_ap_rep_enc_part,
778 ap_rep_enc_part_fields);
779 DEFAPPTAGGEDTYPE(ap_rep_enc_part, 27, untagged_ap_rep_enc_part);
781 /* First context tag is 1. Fourth field is the encoding of the krb5_kdc_req
782 * structure as a KDC-REQ-BODY. */
783 DEFCTAGGEDTYPE(kdc_req_1, 1, krb5_version);
784 DEFFIELD(kdc_req_2, krb5_kdc_req, msg_type, 2, uint);
785 DEFFIELD(kdc_req_3, krb5_kdc_req, padata, 3, opt_ptr_seqof_pa_data);
786 DEFCTAGGEDTYPE(kdc_req_4, 4, kdc_req_body);
787 static const struct atype_info *kdc_req_fields[] = {
788 &k5_atype_kdc_req_1, &k5_atype_kdc_req_2, &k5_atype_kdc_req_3,
791 DEFSEQTYPE(kdc_req, krb5_kdc_req, kdc_req_fields);
792 DEFAPPTAGGEDTYPE(as_req, 10, kdc_req);
793 DEFAPPTAGGEDTYPE(tgs_req, 12, kdc_req);
795 /* This is only needed because libkrb5 doesn't set msg_type when encoding
796 * krb5_kdc_reqs. If we fix that, we can use the above types for encoding. */
797 DEFINT_IMMEDIATE(as_req_msg_type, KRB5_AS_REQ, 0);
798 DEFCTAGGEDTYPE(as_req_2, 2, as_req_msg_type);
799 DEFINT_IMMEDIATE(tgs_req_msg_type, KRB5_TGS_REQ, 0);
800 DEFCTAGGEDTYPE(tgs_req_2, 2, tgs_req_msg_type);
801 static const struct atype_info *as_req_fields[] = {
802 &k5_atype_kdc_req_1, &k5_atype_as_req_2, &k5_atype_kdc_req_3,
805 static const struct atype_info *tgs_req_fields[] = {
806 &k5_atype_kdc_req_1, &k5_atype_tgs_req_2, &k5_atype_kdc_req_3,
809 DEFSEQTYPE(untagged_as_req, krb5_kdc_req, as_req_fields);
810 DEFAPPTAGGEDTYPE(as_req_encode, 10, untagged_as_req);
811 DEFSEQTYPE(untagged_tgs_req, krb5_kdc_req, tgs_req_fields);
812 DEFAPPTAGGEDTYPE(tgs_req_encode, 12, untagged_tgs_req);
814 DEFINT_IMMEDIATE(safe_msg_type, ASN1_KRB_SAFE, 0);
815 DEFCTAGGEDTYPE(safe_0, 0, krb5_version);
816 DEFCTAGGEDTYPE(safe_1, 1, safe_msg_type);
817 DEFCTAGGEDTYPE(safe_2, 2, safe_body);
818 DEFFIELD(safe_3, krb5_safe, checksum, 3, checksum_ptr);
819 static const struct atype_info *safe_fields[] = {
820 &k5_atype_safe_0, &k5_atype_safe_1, &k5_atype_safe_2, &k5_atype_safe_3
822 DEFSEQTYPE(untagged_safe, krb5_safe, safe_fields);
823 DEFAPPTAGGEDTYPE(safe, 20, untagged_safe);
825 /* Hack to encode a KRB-SAFE with a pre-specified body encoding. The integer-
826 * immediate fields are borrowed from krb5_safe_fields above. */
827 DEFPTRTYPE(saved_safe_body_ptr, der_data);
828 DEFOFFSETTYPE(safe_checksum_only, krb5_safe, checksum, checksum_ptr);
829 DEFPTRTYPE(safe_checksum_only_ptr, safe_checksum_only);
830 DEFFIELD(safe_with_body_2, struct krb5_safe_with_body, body, 2,
831 saved_safe_body_ptr);
832 DEFFIELD(safe_with_body_3, struct krb5_safe_with_body, safe, 3,
833 safe_checksum_only_ptr);
834 static const struct atype_info *safe_with_body_fields[] = {
835 &k5_atype_safe_0, &k5_atype_safe_1, &k5_atype_safe_with_body_2,
836 &k5_atype_safe_with_body_3
838 DEFSEQTYPE(untagged_safe_with_body, struct krb5_safe_with_body,
839 safe_with_body_fields);
840 DEFAPPTAGGEDTYPE(safe_with_body, 20, untagged_safe_with_body);
842 /* Third tag is [3] instead of [2]. */
843 DEFINT_IMMEDIATE(priv_msg_type, ASN1_KRB_PRIV, 0);
844 DEFCTAGGEDTYPE(priv_0, 0, krb5_version);
845 DEFCTAGGEDTYPE(priv_1, 1, priv_msg_type);
846 DEFFIELD(priv_3, krb5_priv, enc_part, 3, encrypted_data);
847 static const struct atype_info *priv_fields[] = {
848 &k5_atype_priv_0, &k5_atype_priv_1, &k5_atype_priv_3
850 DEFSEQTYPE(untagged_priv, krb5_priv, priv_fields);
851 DEFAPPTAGGEDTYPE(priv, 21, untagged_priv);
854 is_priv_timestamp_set(const void *p)
856 const krb5_priv_enc_part *val = p;
857 return (val->timestamp != 0);
859 DEFFIELD(priv_enc_part_0, krb5_priv_enc_part, user_data, 0, ostring_data);
860 DEFFIELD(priv_enc_part_1, krb5_priv_enc_part, timestamp, 1, opt_kerberos_time);
861 DEFFIELD(priv_enc_part_2_def, krb5_priv_enc_part, usec, 2, int32);
862 DEFOPTIONALTYPE(priv_enc_part_2, is_priv_timestamp_set, NULL,
863 priv_enc_part_2_def);
864 DEFFIELD(priv_enc_part_3, krb5_priv_enc_part, seq_number, 3, opt_seqno);
865 DEFFIELD(priv_enc_part_4, krb5_priv_enc_part, s_address, 4, address_ptr);
866 DEFFIELD(priv_enc_part_5, krb5_priv_enc_part, r_address, 5, opt_address_ptr);
867 static const struct atype_info *priv_enc_part_fields[] = {
868 &k5_atype_priv_enc_part_0, &k5_atype_priv_enc_part_1,
869 &k5_atype_priv_enc_part_2, &k5_atype_priv_enc_part_3,
870 &k5_atype_priv_enc_part_4, &k5_atype_priv_enc_part_5
872 DEFSEQTYPE(untagged_priv_enc_part, krb5_priv_enc_part, priv_enc_part_fields);
873 DEFAPPTAGGEDTYPE(priv_enc_part, 28, untagged_priv_enc_part);
875 DEFINT_IMMEDIATE(cred_msg_type, ASN1_KRB_CRED, 0);
876 DEFCTAGGEDTYPE(cred_0, 0, krb5_version);
877 DEFCTAGGEDTYPE(cred_1, 1, cred_msg_type);
878 DEFFIELD(cred_2, krb5_cred, tickets, 2, ptr_seqof_ticket);
879 DEFFIELD(cred_3, krb5_cred, enc_part, 3, encrypted_data);
880 static const struct atype_info *cred_fields[] = {
881 &k5_atype_cred_0, &k5_atype_cred_1, &k5_atype_cred_2, &k5_atype_cred_3
883 DEFSEQTYPE(untagged_cred, krb5_cred, cred_fields);
884 DEFAPPTAGGEDTYPE(krb5_cred, 22, untagged_cred);
887 is_cred_timestamp_set(const void *p)
889 const krb5_cred_enc_part *val = p;
890 return (val->timestamp != 0);
892 DEFFIELD(enc_cred_part_0, krb5_cred_enc_part, ticket_info, 0,
894 DEFFIELD(enc_cred_part_1, krb5_cred_enc_part, nonce, 1, opt_int32);
895 DEFFIELD(enc_cred_part_2, krb5_cred_enc_part, timestamp, 2, opt_kerberos_time);
896 DEFFIELD(enc_cred_part_3_def, krb5_cred_enc_part, usec, 3, int32);
897 DEFOPTIONALTYPE(enc_cred_part_3, is_cred_timestamp_set, NULL,
898 enc_cred_part_3_def);
899 DEFFIELD(enc_cred_part_4, krb5_cred_enc_part, s_address, 4, opt_address_ptr);
900 DEFFIELD(enc_cred_part_5, krb5_cred_enc_part, r_address, 5, opt_address_ptr);
901 static const struct atype_info *enc_cred_part_fields[] = {
902 &k5_atype_enc_cred_part_0, &k5_atype_enc_cred_part_1,
903 &k5_atype_enc_cred_part_2, &k5_atype_enc_cred_part_3,
904 &k5_atype_enc_cred_part_4, &k5_atype_enc_cred_part_5
906 DEFSEQTYPE(untagged_enc_cred_part, krb5_cred_enc_part, enc_cred_part_fields);
907 DEFAPPTAGGEDTYPE(enc_cred_part, 29, untagged_enc_cred_part);
909 DEFINT_IMMEDIATE(error_msg_type, ASN1_KRB_ERROR, 0);
910 DEFCTAGGEDTYPE(error_0, 0, krb5_version);
911 DEFCTAGGEDTYPE(error_1, 1, error_msg_type);
912 DEFFIELD(error_2, krb5_error, ctime, 2, opt_kerberos_time);
913 DEFFIELD(error_3, krb5_error, cusec, 3, opt_int32);
914 DEFFIELD(error_4, krb5_error, stime, 4, kerberos_time);
915 DEFFIELD(error_5, krb5_error, susec, 5, int32);
916 DEFFIELD(error_6, krb5_error, error, 6, ui_4);
917 DEFFIELD(error_7, krb5_error, client, 7, opt_realm_of_principal);
918 DEFFIELD(error_8, krb5_error, client, 8, opt_principal);
919 DEFFIELD(error_9, krb5_error, server, 9, realm_of_principal);
920 DEFFIELD(error_10, krb5_error, server, 10, principal);
921 DEFFIELD(error_11, krb5_error, text, 11, opt_gstring_data);
922 DEFFIELD(error_12, krb5_error, e_data, 12, opt_ostring_data);
923 static const struct atype_info *error_fields[] = {
924 &k5_atype_error_0, &k5_atype_error_1, &k5_atype_error_2, &k5_atype_error_3,
925 &k5_atype_error_4, &k5_atype_error_5, &k5_atype_error_6, &k5_atype_error_7,
926 &k5_atype_error_8, &k5_atype_error_9, &k5_atype_error_10,
927 &k5_atype_error_11, &k5_atype_error_12
929 DEFSEQTYPE(untagged_krb5_error, krb5_error, error_fields);
930 DEFAPPTAGGEDTYPE(krb5_error, 30, untagged_krb5_error);
932 DEFFIELD(pa_enc_ts_0, krb5_pa_enc_ts, patimestamp, 0, kerberos_time);
933 DEFFIELD(pa_enc_ts_1, krb5_pa_enc_ts, pausec, 1, opt_int32);
934 static const struct atype_info *pa_enc_ts_fields[] = {
935 &k5_atype_pa_enc_ts_0, &k5_atype_pa_enc_ts_1
937 DEFSEQTYPE(pa_enc_ts, krb5_pa_enc_ts, pa_enc_ts_fields);
939 DEFFIELD(setpw_0, struct krb5_setpw_req, password, 0, ostring_data);
940 DEFFIELD(setpw_1, struct krb5_setpw_req, target, 1, principal);
941 DEFFIELD(setpw_2, struct krb5_setpw_req, target, 2, realm_of_principal);
942 static const struct atype_info *setpw_req_fields[] = {
943 &k5_atype_setpw_0, &k5_atype_setpw_1, &k5_atype_setpw_2
945 DEFSEQTYPE(setpw_req, struct krb5_setpw_req, setpw_req_fields);
947 /* [MS-SFU] Section 2.2.1. */
948 DEFFIELD(pa_for_user_0, krb5_pa_for_user, user, 0, principal);
949 DEFFIELD(pa_for_user_1, krb5_pa_for_user, user, 1, realm_of_principal);
950 DEFFIELD(pa_for_user_2, krb5_pa_for_user, cksum, 2, checksum);
951 DEFFIELD(pa_for_user_3, krb5_pa_for_user, auth_package, 3, gstring_data);
952 static const struct atype_info *pa_for_user_fields[] = {
953 &k5_atype_pa_for_user_0, &k5_atype_pa_for_user_1, &k5_atype_pa_for_user_2,
954 &k5_atype_pa_for_user_3,
956 DEFSEQTYPE(pa_for_user, krb5_pa_for_user, pa_for_user_fields);
958 /* [MS-SFU] Section 2.2.2. */
959 /* The user principal name may be absent, but the realm is required. */
961 is_s4u_principal_present(const void *p)
963 krb5_const_principal val = *(krb5_const_principal *)p;
964 return (val->length != 0);
966 DEFOPTIONALTYPE(opt_s4u_principal, is_s4u_principal_present, NULL, principal);
967 DEFFIELD(s4u_userid_0, krb5_s4u_userid, nonce, 0, int32);
968 DEFFIELD(s4u_userid_1, krb5_s4u_userid, user, 1, opt_s4u_principal);
969 DEFFIELD(s4u_userid_2, krb5_s4u_userid, user, 2, realm_of_principal);
970 DEFFIELD(s4u_userid_3, krb5_s4u_userid, subject_cert, 3, opt_ostring_data);
971 DEFFIELD(s4u_userid_4, krb5_s4u_userid, options, 4, opt_krb5_flags);
972 static const struct atype_info *s4u_userid_fields[] = {
973 &k5_atype_s4u_userid_0, &k5_atype_s4u_userid_1, &k5_atype_s4u_userid_2,
974 &k5_atype_s4u_userid_3, &k5_atype_s4u_userid_4
976 DEFSEQTYPE(s4u_userid, krb5_s4u_userid, s4u_userid_fields);
978 DEFFIELD(pa_s4u_x509_user_0, krb5_pa_s4u_x509_user, user_id, 0, s4u_userid);
979 DEFFIELD(pa_s4u_x509_user_1, krb5_pa_s4u_x509_user, cksum, 1, checksum);
980 static const struct atype_info *pa_s4u_x509_user_fields[] = {
981 &k5_atype_pa_s4u_x509_user_0, &k5_atype_pa_s4u_x509_user_1
983 DEFSEQTYPE(pa_s4u_x509_user, krb5_pa_s4u_x509_user, pa_s4u_x509_user_fields);
985 DEFFIELD(pa_pac_req_0, krb5_pa_pac_req, include_pac, 0, bool);
986 static const struct atype_info *pa_pac_req_fields[] = {
987 &k5_atype_pa_pac_req_0
989 DEFSEQTYPE(pa_pac_req, krb5_pa_pac_req, pa_pac_req_fields);
992 DEFCOUNTEDTYPE(etype_list, krb5_etype_list, etypes, length, cseqof_int32);
994 /* draft-ietf-krb-wg-preauth-framework-09 */
995 DEFFIELD(fast_armor_0, krb5_fast_armor, armor_type, 0, int32);
996 DEFFIELD(fast_armor_1, krb5_fast_armor, armor_value, 1, ostring_data);
997 static const struct atype_info *fast_armor_fields[] = {
998 &k5_atype_fast_armor_0, &k5_atype_fast_armor_1
1000 DEFSEQTYPE(fast_armor, krb5_fast_armor, fast_armor_fields);
1001 DEFPTRTYPE(ptr_fast_armor, fast_armor);
1002 DEFOPTIONALZEROTYPE(opt_ptr_fast_armor, ptr_fast_armor);
1004 DEFFIELD(fast_armored_req_0, krb5_fast_armored_req, armor, 0,
1005 opt_ptr_fast_armor);
1006 DEFFIELD(fast_armored_req_1, krb5_fast_armored_req, req_checksum, 1, checksum);
1007 DEFFIELD(fast_armored_req_2, krb5_fast_armored_req, enc_part, 2,
1009 static const struct atype_info *fast_armored_req_fields[] = {
1010 &k5_atype_fast_armored_req_0, &k5_atype_fast_armored_req_1,
1011 &k5_atype_fast_armored_req_2
1013 DEFSEQTYPE(fast_armored_req, krb5_fast_armored_req, fast_armored_req_fields);
1015 /* This is a CHOICE type with only one choice (so far) and we're not using a
1016 * distinguisher/union for it. */
1017 DEFTAGGEDTYPE(pa_fx_fast_request, CONTEXT_SPECIFIC, CONSTRUCTED, 0, 0,
1020 DEFOFFSETTYPE(fast_req_padata, krb5_kdc_req, padata, ptr_seqof_pa_data);
1021 DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata);
1022 DEFPTRTYPE(ptr_kdc_req_body, kdc_req_body);
1023 DEFFIELD(fast_req_0, krb5_fast_req, fast_options, 0, krb5_flags);
1024 DEFFIELD(fast_req_1, krb5_fast_req, req_body, 1, ptr_fast_req_padata);
1025 DEFFIELD(fast_req_2, krb5_fast_req, req_body, 2, ptr_kdc_req_body);
1026 static const struct atype_info *fast_req_fields[] = {
1027 &k5_atype_fast_req_0, &k5_atype_fast_req_1, &k5_atype_fast_req_2
1029 DEFSEQTYPE(fast_req, krb5_fast_req, fast_req_fields);
1031 DEFFIELD(fast_finished_0, krb5_fast_finished, timestamp, 0, kerberos_time);
1032 DEFFIELD(fast_finished_1, krb5_fast_finished, usec, 1, int32);
1033 DEFFIELD(fast_finished_2, krb5_fast_finished, client, 2, realm_of_principal);
1034 DEFFIELD(fast_finished_3, krb5_fast_finished, client, 3, principal);
1035 DEFFIELD(fast_finished_4, krb5_fast_finished, ticket_checksum, 4, checksum);
1036 static const struct atype_info *fast_finished_fields[] = {
1037 &k5_atype_fast_finished_0, &k5_atype_fast_finished_1,
1038 &k5_atype_fast_finished_2, &k5_atype_fast_finished_3,
1039 &k5_atype_fast_finished_4
1041 DEFSEQTYPE(fast_finished, krb5_fast_finished, fast_finished_fields);
1042 DEFPTRTYPE(ptr_fast_finished, fast_finished);
1043 DEFOPTIONALZEROTYPE(opt_ptr_fast_finished, ptr_fast_finished);
1045 DEFFIELD(fast_response_0, krb5_fast_response, padata, 0, ptr_seqof_pa_data);
1046 DEFFIELD(fast_response_1, krb5_fast_response, strengthen_key, 1,
1047 opt_ptr_encryption_key);
1048 DEFFIELD(fast_response_2, krb5_fast_response, finished, 2,
1049 opt_ptr_fast_finished);
1050 DEFFIELD(fast_response_3, krb5_fast_response, nonce, 3, int32);
1051 static const struct atype_info *fast_response_fields[] = {
1052 &k5_atype_fast_response_0, &k5_atype_fast_response_1,
1053 &k5_atype_fast_response_2, &k5_atype_fast_response_3
1055 DEFSEQTYPE(fast_response, krb5_fast_response, fast_response_fields);
1057 DEFCTAGGEDTYPE(fast_rep_0, 0, encrypted_data);
1058 static const struct atype_info *fast_rep_fields[] = {
1059 &k5_atype_fast_rep_0
1061 DEFSEQTYPE(fast_rep, krb5_enc_data, fast_rep_fields);
1063 /* This is a CHOICE type with only one choice (so far) and we're not using a
1064 * distinguisher/union for it. */
1065 DEFTAGGEDTYPE(pa_fx_fast_reply, CONTEXT_SPECIFIC, CONSTRUCTED, 0, 0,
1068 DEFFIELD(ad_kdcissued_0, krb5_ad_kdcissued, ad_checksum, 0, checksum);
1069 DEFFIELD(ad_kdcissued_1, krb5_ad_kdcissued, i_principal, 1,
1070 opt_realm_of_principal);
1071 DEFFIELD(ad_kdcissued_2, krb5_ad_kdcissued, i_principal, 2, opt_principal);
1072 DEFFIELD(ad_kdcissued_3, krb5_ad_kdcissued, elements, 3, auth_data_ptr);
1073 static const struct atype_info *ad_kdcissued_fields[] = {
1074 &k5_atype_ad_kdcissued_0, &k5_atype_ad_kdcissued_1,
1075 &k5_atype_ad_kdcissued_2, &k5_atype_ad_kdcissued_3
1077 DEFSEQTYPE(ad_kdc_issued, krb5_ad_kdcissued, ad_kdcissued_fields);
1079 DEFCTAGGEDTYPE(princ_plus_realm_0, 0, principal_data);
1080 DEFCTAGGEDTYPE(princ_plus_realm_1, 1, realm_of_principal_data);
1081 static const struct atype_info *princ_plus_realm_fields[] = {
1082 &k5_atype_princ_plus_realm_0, &k5_atype_princ_plus_realm_1
1084 DEFSEQTYPE(princ_plus_realm_data, krb5_principal_data,
1085 princ_plus_realm_fields);
1086 DEFPTRTYPE(princ_plus_realm, princ_plus_realm_data);
1087 DEFNULLTERMSEQOFTYPE(seqof_princ_plus_realm, princ_plus_realm);
1088 DEFPTRTYPE(ptr_seqof_princ_plus_realm, seqof_princ_plus_realm);
1089 DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_princ_plus_realm,
1090 ptr_seqof_princ_plus_realm);
1092 DEFFIELD(spdata_0, krb5_ad_signedpath_data, client, 0, princ_plus_realm);
1093 DEFFIELD(spdata_1, krb5_ad_signedpath_data, authtime, 1, kerberos_time);
1094 DEFFIELD(spdata_2, krb5_ad_signedpath_data, delegated, 2,
1095 opt_ptr_seqof_princ_plus_realm);
1096 DEFFIELD(spdata_3, krb5_ad_signedpath_data, method_data, 3,
1097 opt_ptr_seqof_pa_data);
1098 DEFFIELD(spdata_4, krb5_ad_signedpath_data, authorization_data, 4,
1100 static const struct atype_info *ad_signedpath_data_fields[] = {
1101 &k5_atype_spdata_0, &k5_atype_spdata_1, &k5_atype_spdata_2,
1102 &k5_atype_spdata_3, &k5_atype_spdata_4
1104 DEFSEQTYPE(ad_signedpath_data, krb5_ad_signedpath_data,
1105 ad_signedpath_data_fields);
1107 DEFFIELD(signedpath_0, krb5_ad_signedpath, enctype, 0, int32);
1108 DEFFIELD(signedpath_1, krb5_ad_signedpath, checksum, 1, checksum);
1109 DEFFIELD(signedpath_2, krb5_ad_signedpath, delegated, 2,
1110 opt_ptr_seqof_princ_plus_realm);
1111 DEFFIELD(signedpath_3, krb5_ad_signedpath, method_data, 3,
1112 opt_ptr_seqof_pa_data);
1113 static const struct atype_info *ad_signedpath_fields[] = {
1114 &k5_atype_signedpath_0, &k5_atype_signedpath_1, &k5_atype_signedpath_2,
1115 &k5_atype_signedpath_3
1117 DEFSEQTYPE(ad_signedpath, krb5_ad_signedpath, ad_signedpath_fields);
1119 /* First context tag is 1, not 0. */
1120 DEFFIELD(iakerb_header_1, krb5_iakerb_header, target_realm, 1, ostring_data);
1121 DEFFIELD(iakerb_header_2, krb5_iakerb_header, cookie, 2, opt_ostring_data_ptr);
1122 static const struct atype_info *iakerb_header_fields[] = {
1123 &k5_atype_iakerb_header_1, &k5_atype_iakerb_header_2
1125 DEFSEQTYPE(iakerb_header, krb5_iakerb_header, iakerb_header_fields);
1127 /* First context tag is 1, not 0. */
1128 DEFFIELD(iakerb_finished_0, krb5_iakerb_finished, checksum, 1, checksum);
1129 static const struct atype_info *iakerb_finished_fields[] = {
1130 &k5_atype_iakerb_finished_0
1132 DEFSEQTYPE(iakerb_finished, krb5_iakerb_finished, iakerb_finished_fields);
1134 /* Exported complete encoders -- these produce a krb5_data with
1135 the encoding in the correct byte order. */
1137 MAKE_CODEC(krb5_authenticator, authenticator);
1138 MAKE_CODEC(krb5_ticket, ticket);
1139 MAKE_CODEC(krb5_encryption_key, encryption_key);
1140 MAKE_CODEC(krb5_enc_tkt_part, enc_tkt_part);
1142 krb5_error_code KRB5_CALLCONV
1143 krb5_decode_ticket(const krb5_data *code, krb5_ticket **repptr)
1145 return decode_krb5_ticket(code, repptr);
1149 * For backwards compatibility, we encode both EncASRepPart and EncTGSRepPart
1150 * with application tag 26. On decode, we accept either app tag and set the
1151 * msg_type field of the resulting structure. This could be simplified and
1152 * pushed up into libkrb5.
1154 MAKE_ENCODER(encode_krb5_enc_kdc_rep_part, enc_tgs_rep_part);
1156 decode_krb5_enc_kdc_rep_part(const krb5_data *code,
1157 krb5_enc_kdc_rep_part **rep_out)
1159 asn1_error_code ret;
1160 krb5_enc_kdc_rep_part *rep;
1162 krb5_msgtype msg_type = KRB5_TGS_REP;
1165 ret = k5_asn1_full_decode(code, &k5_atype_enc_tgs_rep_part, &rep_ptr);
1166 if (ret == ASN1_BAD_ID) {
1167 msg_type = KRB5_AS_REP;
1168 ret = k5_asn1_full_decode(code, &k5_atype_enc_as_rep_part, &rep_ptr);
1173 rep->msg_type = msg_type;
1178 MAKE_CODEC(krb5_as_rep, as_rep);
1179 MAKE_CODEC(krb5_tgs_rep, tgs_rep);
1180 MAKE_CODEC(krb5_ap_req, ap_req);
1181 MAKE_CODEC(krb5_ap_rep, ap_rep);
1182 MAKE_CODEC(krb5_ap_rep_enc_part, ap_rep_enc_part);
1183 MAKE_ENCODER(encode_krb5_as_req, as_req_encode);
1184 MAKE_DECODER(decode_krb5_as_req, as_req);
1185 MAKE_ENCODER(encode_krb5_tgs_req, tgs_req_encode);
1186 MAKE_DECODER(decode_krb5_tgs_req, tgs_req);
1187 MAKE_CODEC(krb5_kdc_req_body, kdc_req_body);
1188 MAKE_CODEC(krb5_safe, safe);
1190 /* encode_krb5_safe_with_body takes a saved KRB-SAFE-BODY encoding to avoid
1191 * mismatches from re-encoding if the sender isn't quite DER-compliant. */
1192 MAKE_ENCODER(encode_krb5_safe_with_body, safe_with_body);
1195 * decode_krb5_safe_with_body fully decodes a KRB-SAFE, but also returns
1196 * the KRB-SAFE-BODY encoding. This interface was designed for an earlier
1197 * generation of decoder and should probably be re-thought.
1200 decode_krb5_safe_with_body(const krb5_data *code, krb5_safe **rep_out,
1201 krb5_data **body_out)
1203 asn1_error_code ret;
1204 void *swb_ptr, *safe_ptr;
1205 struct krb5_safe_with_body *swb;
1208 ret = k5_asn1_full_decode(code, &k5_atype_safe_with_body, &swb_ptr);
1212 ret = k5_asn1_full_decode(swb->body, &k5_atype_safe_body, &safe_ptr);
1214 krb5_free_safe(NULL, swb->safe);
1215 krb5_free_data(NULL, swb->body);
1220 safe->checksum = swb->safe->checksum;
1223 *body_out = swb->body;
1228 MAKE_CODEC(krb5_priv, priv);
1229 MAKE_CODEC(krb5_enc_priv_part, priv_enc_part);
1230 MAKE_CODEC(krb5_checksum, checksum);
1232 MAKE_CODEC(krb5_cred, krb5_cred);
1233 MAKE_CODEC(krb5_enc_cred_part, enc_cred_part);
1234 MAKE_CODEC(krb5_error, krb5_error);
1235 MAKE_CODEC(krb5_authdata, auth_data);
1236 MAKE_CODEC(krb5_etype_info, etype_info);
1237 MAKE_CODEC(krb5_etype_info2, etype_info2);
1238 MAKE_CODEC(krb5_enc_data, encrypted_data);
1239 MAKE_CODEC(krb5_pa_enc_ts, pa_enc_ts);
1240 MAKE_CODEC(krb5_padata_sequence, seqof_pa_data);
1241 /* sam preauth additions */
1242 MAKE_CODEC(krb5_sam_challenge_2, sam_challenge_2);
1243 MAKE_CODEC(krb5_sam_challenge_2_body, sam_challenge_2_body);
1244 MAKE_CODEC(krb5_enc_sam_response_enc_2, enc_sam_response_enc_2);
1245 MAKE_CODEC(krb5_sam_response_2, sam_response_2);
1247 /* setpw_req has an odd decoder interface which should probably be
1249 MAKE_ENCODER(encode_krb5_setpw_req, setpw_req);
1251 decode_krb5_setpw_req(const krb5_data *code, krb5_data **password_out,
1252 krb5_principal *target_out)
1254 asn1_error_code ret;
1256 struct krb5_setpw_req *req;
1259 *password_out = NULL;
1261 data = malloc(sizeof(*data));
1264 ret = k5_asn1_full_decode(code, &k5_atype_setpw_req, &req_ptr);
1270 *data = req->password;
1271 *password_out = data;
1272 *target_out = req->target;
1276 MAKE_CODEC(krb5_pa_for_user, pa_for_user);
1277 MAKE_ENCODER(encode_krb5_s4u_userid, s4u_userid);
1278 MAKE_CODEC(krb5_pa_s4u_x509_user, pa_s4u_x509_user);
1279 MAKE_DECODER(decode_krb5_pa_pac_req, pa_pac_req);
1280 MAKE_CODEC(krb5_etype_list, etype_list);
1282 MAKE_CODEC(krb5_pa_fx_fast_request, pa_fx_fast_request);
1283 MAKE_CODEC(krb5_fast_req, fast_req);
1284 MAKE_CODEC(krb5_pa_fx_fast_reply, pa_fx_fast_reply);
1285 MAKE_CODEC(krb5_fast_response, fast_response);
1287 MAKE_CODEC(krb5_ad_kdcissued, ad_kdc_issued);
1288 MAKE_ENCODER(encode_krb5_ad_signedpath_data, ad_signedpath_data);
1289 MAKE_CODEC(krb5_ad_signedpath, ad_signedpath);
1290 MAKE_CODEC(krb5_iakerb_header, iakerb_header);
1291 MAKE_CODEC(krb5_iakerb_finished, iakerb_finished);
1293 krb5_error_code KRB5_CALLCONV
1294 krb5int_get_authdata_containee_types(krb5_context context,
1295 const krb5_authdata *authdata,
1296 unsigned int *num_out,
1297 krb5_authdatatype **types_out)
1299 asn1_error_code ret;
1300 struct authdata_types *atypes;
1302 krb5_data d = make_data(authdata->contents, authdata->length);
1304 ret = k5_asn1_full_decode(&d, &k5_atype_authdata_types, &atypes_ptr);
1307 atypes = atypes_ptr;
1308 *num_out = atypes->ntypes;
1309 *types_out = atypes->types;
1318 #ifndef DISABLE_PKINIT
1320 DEFCOUNTEDSTRINGTYPE(object_identifier, char *, unsigned int,
1321 k5_asn1_encode_bytestring, k5_asn1_decode_bytestring,
1322 ASN1_OBJECTIDENTIFIER);
1323 DEFCOUNTEDTYPE(oid_data, krb5_data, data, length, object_identifier);
1324 DEFPTRTYPE(oid_data_ptr, oid_data);
1326 /* RFC 3280. No context tags. */
1327 DEFOFFSETTYPE(algid_0, krb5_algorithm_identifier, algorithm, oid_data);
1328 DEFOFFSETTYPE(algid_1, krb5_algorithm_identifier, parameters, opt_der_data);
1329 static const struct atype_info *algorithm_identifier_fields[] = {
1330 &k5_atype_algid_0, &k5_atype_algid_1
1332 DEFSEQTYPE(algorithm_identifier, krb5_algorithm_identifier,
1333 algorithm_identifier_fields);
1334 DEFPTRTYPE(algorithm_identifier_ptr, algorithm_identifier);
1336 DEFCTAGGEDTYPE(kdf_alg_id_0, 0, oid_data);
1337 static const struct atype_info *kdf_alg_id_fields[] = {
1338 &k5_atype_kdf_alg_id_0
1340 DEFSEQTYPE(kdf_alg_id, krb5_data, kdf_alg_id_fields);
1341 DEFPTRTYPE(ptr_kdf_alg_id, kdf_alg_id);
1342 DEFNONEMPTYNULLTERMSEQOFTYPE(supported_kdfs, ptr_kdf_alg_id);
1343 DEFPTRTYPE(ptr_supported_kdfs, supported_kdfs);
1344 DEFOPTIONALZEROTYPE(opt_ptr_kdf_alg_id, ptr_kdf_alg_id);
1345 DEFOPTIONALZEROTYPE(opt_ptr_supported_kdfs, ptr_supported_kdfs);
1347 /* KRB5PrincipalName from RFC 4556 (*not* PrincipalName from RFC 4120) */
1348 DEFCTAGGEDTYPE(pkinit_princ_0, 0, realm_of_principal_data);
1349 DEFCTAGGEDTYPE(pkinit_princ_1, 1, principal_data);
1350 static const struct atype_info *pkinit_krb5_principal_name_fields[] = {
1351 &k5_atype_pkinit_princ_0, &k5_atype_pkinit_princ_1
1353 DEFSEQTYPE(pkinit_krb5_principal_name_data, krb5_principal_data,
1354 pkinit_krb5_principal_name_fields);
1355 DEFPTRTYPE(pkinit_krb5_principal_name, pkinit_krb5_principal_name_data);
1357 /* SP80056A OtherInfo, for pkinit agility. No context tag on first field. */
1358 DEFTAGGEDTYPE(pkinit_krb5_principal_name_wrapped, UNIVERSAL, PRIMITIVE,
1359 ASN1_OCTETSTRING, 0, pkinit_krb5_principal_name);
1360 DEFOFFSETTYPE(oinfo_notag, krb5_sp80056a_other_info, algorithm_identifier,
1361 algorithm_identifier);
1362 DEFFIELD(oinfo_0, krb5_sp80056a_other_info, party_u_info, 0,
1363 pkinit_krb5_principal_name_wrapped);
1364 DEFFIELD(oinfo_1, krb5_sp80056a_other_info, party_v_info, 1,
1365 pkinit_krb5_principal_name_wrapped);
1366 DEFFIELD(oinfo_2, krb5_sp80056a_other_info, supp_pub_info, 2, ostring_data);
1367 static const struct atype_info *sp80056a_other_info_fields[] = {
1368 &k5_atype_oinfo_notag, &k5_atype_oinfo_0, &k5_atype_oinfo_1,
1371 DEFSEQTYPE(sp80056a_other_info, krb5_sp80056a_other_info,
1372 sp80056a_other_info_fields);
1374 /* For PkinitSuppPubInfo, for pkinit agility */
1375 DEFFIELD(supp_pub_0, krb5_pkinit_supp_pub_info, enctype, 0, int32);
1376 DEFFIELD(supp_pub_1, krb5_pkinit_supp_pub_info, as_req, 1, ostring_data);
1377 DEFFIELD(supp_pub_2, krb5_pkinit_supp_pub_info, pk_as_rep, 2, ostring_data);
1378 static const struct atype_info *pkinit_supp_pub_info_fields[] = {
1379 &k5_atype_supp_pub_0, &k5_atype_supp_pub_1, &k5_atype_supp_pub_2
1381 DEFSEQTYPE(pkinit_supp_pub_info, krb5_pkinit_supp_pub_info,
1382 pkinit_supp_pub_info_fields);
1384 MAKE_ENCODER(encode_krb5_pkinit_supp_pub_info, pkinit_supp_pub_info);
1385 MAKE_ENCODER(encode_krb5_sp80056a_other_info, sp80056a_other_info);
1387 /* A krb5_checksum encoded as an OCTET STRING, for PKAuthenticator. */
1388 DEFCOUNTEDTYPE(ostring_checksum, krb5_checksum, contents, length, octetstring);
1390 DEFFIELD(pk_authenticator_0, krb5_pk_authenticator, cusec, 0, int32);
1391 DEFFIELD(pk_authenticator_1, krb5_pk_authenticator, ctime, 1, kerberos_time);
1392 DEFFIELD(pk_authenticator_2, krb5_pk_authenticator, nonce, 2, int32);
1393 DEFFIELD(pk_authenticator_3, krb5_pk_authenticator, paChecksum, 3,
1395 static const struct atype_info *pk_authenticator_fields[] = {
1396 &k5_atype_pk_authenticator_0, &k5_atype_pk_authenticator_1,
1397 &k5_atype_pk_authenticator_2, &k5_atype_pk_authenticator_3
1399 DEFSEQTYPE(pk_authenticator, krb5_pk_authenticator, pk_authenticator_fields);
1401 DEFFIELD(pkauth9_0, krb5_pk_authenticator_draft9, kdcName, 0, principal);
1402 DEFFIELD(pkauth9_1, krb5_pk_authenticator_draft9, kdcName, 1,
1403 realm_of_principal);
1404 DEFFIELD(pkauth9_2, krb5_pk_authenticator_draft9, cusec, 2, int32);
1405 DEFFIELD(pkauth9_3, krb5_pk_authenticator_draft9, ctime, 3, kerberos_time);
1406 DEFFIELD(pkauth9_4, krb5_pk_authenticator_draft9, nonce, 4, int32);
1407 static const struct atype_info *pk_authenticator_draft9_fields[] = {
1408 &k5_atype_pkauth9_0, &k5_atype_pkauth9_1, &k5_atype_pkauth9_2,
1409 &k5_atype_pkauth9_3, &k5_atype_pkauth9_4
1411 DEFSEQTYPE(pk_authenticator_draft9, krb5_pk_authenticator_draft9,
1412 pk_authenticator_draft9_fields);
1414 DEFCOUNTEDSTRINGTYPE(s_bitstring, char *, unsigned int,
1415 k5_asn1_encode_bitstring, k5_asn1_decode_bitstring,
1417 DEFCOUNTEDTYPE(bitstring_data, krb5_data, data, length, s_bitstring);
1419 /* RFC 3280. No context tags. */
1420 DEFOFFSETTYPE(spki_0, krb5_subject_pk_info, algorithm, algorithm_identifier);
1421 DEFOFFSETTYPE(spki_1, krb5_subject_pk_info, subjectPublicKey, bitstring_data);
1422 static const struct atype_info *subject_pk_info_fields[] = {
1423 &k5_atype_spki_0, &k5_atype_spki_1
1425 DEFSEQTYPE(subject_pk_info, krb5_subject_pk_info, subject_pk_info_fields);
1426 DEFPTRTYPE(subject_pk_info_ptr, subject_pk_info);
1427 DEFOPTIONALZEROTYPE(opt_subject_pk_info_ptr, subject_pk_info_ptr);
1429 DEFNULLTERMSEQOFTYPE(seqof_algorithm_identifier, algorithm_identifier_ptr);
1430 DEFPTRTYPE(ptr_seqof_algorithm_identifier, seqof_algorithm_identifier);
1431 DEFOPTIONALZEROTYPE(opt_ptr_seqof_algorithm_identifier,
1432 ptr_seqof_algorithm_identifier);
1433 DEFFIELD(auth_pack_0, krb5_auth_pack, pkAuthenticator, 0, pk_authenticator);
1434 DEFFIELD(auth_pack_1, krb5_auth_pack, clientPublicValue, 1,
1435 opt_subject_pk_info_ptr);
1436 DEFFIELD(auth_pack_2, krb5_auth_pack, supportedCMSTypes, 2,
1437 opt_ptr_seqof_algorithm_identifier);
1438 DEFFIELD(auth_pack_3, krb5_auth_pack, clientDHNonce, 3, opt_ostring_data);
1439 DEFFIELD(auth_pack_4, krb5_auth_pack, supportedKDFs, 4,
1440 opt_ptr_supported_kdfs);
1441 static const struct atype_info *auth_pack_fields[] = {
1442 &k5_atype_auth_pack_0, &k5_atype_auth_pack_1, &k5_atype_auth_pack_2,
1443 &k5_atype_auth_pack_3, &k5_atype_auth_pack_4
1445 DEFSEQTYPE(auth_pack, krb5_auth_pack, auth_pack_fields);
1447 DEFFIELD(auth_pack9_0, krb5_auth_pack_draft9, pkAuthenticator, 0,
1448 pk_authenticator_draft9);
1449 DEFFIELD(auth_pack9_1, krb5_auth_pack_draft9, clientPublicValue, 1,
1450 opt_subject_pk_info_ptr);
1451 static const struct atype_info *auth_pack_draft9_fields[] = {
1452 &k5_atype_auth_pack9_0, &k5_atype_auth_pack9_1
1454 DEFSEQTYPE(auth_pack_draft9, krb5_auth_pack_draft9, auth_pack_draft9_fields);
1456 DEFFIELD_IMPLICIT(extprinc_0, krb5_external_principal_identifier,
1457 subjectName, 0, opt_ostring_data);
1458 DEFFIELD_IMPLICIT(extprinc_1, krb5_external_principal_identifier,
1459 issuerAndSerialNumber, 1, opt_ostring_data);
1460 DEFFIELD_IMPLICIT(extprinc_2, krb5_external_principal_identifier,
1461 subjectKeyIdentifier, 2, opt_ostring_data);
1462 static const struct atype_info *external_principal_identifier_fields[] = {
1463 &k5_atype_extprinc_0, &k5_atype_extprinc_1, &k5_atype_extprinc_2
1465 DEFSEQTYPE(external_principal_identifier, krb5_external_principal_identifier,
1466 external_principal_identifier_fields);
1467 DEFPTRTYPE(external_principal_identifier_ptr, external_principal_identifier);
1469 DEFNULLTERMSEQOFTYPE(seqof_external_principal_identifier,
1470 external_principal_identifier_ptr);
1471 DEFPTRTYPE(ptr_seqof_external_principal_identifier,
1472 seqof_external_principal_identifier);
1473 DEFOPTIONALZEROTYPE(opt_ptr_seqof_external_principal_identifier,
1474 ptr_seqof_external_principal_identifier);
1476 DEFFIELD_IMPLICIT(pa_pk_as_req_0, krb5_pa_pk_as_req, signedAuthPack, 0,
1478 DEFFIELD(pa_pk_as_req_1, krb5_pa_pk_as_req, trustedCertifiers, 1,
1479 opt_ptr_seqof_external_principal_identifier);
1480 DEFFIELD_IMPLICIT(pa_pk_as_req_2, krb5_pa_pk_as_req, kdcPkId, 2,
1482 static const struct atype_info *pa_pk_as_req_fields[] = {
1483 &k5_atype_pa_pk_as_req_0, &k5_atype_pa_pk_as_req_1,
1484 &k5_atype_pa_pk_as_req_2
1486 DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields);
1489 * In draft-ietf-cat-kerberos-pk-init-09, this sequence has four fields, but we
1490 * only ever use the first and third. The fields are specified as explicitly
1491 * tagged, but our historical behavior is to pretend that they are wrapped in
1492 * IMPLICIT OCTET STRING (i.e., generate primitive context tags), and we don't
1493 * want to change that without interop testing.
1495 DEFFIELD_IMPLICIT(pa_pk_as_req9_0, krb5_pa_pk_as_req_draft9, signedAuthPack, 0,
1497 DEFFIELD_IMPLICIT(pa_pk_as_req9_2, krb5_pa_pk_as_req_draft9, kdcCert, 2,
1499 static const struct atype_info *pa_pk_as_req_draft9_fields[] = {
1500 &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_2
1502 DEFSEQTYPE(pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9,
1503 pa_pk_as_req_draft9_fields);
1504 /* For decoding, we only care about the first field; we can ignore the rest. */
1505 static const struct atype_info *pa_pk_as_req_draft9_decode_fields[] = {
1506 &k5_atype_pa_pk_as_req9_0
1508 DEFSEQTYPE(pa_pk_as_req_draft9_decode, krb5_pa_pk_as_req_draft9,
1509 pa_pk_as_req_draft9_decode_fields);
1511 DEFFIELD_IMPLICIT(dh_rep_info_0, krb5_dh_rep_info, dhSignedData, 0,
1513 DEFFIELD(dh_rep_info_1, krb5_dh_rep_info, serverDHNonce, 1, opt_ostring_data);
1514 DEFFIELD(dh_rep_info_2, krb5_dh_rep_info, kdfID, 2, opt_ptr_kdf_alg_id);
1515 static const struct atype_info *dh_rep_info_fields[] = {
1516 &k5_atype_dh_rep_info_0, &k5_atype_dh_rep_info_1, &k5_atype_dh_rep_info_2
1518 DEFSEQTYPE(dh_rep_info, krb5_dh_rep_info, dh_rep_info_fields);
1520 DEFFIELD(dh_key_0, krb5_kdc_dh_key_info, subjectPublicKey, 0, bitstring_data);
1521 DEFFIELD(dh_key_1, krb5_kdc_dh_key_info, nonce, 1, int32);
1522 DEFFIELD(dh_key_2, krb5_kdc_dh_key_info, dhKeyExpiration, 2,
1524 static const struct atype_info *kdc_dh_key_info_fields[] = {
1525 &k5_atype_dh_key_0, &k5_atype_dh_key_1, &k5_atype_dh_key_2
1527 DEFSEQTYPE(kdc_dh_key_info, krb5_kdc_dh_key_info, kdc_dh_key_info_fields);
1529 DEFFIELD(reply_key_pack_0, krb5_reply_key_pack, replyKey, 0, encryption_key);
1530 DEFFIELD(reply_key_pack_1, krb5_reply_key_pack, asChecksum, 1, checksum);
1531 static const struct atype_info *reply_key_pack_fields[] = {
1532 &k5_atype_reply_key_pack_0, &k5_atype_reply_key_pack_1
1534 DEFSEQTYPE(reply_key_pack, krb5_reply_key_pack, reply_key_pack_fields);
1536 DEFFIELD(key_pack9_0, krb5_reply_key_pack_draft9, replyKey, 0, encryption_key);
1537 DEFFIELD(key_pack9_1, krb5_reply_key_pack_draft9, nonce, 1, int32);
1538 static const struct atype_info *reply_key_pack_draft9_fields[] = {
1539 &k5_atype_key_pack9_0, &k5_atype_key_pack9_1
1541 DEFSEQTYPE(reply_key_pack_draft9, krb5_reply_key_pack_draft9,
1542 reply_key_pack_draft9_fields);
1544 DEFCTAGGEDTYPE(pa_pk_as_rep_0, 0, dh_rep_info);
1545 DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep_1, 1, ostring_data);
1546 static const struct atype_info *pa_pk_as_rep_alternatives[] = {
1547 &k5_atype_pa_pk_as_rep_0, &k5_atype_pa_pk_as_rep_1
1549 DEFCHOICETYPE(pa_pk_as_rep_choice, union krb5_pa_pk_as_rep_choices,
1550 enum krb5_pa_pk_as_rep_selection, pa_pk_as_rep_alternatives);
1551 DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep, krb5_pa_pk_as_rep, u, choice,
1552 pa_pk_as_rep_choice);
1555 * draft-ietf-cat-kerberos-pk-init-09 specifies these alternatives as
1556 * explicitly tagged SignedData and EnvelopedData respectively, which means
1557 * they should have constructed context tags. However, our historical behavior
1558 * is to use primitive context tags, and we don't want to change that behavior
1559 * without interop testing. We have the encodings for each alternative in a
1560 * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in
1561 * order to wrap them in primitive [0] and [1] tags.
1563 DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_0, 0, ostring_data);
1564 DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_1, 1, ostring_data);
1565 static const struct atype_info *pa_pk_as_rep_draft9_alternatives[] = {
1566 &k5_atype_pa_pk_as_rep9_0, &k5_atype_pa_pk_as_rep9_1
1568 DEFCHOICETYPE(pa_pk_as_rep_draft9_choice,
1569 union krb5_pa_pk_as_rep_draft9_choices,
1570 enum krb5_pa_pk_as_rep_draft9_selection,
1571 pa_pk_as_rep_draft9_alternatives);
1572 DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep_draft9, krb5_pa_pk_as_rep_draft9, u, choice,
1573 pa_pk_as_rep_draft9_choice);
1575 MAKE_CODEC(krb5_pa_pk_as_req, pa_pk_as_req);
1576 MAKE_ENCODER(encode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9);
1577 MAKE_DECODER(decode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9_decode);
1578 MAKE_CODEC(krb5_pa_pk_as_rep, pa_pk_as_rep);
1579 MAKE_ENCODER(encode_krb5_pa_pk_as_rep_draft9, pa_pk_as_rep_draft9);
1580 MAKE_CODEC(krb5_auth_pack, auth_pack);
1581 MAKE_CODEC(krb5_auth_pack_draft9, auth_pack_draft9);
1582 MAKE_CODEC(krb5_kdc_dh_key_info, kdc_dh_key_info);
1583 MAKE_CODEC(krb5_reply_key_pack, reply_key_pack);
1584 MAKE_CODEC(krb5_reply_key_pack_draft9, reply_key_pack_draft9);
1585 MAKE_CODEC(krb5_td_trusted_certifiers, seqof_external_principal_identifier);
1586 MAKE_CODEC(krb5_td_dh_parameters, seqof_algorithm_identifier);
1587 MAKE_DECODER(decode_krb5_principal_name, pkinit_krb5_principal_name_data);
1589 #else /* DISABLE_PKINIT */
1591 /* Stubs for exported pkinit encoder functions. */
1594 encode_krb5_sp80056a_other_info(const krb5_sp80056a_other_info *rep,
1601 encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *rep,
1607 #endif /* not DISABLE_PKINIT */
1609 DEFFIELD(typed_data_0, krb5_pa_data, pa_type, 0, int32);
1610 DEFCNFIELD(typed_data_1, krb5_pa_data, contents, length, 1, octetstring);
1611 static const struct atype_info *typed_data_fields[] = {
1612 &k5_atype_typed_data_0, &k5_atype_typed_data_1
1614 DEFSEQTYPE(typed_data, krb5_pa_data, typed_data_fields);
1615 DEFPTRTYPE(typed_data_ptr, typed_data);
1617 DEFNULLTERMSEQOFTYPE(seqof_typed_data, typed_data_ptr);
1618 MAKE_CODEC(krb5_typed_data, seqof_typed_data);