From 9b261c008a395a323e0516f4cd3f3134aa050577 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 8 Jun 2009 19:06:16 +1000 Subject: s4:heimdal: import lorikeet-heimdal-200906080040 (commit 904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett --- source4/heimdal/lib/asn1/CMS.asn1 | 157 ----- source4/heimdal/lib/asn1/asn1_err.et | 2 + source4/heimdal/lib/asn1/asn1_gen.c | 12 +- source4/heimdal/lib/asn1/canthandle.asn1 | 2 +- source4/heimdal/lib/asn1/cms.asn1 | 157 +++++ source4/heimdal/lib/asn1/cms.opt | 1 + source4/heimdal/lib/asn1/der.h | 2 +- source4/heimdal/lib/asn1/der_get.c | 112 +++- source4/heimdal/lib/asn1/der_locl.h | 4 +- source4/heimdal/lib/asn1/der_put.c | 2 +- source4/heimdal/lib/asn1/digest.asn1 | 2 +- source4/heimdal/lib/asn1/extra.c | 14 +- source4/heimdal/lib/asn1/gen.c | 44 +- source4/heimdal/lib/asn1/gen_copy.c | 2 +- source4/heimdal/lib/asn1/gen_decode.c | 87 ++- source4/heimdal/lib/asn1/gen_encode.c | 4 +- source4/heimdal/lib/asn1/gen_free.c | 2 +- source4/heimdal/lib/asn1/gen_length.c | 2 +- source4/heimdal/lib/asn1/gen_locl.h | 10 +- source4/heimdal/lib/asn1/k5.asn1 | 671 -------------------- source4/heimdal/lib/asn1/krb5.asn1 | 750 ++++++++++++++++++++++ source4/heimdal/lib/asn1/krb5.opt | 6 + source4/heimdal/lib/asn1/kx509.asn1 | 11 + source4/heimdal/lib/asn1/lex.l | 6 +- source4/heimdal/lib/asn1/main.c | 72 ++- source4/heimdal/lib/asn1/parse.y | 1015 ------------------------------ source4/heimdal/lib/asn1/pkcs12.asn1 | 2 +- source4/heimdal/lib/asn1/pkcs8.asn1 | 2 +- source4/heimdal/lib/asn1/pkinit.asn1 | 33 +- source4/heimdal/lib/asn1/rfc2459.asn1 | 74 ++- source4/heimdal/lib/asn1/test.asn1 | 14 +- 31 files changed, 1312 insertions(+), 1962 deletions(-) delete mode 100644 source4/heimdal/lib/asn1/CMS.asn1 create mode 100644 source4/heimdal/lib/asn1/cms.asn1 create mode 100644 
source4/heimdal/lib/asn1/cms.opt delete mode 100644 source4/heimdal/lib/asn1/k5.asn1 create mode 100644 source4/heimdal/lib/asn1/krb5.asn1 create mode 100644 source4/heimdal/lib/asn1/krb5.opt delete mode 100644 source4/heimdal/lib/asn1/parse.y (limited to 'source4/heimdal/lib/asn1') diff --git a/source4/heimdal/lib/asn1/CMS.asn1 b/source4/heimdal/lib/asn1/CMS.asn1 deleted file mode 100644 index 65a467521d..0000000000 --- a/source4/heimdal/lib/asn1/CMS.asn1 +++ /dev/null 
@@ -1,157 +0,0 @@ --- From RFC 3369 -- --- $Id$ -- - -CMS DEFINITIONS ::= BEGIN - -IMPORTS CertificateSerialNumber, AlgorithmIdentifier, Name, - Attribute, Certificate, Name, SubjectKeyIdentifier FROM rfc2459 - heim_any, heim_any_set FROM heim; - -id-pkcs7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) - us(840) rsadsi(113549) pkcs(1) pkcs7(7) } - -id-pkcs7-data OBJECT IDENTIFIER ::= { id-pkcs7 1 } -id-pkcs7-signedData OBJECT IDENTIFIER ::= { id-pkcs7 2 } -id-pkcs7-envelopedData OBJECT IDENTIFIER ::= { id-pkcs7 3 } -id-pkcs7-signedAndEnvelopedData OBJECT IDENTIFIER ::= { id-pkcs7 4 } -id-pkcs7-digestedData OBJECT IDENTIFIER ::= { id-pkcs7 5 } -id-pkcs7-encryptedData OBJECT IDENTIFIER ::= { id-pkcs7 6 } - -CMSVersion ::= INTEGER { - CMSVersion_v0(0), - CMSVersion_v1(1), - CMSVersion_v2(2), - CMSVersion_v3(3), - CMSVersion_v4(4) -} - -DigestAlgorithmIdentifier ::= AlgorithmIdentifier -DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier -SignatureAlgorithmIdentifier ::= AlgorithmIdentifier - -ContentType ::= OBJECT IDENTIFIER -MessageDigest ::= OCTET STRING - -ContentInfo ::= SEQUENCE { - contentType ContentType, - content [0] EXPLICIT heim_any OPTIONAL -- DEFINED BY contentType -} - -EncapsulatedContentInfo ::= SEQUENCE { - eContentType ContentType, - eContent [0] EXPLICIT OCTET STRING OPTIONAL -} - -CertificateSet ::= SET OF heim_any - -CertificateList ::= Certificate - -CertificateRevocationLists ::= SET OF CertificateList - -IssuerAndSerialNumber ::= SEQUENCE { - issuer Name, - serialNumber CertificateSerialNumber -} - --- RecipientIdentifier is same as SignerIdentifier, --- lets glue them togheter and save some bytes and share code for them - -CMSIdentifier ::= CHOICE { - issuerAndSerialNumber IssuerAndSerialNumber, - subjectKeyIdentifier [0] SubjectKeyIdentifier -} - -SignerIdentifier ::= CMSIdentifier -RecipientIdentifier ::= CMSIdentifier - ---- CMSAttributes are the combined UnsignedAttributes and SignedAttributes ---- to store space and share code 
- -CMSAttributes ::= SET OF Attribute -- SIZE (1..MAX) - -SignatureValue ::= OCTET STRING - -SignerInfo ::= SEQUENCE { - version CMSVersion, - sid SignerIdentifier, - digestAlgorithm DigestAlgorithmIdentifier, - signedAttrs [0] IMPLICIT -- CMSAttributes -- - SET OF Attribute OPTIONAL, - signatureAlgorithm SignatureAlgorithmIdentifier, - signature SignatureValue, - unsignedAttrs [1] IMPLICIT -- CMSAttributes -- - SET OF Attribute OPTIONAL -} - -SignerInfos ::= SET OF SignerInfo - -SignedData ::= SEQUENCE { - version CMSVersion, - digestAlgorithms DigestAlgorithmIdentifiers, - encapContentInfo EncapsulatedContentInfo, - certificates [0] IMPLICIT -- CertificateSet -- - SET OF heim_any OPTIONAL, - crls [1] IMPLICIT -- CertificateRevocationLists -- - heim_any OPTIONAL, - signerInfos SignerInfos -} - -OriginatorInfo ::= SEQUENCE { - certs [0] IMPLICIT -- CertificateSet -- - SET OF heim_any OPTIONAL, - crls [1] IMPLICIT --CertificateRevocationLists -- - heim_any OPTIONAL -} - -KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier -ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier - -EncryptedKey ::= OCTET STRING - -KeyTransRecipientInfo ::= SEQUENCE { - version CMSVersion, -- always set to 0 or 2 - rid RecipientIdentifier, - keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, - encryptedKey EncryptedKey -} - -RecipientInfo ::= KeyTransRecipientInfo - -RecipientInfos ::= SET OF RecipientInfo - -EncryptedContent ::= OCTET STRING - -EncryptedContentInfo ::= SEQUENCE { - contentType ContentType, - contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, - encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL -} - -UnprotectedAttributes ::= SET OF Attribute -- SIZE (1..MAX) - -CMSEncryptedData ::= SEQUENCE { - version CMSVersion, - encryptedContentInfo EncryptedContentInfo, - unprotectedAttrs [1] IMPLICIT -- UnprotectedAttributes -- - heim_any OPTIONAL -} - -EnvelopedData ::= SEQUENCE { - version CMSVersion, - originatorInfo [0] IMPLICIT -- 
OriginatorInfo -- heim_any OPTIONAL, - recipientInfos RecipientInfos, - encryptedContentInfo EncryptedContentInfo, - unprotectedAttrs [1] IMPLICIT -- UnprotectedAttributes -- - heim_any OPTIONAL -} - --- Data ::= OCTET STRING - -CMSRC2CBCParameter ::= SEQUENCE { - rc2ParameterVersion INTEGER (0..4294967295), - iv OCTET STRING -- exactly 8 octets -} - -CMSCBCParameter ::= OCTET STRING - -END diff --git a/source4/heimdal/lib/asn1/asn1_err.et b/source4/heimdal/lib/asn1/asn1_err.et index 26bda55c19..f1a653b1f9 100644 --- a/source4/heimdal/lib/asn1/asn1_err.et +++ b/source4/heimdal/lib/asn1/asn1_err.et @@ -22,4 +22,6 @@ error_code BAD_CHARACTER, "ASN.1 invalid character in string" error_code MIN_CONSTRAINT, "ASN.1 too few elements" error_code MAX_CONSTRAINT, "ASN.1 too many elements" error_code EXACT_CONSTRAINT, "ASN.1 wrong number of elements" +error_code INDEF_OVERRUN, "ASN.1 BER indefinte encoding overrun" +error_code INDEF_UNDERRUN, "ASN.1 BER indefinte encoding underun" end diff --git a/source4/heimdal/lib/asn1/asn1_gen.c b/source4/heimdal/lib/asn1/asn1_gen.c index e25f6d919e..925cc72cb4 100644 --- a/source4/heimdal/lib/asn1/asn1_gen.c +++ b/source4/heimdal/lib/asn1/asn1_gen.c @@ -119,24 +119,24 @@ doit(const char *fn) &sz); if (ret) errx(1, "der_put_length_and_tag: %d", ret); - + if (fwrite(p + sizeof(p) - sz , sz, 1, fout) != 1) err(1, "fwrite length/tag failed"); offset += sz; - + if (data) { size_t datalen; - + datalen = strlen(data) / 2; pdata = emalloc(sz); - + if (hex_decode(data, pdata, datalen) != datalen) errx(1, "failed to decode data"); - + if (fwrite(pdata, datalen, 1, fout) != 1) err(1, "fwrite data failed"); offset += datalen; - + free(pdata); } } diff --git a/source4/heimdal/lib/asn1/canthandle.asn1 b/source4/heimdal/lib/asn1/canthandle.asn1 index 5c2690f9b6..a335ee89e3 100644 --- a/source4/heimdal/lib/asn1/canthandle.asn1 +++ b/source4/heimdal/lib/asn1/canthandle.asn1 
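Review bot: The two new error strings in asn1_err.et misspell their messages: `"ASN.1 BER indefinte encoding overrun"` should read `"ASN.1 BER indefinite encoding overrun"` and `"ASN.1 BER indefinte encoding underun"` should read `"ASN.1 BER indefinite encoding underrun"`. These become the com_err text returned for the new INDEF_OVERRUN/INDEF_UNDERRUN codes, so the typos will appear in every log line and error report that surfaces them and in anything that greps for them.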
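Review bot: In the asn1_gen.c hunk the context line `pdata = emalloc(sz);` sizes the buffer by `sz`, which on the lines above is the encoded tag-and-length size handed to fwrite, while `hex_decode(data, pdata, datalen)` writes `datalen = strlen(data) / 2` bytes into it. Any hex payload longer than the tag/length encoding therefore overruns the heap allocation; the hunk itself only touches whitespace, but since the file is being re-imported this is the moment to change the line to `pdata = emalloc(datalen);`. doit continues outside the hunk.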
@@ -7,7 +7,7 @@ CANTHANDLE DEFINITIONS ::= BEGIN -- Code the tag [2] but it should be primitive since KAKA3 is -- Workaround: use the INTEGER type directly -Kaka2 ::= SEQUENCE { +Kaka2 ::= SEQUENCE { kaka2-1 [0] INTEGER } diff --git a/source4/heimdal/lib/asn1/cms.asn1 b/source4/heimdal/lib/asn1/cms.asn1 new file mode 100644 index 0000000000..1c13d5f387 --- /dev/null +++ b/source4/heimdal/lib/asn1/cms.asn1 
@@ -0,0 +1,157 @@ +-- From RFC 3369 -- +-- $Id$ -- + +CMS DEFINITIONS ::= BEGIN + +IMPORTS CertificateSerialNumber, AlgorithmIdentifier, Name, + Attribute, Certificate, Name, SubjectKeyIdentifier FROM rfc2459 + heim_any, heim_any_set FROM heim; + +id-pkcs7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs7(7) } + +id-pkcs7-data OBJECT IDENTIFIER ::= { id-pkcs7 1 } +id-pkcs7-signedData OBJECT IDENTIFIER ::= { id-pkcs7 2 } +id-pkcs7-envelopedData OBJECT IDENTIFIER ::= { id-pkcs7 3 } +id-pkcs7-signedAndEnvelopedData OBJECT IDENTIFIER ::= { id-pkcs7 4 } +id-pkcs7-digestedData OBJECT IDENTIFIER ::= { id-pkcs7 5 } +id-pkcs7-encryptedData OBJECT IDENTIFIER ::= { id-pkcs7 6 } + +CMSVersion ::= INTEGER { + CMSVersion_v0(0), + CMSVersion_v1(1), + CMSVersion_v2(2), + CMSVersion_v3(3), + CMSVersion_v4(4) +} + +DigestAlgorithmIdentifier ::= AlgorithmIdentifier +DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier +SignatureAlgorithmIdentifier ::= AlgorithmIdentifier + +ContentType ::= OBJECT IDENTIFIER +MessageDigest ::= OCTET STRING + +ContentInfo ::= SEQUENCE { + contentType ContentType, + content [0] EXPLICIT heim_any OPTIONAL -- DEFINED BY contentType +} + +EncapsulatedContentInfo ::= SEQUENCE { + eContentType ContentType, + eContent [0] EXPLICIT OCTET STRING OPTIONAL +} + +CertificateSet ::= SET OF heim_any + +CertificateList ::= Certificate + +CertificateRevocationLists ::= SET OF CertificateList + +IssuerAndSerialNumber ::= SEQUENCE { + issuer Name, + serialNumber CertificateSerialNumber +} + +-- RecipientIdentifier is same as SignerIdentifier, +-- lets glue them togheter and save some bytes and share code for them + +CMSIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier [0] SubjectKeyIdentifier +} + +SignerIdentifier ::= CMSIdentifier +RecipientIdentifier ::= CMSIdentifier + +--- CMSAttributes are the combined UnsignedAttributes and SignedAttributes +--- to store space and share code 
+ +CMSAttributes ::= SET OF Attribute -- SIZE (1..MAX) + +SignatureValue ::= OCTET STRING + +SignerInfo ::= SEQUENCE { + version CMSVersion, + sid SignerIdentifier, + digestAlgorithm DigestAlgorithmIdentifier, + signedAttrs [0] IMPLICIT -- CMSAttributes -- + SET OF Attribute OPTIONAL, + signatureAlgorithm SignatureAlgorithmIdentifier, + signature SignatureValue, + unsignedAttrs [1] IMPLICIT -- CMSAttributes -- + SET OF Attribute OPTIONAL +} + +SignerInfos ::= SET OF SignerInfo + +SignedData ::= SEQUENCE { + version CMSVersion, + digestAlgorithms DigestAlgorithmIdentifiers, + encapContentInfo EncapsulatedContentInfo, + certificates [0] IMPLICIT -- CertificateSet -- + SET OF heim_any OPTIONAL, + crls [1] IMPLICIT -- CertificateRevocationLists -- + heim_any OPTIONAL, + signerInfos SignerInfos +} + +OriginatorInfo ::= SEQUENCE { + certs [0] IMPLICIT -- CertificateSet -- + SET OF heim_any OPTIONAL, + crls [1] IMPLICIT --CertificateRevocationLists -- + heim_any OPTIONAL +} + +KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier +ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier + +EncryptedKey ::= OCTET STRING + +KeyTransRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 or 2 + rid RecipientIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey +} + +RecipientInfo ::= KeyTransRecipientInfo + +RecipientInfos ::= SET OF RecipientInfo + +EncryptedContent ::= OCTET STRING + +EncryptedContentInfo ::= SEQUENCE { + contentType ContentType, + contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, + encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL +} + +UnprotectedAttributes ::= SET OF Attribute -- SIZE (1..MAX) + +CMSEncryptedData ::= SEQUENCE { + version CMSVersion, + encryptedContentInfo EncryptedContentInfo, + unprotectedAttrs [1] IMPLICIT -- UnprotectedAttributes -- + heim_any OPTIONAL +} + +EnvelopedData ::= SEQUENCE { + version CMSVersion, + originatorInfo [0] IMPLICIT -- 
OriginatorInfo -- heim_any OPTIONAL, + recipientInfos RecipientInfos, + encryptedContentInfo EncryptedContentInfo, + unprotectedAttrs [1] IMPLICIT -- UnprotectedAttributes -- + heim_any OPTIONAL +} + +-- Data ::= OCTET STRING + +CMSRC2CBCParameter ::= SEQUENCE { + rc2ParameterVersion INTEGER (0..4294967295), + iv OCTET STRING -- exactly 8 octets +} + +CMSCBCParameter ::= OCTET STRING + +END diff --git a/source4/heimdal/lib/asn1/cms.opt b/source4/heimdal/lib/asn1/cms.opt new file mode 100644 index 0000000000..bf7d396529 --- /dev/null +++ b/source4/heimdal/lib/asn1/cms.opt @@ -0,0 +1 @@ +--decode-dce-ber diff --git a/source4/heimdal/lib/asn1/der.h b/source4/heimdal/lib/asn1/der.h index 3b6f30887c..5b24b917d8 100644 --- a/source4/heimdal/lib/asn1/der.h +++ b/source4/heimdal/lib/asn1/der.h @@ -52,7 +52,7 @@ typedef enum {PRIM = 0, CONS = 1} Der_type; enum { UT_EndOfContent = 0, UT_Boolean = 1, - UT_Integer = 2, + UT_Integer = 2, UT_BitString = 3, UT_OctetString = 4, UT_Null = 5, diff --git a/source4/heimdal/lib/asn1/der_get.c b/source4/heimdal/lib/asn1/der_get.c index 8a70966413..8144639b9a 100644 --- a/source4/heimdal/lib/asn1/der_get.c +++ b/source4/heimdal/lib/asn1/der_get.c @@ -33,10 +33,6 @@ #include "der_locl.h" -RCSID("$Id$"); - -#include - /* * All decoding functions take a pointer `p' to first position in * which to read, from the left, `len' which means the maximum number 
@@ -251,6 +247,75 @@ der_get_octet_string (const unsigned char *p, size_t len, return 0; } +int +der_get_octet_string_ber (const unsigned char *p, size_t len, + heim_octet_string *data, size_t *size) +{ + int e; + Der_type type; + Der_class class; + unsigned int tag, depth = 0; + size_t l, datalen, oldlen = len; + + data->length = 0; + data->data = NULL; + + while (len) { + e = der_get_tag (p, len, &class, &type, &tag, &l); + if (e) goto out; + if (class != ASN1_C_UNIV) { + e = ASN1_BAD_ID; + goto out; + } + if (type == PRIM && tag == UT_EndOfContent) { + if (depth == 0) + break; + depth--; + } + if (tag != UT_OctetString) { + e = ASN1_BAD_ID; + goto out; + } + + p += l; + len -= l; + e = der_get_length (p, len, &datalen, &l); + if (e) goto out; + p += l; + len -= l; + + if (datalen > len) + return ASN1_OVERRUN; + + if (type == PRIM) { + void *ptr; + + ptr = realloc(data->data, data->length + datalen); + if (ptr == NULL) { + e = ENOMEM; + goto out; + } + data->data = ptr; + memcpy(((unsigned char *)data->data) + data->length, p, datalen); + data->length += datalen; + } else + depth++; + + p += datalen; + len -= datalen; + } + if (depth != 0) + return ASN1_INDEF_OVERRUN; + if(size) *size = oldlen - len; + return 0; + out: + free(data->data); + data->data = NULL; + data->length = 0; + return e; +} + + int der_get_heim_integer (const unsigned char *p, size_t len, heim_integer *data, size_t *size) @@ -397,7 +462,7 @@ der_get_oid (const unsigned char *p, size_t len, ++p; for (n = 2; len > 0; ++n) { unsigned u = 0, u1; - + do { --len; u1 = u * 128 + (*p++ % 128); 
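Review bot: The two early returns in der_get_octet_string_ber, `return ASN1_OVERRUN;` after the `datalen > len` check and `return ASN1_INDEF_OVERRUN;` after the loop, bypass the `out:` cleanup and leak whatever earlier iterations already realloc'ed into `data->data`, leaving the caller a non-NULL `data->data` with a non-zero length on a failed decode; both should become `e = ASN1_OVERRUN; goto out;` and `e = ASN1_INDEF_OVERRUN; goto out;`. Nested constructed segments also do not decode: a CONS segment only does `depth++` and then skips its whole `datalen`, and an end-of-contents tag at depth > 0 falls through to the `tag != UT_OctetString` check and returns ASN1_BAD_ID, so the loop only succeeds for a flat run of PRIM segments. Either descend into CONS segments (do not advance `p` past their content) and `continue` once the EOC tag and length have been consumed, or state the flat-only limit in a header comment on the function, which currently has none.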
@@ -456,16 +521,29 @@ int der_match_tag (const unsigned char *p, size_t len, Der_class class, Der_type type, unsigned int tag, size_t *size) +{ + Der_type thistype; + int e; + + e = der_match_tag2(p, len, class, &thistype, tag, size); + if (e) return e; + if (thistype != type) return ASN1_BAD_ID; + return 0; +} + +int +der_match_tag2 (const unsigned char *p, size_t len, + Der_class class, Der_type *type, + unsigned int tag, size_t *size) { size_t l; Der_class thisclass; - Der_type thistype; unsigned int thistag; int e; - e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l); + e = der_get_tag (p, len, &thisclass, type, &thistag, &l); if (e) return e; - if (class != thisclass || type != thistype) + if (class != thisclass) return ASN1_BAD_ID; if(tag > thistag) return ASN1_MISPLACED_FIELD; @@ -477,26 +555,25 @@ der_match_tag (const unsigned char *p, size_t len, int der_match_tag_and_length (const unsigned char *p, size_t len, - Der_class class, Der_type type, unsigned int tag, + Der_class class, Der_type *type, unsigned int tag, size_t *length_ret, size_t *size) { size_t l, ret = 0; int e; - e = der_match_tag (p, len, class, type, tag, &l); + e = der_match_tag2 (p, len, class, type, tag, &l); if (e) return e; p += l; len -= l; ret += l; e = der_get_length (p, len, length_ret, &l); if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; + if(size) *size = ret + l; return 0; } + + /* * Old versions of DCE was based on a very early beta of the MIT code, * which used MAVROS for ASN.1 encoding. MAVROS had the interesting @@ -539,8 +616,11 @@ der_get_bit_string (const unsigned char *p, size_t len, data->data = malloc(len - 1); if (data->data == NULL && (len - 1) != 0) return ENOMEM; - memcpy (data->data, p + 1, len - 1); - data->length -= p[0]; + /* copy data is there is data to copy */ + if (len - 1 != 0) { + memcpy (data->data, p + 1, len - 1); + data->length -= p[0]; + } if(size) *size = len; return 0; } 
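Review bot: `der_match_tag2` is a new exported function and `der_match_tag_and_length` has silently changed contract — `type` is now an output parameter and a Der_type mismatch is no longer rejected — yet neither carries a comment saying so, and every caller of der_match_tag_and_length must now check `*type` itself (as `der_match_tag` does with `if (thistype != type) return ASN1_BAD_ID;`). Add above der_match_tag2 something like `/* Like der_match_tag but returns the Der_type found in *type instead of checking it; class and tag are still verified. */` and the same remark above der_match_tag_and_length, naming the caller's obligation to check `*type`. Because the parameter changed from a value to a pointer, a caller outside this directory still built against the old prototype will fail to compile rather than misbehave, which is the safe outcome.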
diff --git a/source4/heimdal/lib/asn1/der_locl.h b/source4/heimdal/lib/asn1/der_locl.h index f8a21de71c..1f27e72903 100644 --- a/source4/heimdal/lib/asn1/der_locl.h +++ b/source4/heimdal/lib/asn1/der_locl.h @@ -36,9 +36,9 @@ #ifndef __DER_LOCL_H__ #define __DER_LOCL_H__ -#ifdef HAVE_CONFIG_H + #include -#endif + #include #include #include diff --git a/source4/heimdal/lib/asn1/der_put.c b/source4/heimdal/lib/asn1/der_put.c index 5afddb1d05..7e71443da5 100644 --- a/source4/heimdal/lib/asn1/der_put.c +++ b/source4/heimdal/lib/asn1/der_put.c @@ -384,7 +384,7 @@ der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type, } else { size_t ret = 0; unsigned int continuation = 0; - + do { if (len < 1) return ASN1_OVERFLOW; diff --git a/source4/heimdal/lib/asn1/digest.asn1 b/source4/heimdal/lib/asn1/digest.asn1 index 1cf58b4638..5ee5bd4a99 100644 --- a/source4/heimdal/lib/asn1/digest.asn1 +++ b/source4/heimdal/lib/asn1/digest.asn1 @@ -139,7 +139,7 @@ DigestREP ::= [APPLICATION 129] SEQUENCE { -- qop == auth -- A2 = Method ":" digest-uri-value -- qop == auth-int --- A2 = Method ":" digest-uri-value ":" H(entity-body) +-- A2 = Method ":" digest-uri-value ":" H(entity-body) -- request-digest = HEX(KD(HEX(H(A1)), -- unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2)))) diff --git a/source4/heimdal/lib/asn1/extra.c b/source4/heimdal/lib/asn1/extra.c index 49240605c8..b244dbb52a 100644 --- a/source4/heimdal/lib/asn1/extra.c +++ b/source4/heimdal/lib/asn1/extra.c 
@@ -67,15 +67,21 @@ decode_heim_any(const unsigned char *p, size_t len, return ASN1_OVERFLOW; e = der_get_length(p + l, len - l, &length, &len_len); if (e) return e; - if (length + len_len + l > len) - return ASN1_OVERFLOW; - + if (length == ASN1_INDEFINITE) { + if (len < len_len + l) + return ASN1_OVERFLOW; + length = len - (len_len + l); + } else { + if (len < length + len_len + l) + return ASN1_OVERFLOW; + } + data->data = malloc(length + len_len + l); if (data->data == NULL) return ENOMEM; data->length = length + len_len + l; memcpy(data->data, p, length + len_len + l); - + if (size) *size = length + len_len + l; diff --git a/source4/heimdal/lib/asn1/gen.c b/source4/heimdal/lib/asn1/gen.c index 52fd0d393b..e156c7cefb 100644 --- a/source4/heimdal/lib/asn1/gen.c +++ b/source4/heimdal/lib/asn1/gen.c @@ -83,12 +83,19 @@ init_generate (const char *filename, const char *base) if (headerbase == NULL) errx(1, "strdup"); } + + /* public header file */ asprintf(&header, "%s.h", headerbase); if (header == NULL) errx(1, "malloc"); - headerfile = fopen (header, "w"); + asprintf(&fn, "%s.hx", headerbase); + if (fn == NULL) + errx(1, "malloc"); + headerfile = fopen (fn, "w"); if (headerfile == NULL) - err (1, "open %s", header); + err (1, "open %s", fn); + free(fn); + fprintf (headerfile, "/* Generated from %s */\n" "/* Do not edit */\n\n", @@ -229,7 +236,7 @@ gen_compare_defval(const char *var, struct value *val) } } -static void +void generate_header_of_codefile(const char *name) { char *filename; @@ -267,7 +274,7 @@ generate_header_of_codefile(const char *name) } -static void +void close_codefile(void) { if (codefile == NULL) @@ -296,7 +303,8 @@ generate_constant (const Symbol *s) struct objid *o, **list; unsigned int i, len; - generate_header_of_codefile(s->gen_name); + if (!one_code_file) + generate_header_of_codefile(s->gen_name); len = 0; for (o = s->value->u.objectidentifiervalue; o != NULL; o = o->next) 
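Review bot: In decode_heim_any the new `length == ASN1_INDEFINITE` branch does not look for the matching end-of-contents octets; it sets `length = len - (len_len + l)` and so copies, and reports in `*size`, everything up to the end of the caller's buffer, EOC bytes included. That is only correct if every caller has already narrowed `len` to exactly this element, which the generated TTag code appears to do by reserving two bytes for the EOC, so the assumption should be written down: `/* indefinite length: the caller must have limited len to this element (the generated tag code reserves the 2 EOC bytes); everything up to len is captured and no EOC is validated here */`. Independently, the definite-length check `len < length + len_len + l` can wrap if der_get_length can hand back a value near SIZE_MAX; `if (len < len_len + l || length > len - (len_len + l)) return ASN1_OVERFLOW;` is the wrap-free form and also protects the later `malloc(length + len_len + l)`. decode_heim_any starts outside the hunk.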
@@ -320,9 +328,13 @@ generate_constant (const Symbol *s) } fprintf (headerfile, "} */\n"); - fprintf (headerfile, "const heim_oid *oid_%s(void);\n\n", + fprintf (headerfile, "const heim_oid *oid_%s(void);\n", + s->gen_name); + fprintf (headerfile, + "extern const heim_oid asn1_oid_%s;\n\n", s->gen_name); + fprintf (codefile, "static unsigned oid_%s_variable_num[%d] = {", s->gen_name, len); for (i = len ; i > 0; i--) { @@ -330,17 +342,20 @@ generate_constant (const Symbol *s) } fprintf(codefile, "};\n"); - fprintf (codefile, "static const heim_oid oid_%s_variable = " + fprintf (codefile, "const heim_oid asn1_oid_%s = " "{ %d, oid_%s_variable_num };\n\n", s->gen_name, len, s->gen_name); fprintf (codefile, "const heim_oid *oid_%s(void)\n" "{\n" - "return &oid_%s_variable;\n" + "return &asn1_oid_%s;\n" "}\n\n", s->gen_name, s->gen_name); - close_codefile(); + free(list); + + if (!one_code_file) + close_codefile(); break; } @@ -587,7 +602,7 @@ define_type (int level, const char *name, Type *t, int typedefp, int preservep) fprintf (headerfile, "struct %s {\n", typedefp ? name : ""); ASN1_TAILQ_FOREACH(m, t->members, members) { char *n; - + asprintf (&n, "%s:1", m->gen_name); if (n == NULL) errx(1, "malloc"); @@ -787,7 +802,8 @@ generate_type_header (const Symbol *s) void generate_type (const Symbol *s) { - generate_header_of_codefile(s->gen_name); + if (!one_code_file) + generate_header_of_codefile(s->gen_name); generate_type_header (s); generate_type_encode (s); @@ -798,5 +814,9 @@ generate_type (const Symbol *s) generate_type_seq (s); generate_glue (s->type, s->gen_name); fprintf(headerfile, "\n\n"); - close_codefile(); + + if (!one_code_file) { + fprintf(codefile, "\n\n"); + close_codefile(); + } } diff --git a/source4/heimdal/lib/asn1/gen_copy.c b/source4/heimdal/lib/asn1/gen_copy.c index 37c9304779..5042ed64ed 100644 --- a/source4/heimdal/lib/asn1/gen_copy.c +++ b/source4/heimdal/lib/asn1/gen_copy.c 
@@ -149,7 +149,7 @@ copy_type (const char *from, const char *to, const Type *t, int preserve) to, have_ellipsis->gen_name); used_fail++; } - fprintf(codefile, "}\n"); + fprintf(codefile, "}\n"); } break; } diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c index 2bd5acb47e..cf7f0b05dc 100644 --- a/source4/heimdal/lib/asn1/gen_decode.c +++ b/source4/heimdal/lib/asn1/gen_decode.c @@ -230,7 +230,7 @@ range_check(const char *name, static int decode_type (const char *name, const Type *t, int optional, - const char *forwstr, const char *tmpstr) + const char *forwstr, const char *tmpstr, const char *dertype) { switch (t->type) { case TType: { @@ -289,7 +289,17 @@ decode_type (const char *name, const Type *t, int optional, decode_primitive ("enumerated", name, forwstr); break; case TOctetString: + if (dertype) { + fprintf(codefile, + "if (%s == CONS) {\n", + dertype); + decode_primitive("octet_string_ber", name, forwstr); + fprintf(codefile, + "} else {\n"); + } decode_primitive ("octet_string", name, forwstr); + if (dertype) + fprintf(codefile, "}\n"); if (t->range) range_check(name, "length", forwstr, t->range); break; @@ -340,10 +350,10 @@ decode_type (const char *name, const Type *t, int optional, name, m->gen_name); if (s == NULL) errx(1, "malloc"); - decode_type (s, m->type, m->optional, forwstr, m->gen_name); + decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL); free (s); } - + break; } case TSet: { @@ -382,7 +392,7 @@ decode_type (const char *name, const Type *t, int optional, "%s = calloc(1, sizeof(*%s));\n" "if (%s == NULL) { e = ENOMEM; %s; }\n", s, s, s, forwstr); - decode_type (s, m->type, 0, forwstr, m->gen_name); + decode_type (s, m->type, 0, forwstr, m->gen_name, NULL); free (s); fprintf(codefile, "members |= (1 << %d);\n", memno); 
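Review bot: decode_type gains a `dertype` parameter that changes how TOctetString is emitted, but the new parameter is undocumented and every other call site just passes `NULL`, so a reader has to work back from the TTag case to learn what it means. Add above the definition: `/* dertype: NULL, or the name of a generated Der_type variable holding the encoding actually found on the enclosing tag; when set, an OCTET STRING is decoded with the octet_string_ber primitive if that type is CONS and with octet_string otherwise. */`. decode_type's body runs past the end of this hunk.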
@@ -458,7 +468,7 @@ decode_type (const char *name, const Type *t, int optional, asprintf (&sname, "%s_s_of", tmpstr); if (sname == NULL) errx(1, "malloc"); - decode_type (n, t->subtype, 0, forwstr, sname); + decode_type (n, t->subtype, 0, forwstr, sname, NULL); fprintf (codefile, "(%s)->len++;\n" "len = %s_origlen - ret;\n" @@ -480,21 +490,37 @@ decode_type (const char *name, const Type *t, int optional, decode_primitive ("general_string", name, forwstr); break; case TTag:{ - char *tname; + char *tname, *typestring; + char *ide = NULL; + + asprintf(&typestring, "%s_type", tmpstr); fprintf(codefile, "{\n" - "size_t %s_datalen, %s_oldlen;\n", - tmpstr, tmpstr); - if(dce_fix) + "size_t %s_datalen, %s_oldlen;\n" + "Der_type %s;\n", + tmpstr, tmpstr, typestring); + if(support_ber) fprintf(codefile, - "int dce_fix;\n"); - fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, %s, %s, " + "int is_indefinite;\n"); + + fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, " "&%s_datalen, &l);\n", classname(t->tag.tagclass), - is_primitive_type(t->subtype->type) ? "PRIM" : "CONS", + typestring, valuename(t->tag.tagclass, t->tag.tagvalue), tmpstr); + + /* XXX hardcode for now */ + if (support_ber && t->subtype->type == TOctetString) { + ide = typestring; + } else { + fprintf(codefile, + "if (e == 0 && %s != %s) { e = ASN1_BAD_ID; }\n", + typestring, + is_primitive_type(t->subtype->type) ? "PRIM" : "CONS"); + } + if(optional) { fprintf(codefile, "if(e) {\n" 
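Review bot: `asprintf(&typestring, "%s_type", tmpstr);` in the TTag case has no NULL check, unlike `asprintf (&tname, "%s_Tag", tmpstr); if (tname == NULL) errx(1, "malloc");` a few lines later in the same function; on allocation failure `typestring` is then used as a `%s` argument and later freed. Add `if (typestring == NULL) errx(1, "malloc");` right after it. The `/* XXX hardcode for now */` comment also undersells what the branch does: with `support_ber` and an OCTET STRING subtype the generated decoder deliberately skips the `%s != PRIM/CONS` check so that a constructed encoding reaches the BER octet-string path, which is worth stating, e.g. `/* BER: a tagged OCTET STRING may be PRIM or CONS; pass the actual type down instead of enforcing one here. Every other subtype must match its expected encoding. */`. decode_type starts and ends outside this hunk.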
@@ -510,11 +536,12 @@ decode_type (const char *name, const Type *t, int optional, "p += l; len -= l; ret += l;\n" "%s_oldlen = len;\n", tmpstr); - if(dce_fix) + if(support_ber) fprintf (codefile, - "if((dce_fix = _heim_fix_dce(%s_datalen, &len)) < 0)\n" - "{ e = ASN1_BAD_FORMAT; %s; }\n", - tmpstr, forwstr); + "if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n" + "{ e = ASN1_BAD_FORMAT; %s; }\n" + "if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }", + tmpstr, forwstr, forwstr); else fprintf(codefile, "if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n" @@ -522,15 +549,22 @@ decode_type (const char *name, const Type *t, int optional, asprintf (&tname, "%s_Tag", tmpstr); if (tname == NULL) errx(1, "malloc"); - decode_type (name, t->subtype, 0, forwstr, tname); - if(dce_fix) + decode_type (name, t->subtype, 0, forwstr, tname, ide); + if(support_ber) fprintf(codefile, - "if(dce_fix){\n" - "e = der_match_tag_and_length (p, len, " - "(Der_class)0,(Der_type)0, UT_EndOfContent, " + "if(is_indefinite){\n" + "len += 2;\n" + "e = der_match_tag_and_length(p, len, " + "(Der_class)0, &%s, UT_EndOfContent, " "&%s_datalen, &l);\n" - "if(e) %s;\np += l; len -= l; ret += l;\n" - "} else \n", tmpstr, forwstr); + "if(e) %s;\n" + "p += l; len -= l; ret += l;\n" + "if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n" + "} else \n", + typestring, + tmpstr, + forwstr, + typestring, forwstr); fprintf(codefile, "len = %s_oldlen - %s_datalen;\n", tmpstr, tmpstr); @@ -540,6 +574,7 @@ decode_type (const char *name, const Type *t, int optional, fprintf(codefile, "}\n"); free(tname); + free(typestring); break; } case TChoice: { @@ -555,7 +590,7 @@ decode_type (const char *name, const Type *t, int optional, Der_class cl; Der_type ty; unsigned tag; - + if (m->ellipsis) { have_ellipsis = m; continue; 
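Review bot: The emitted EOC match `der_match_tag_and_length(p, len, (Der_class)0, &%s, UT_EndOfContent, &%s_datalen, &l)` checks class, tag and (on the following generated line) the Der_type, but never checks the length it read into `%s_datalen`, so a malformed `00 05` terminator is accepted as end-of-contents and the five bytes it claims are neither validated nor consumed. Emit `"if (%s_datalen != 0) { e = ASN1_BAD_FORMAT; %s; }\n"` after the `(Der_type)0` check. The earlier format string ending `"len -= 2; }"` also lacks a trailing `\n`, so the next emitted statement lands on the same line of the generated C, which hurts anyone stepping through the generated decoder. The `len -= 2` / `len += 2` bookkeeping relies on `_heim_fix_dce` reporting indefinite length, which is outside this diff.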
@@ -573,7 +608,7 @@ decode_type (const char *name, const Type *t, int optional, name, m->gen_name); if (s == NULL) errx(1, "malloc"); - decode_type (s, m->type, m->optional, forwstr, m->gen_name); + decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL); fprintf(codefile, "(%s)->element = %s;\n", name, m->label); @@ -695,7 +730,7 @@ generate_type_decode (const Symbol *s) fprintf (codefile, "\n"); fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */ - decode_type ("data", s->type, 0, "goto fail", "Top"); + decode_type ("data", s->type, 0, "goto fail", "Top", NULL); if (preserve) fprintf (codefile, "data->_save.data = calloc(1, ret);\n" diff --git a/source4/heimdal/lib/asn1/gen_encode.c b/source4/heimdal/lib/asn1/gen_encode.c index d80a2f8d1f..1f8078a0ee 100644 --- a/source4/heimdal/lib/asn1/gen_encode.c +++ b/source4/heimdal/lib/asn1/gen_encode.c @@ -257,7 +257,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) if (t->members == NULL) break; - + ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) { char *s; @@ -388,7 +388,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) int c; asprintf (&tname, "%s_tag", tmpstr); if (tname == NULL) - errx(1, "malloc"); + errx(1, "malloc"); c = encode_type (name, t->subtype, tname); fprintf (codefile, "e = der_put_length_and_tag (p, len, ret, %s, %s, %s, &l);\n" diff --git a/source4/heimdal/lib/asn1/gen_free.c b/source4/heimdal/lib/asn1/gen_free.c index 305d7de247..fac1f6da5d 100644 --- a/source4/heimdal/lib/asn1/gen_free.c +++ b/source4/heimdal/lib/asn1/gen_free.c @@ -110,7 +110,7 @@ free_type (const char *name, const Type *t, int preserve) if(t->type == TChoice) fprintf(codefile, "break;\n"); } - + if(t->type == TChoice) { if (have_ellipsis) fprintf(codefile, diff --git a/source4/heimdal/lib/asn1/gen_length.c b/source4/heimdal/lib/asn1/gen_length.c index a1df4eef6b..7f9755e2da 100644 --- a/source4/heimdal/lib/asn1/gen_length.c 
+++ b/source4/heimdal/lib/asn1/gen_length.c @@ -139,7 +139,7 @@ length_type (const char *name, const Type *t, ASN1_TAILQ_FOREACH(m, t->members, members) { char *s; - + if (m->ellipsis) { have_ellipsis = m; continue; diff --git a/source4/heimdal/lib/asn1/gen_locl.h b/source4/heimdal/lib/asn1/gen_locl.h index c8b3896314..2bb64b5a38 100644 --- a/source4/heimdal/lib/asn1/gen_locl.h +++ b/source4/heimdal/lib/asn1/gen_locl.h @@ -36,9 +36,8 @@ #ifndef __GEN_LOCL_H__ #define __GEN_LOCL_H__ -#ifdef HAVE_CONFIG_H #include -#endif + #include #include #include @@ -80,9 +79,14 @@ int yyparse(void); int preserve_type(const char *); int seq_type(const char *); +void generate_header_of_codefile(const char *); +void close_codefile(void); + + extern FILE *headerfile, *codefile, *logfile; -extern int dce_fix; +extern int support_ber; extern int rfc1510_bitstring; +extern int one_code_file; extern int error_flag; diff --git a/source4/heimdal/lib/asn1/k5.asn1 b/source4/heimdal/lib/asn1/k5.asn1 deleted file mode 100644 index 9b36498161..0000000000 --- a/source4/heimdal/lib/asn1/k5.asn1 +++ /dev/null 
@@ -1,671 +0,0 @@ --- $Id$ - -KERBEROS5 DEFINITIONS ::= -BEGIN - -NAME-TYPE ::= INTEGER { - KRB5_NT_UNKNOWN(0), -- Name type not known - KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in - KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt) - KRB5_NT_SRV_HST(3), -- Service with host name as instance - KRB5_NT_SRV_XHST(4), -- Service with host as remaining components - KRB5_NT_UID(5), -- Unique ID - KRB5_NT_X500_PRINCIPAL(6), -- PKINIT - KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name - KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN - KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID - KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name - KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID -} - --- message types - -MESSAGE-TYPE ::= INTEGER { - krb-as-req(10), -- Request for initial authentication - krb-as-rep(11), -- Response to KRB_AS_REQ request - krb-tgs-req(12), -- Request for authentication based on TGT - krb-tgs-rep(13), -- Response to KRB_TGS_REQ request - krb-ap-req(14), -- application request to server - krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL - krb-safe(20), -- Safe (checksummed) application message - krb-priv(21), -- Private (encrypted) application message - krb-cred(22), -- Private (encrypted) message to forward credentials - krb-error(30) -- Error response -} - - --- pa-data types - -PADATA-TYPE ::= INTEGER { - KRB5-PADATA-NONE(0), - KRB5-PADATA-TGS-REQ(1), - KRB5-PADATA-AP-REQ(1), - KRB5-PADATA-ENC-TIMESTAMP(2), - KRB5-PADATA-PW-SALT(3), - KRB5-PADATA-ENC-UNIX-TIME(5), - KRB5-PADATA-SANDIA-SECUREID(6), - KRB5-PADATA-SESAME(7), - KRB5-PADATA-OSF-DCE(8), - KRB5-PADATA-CYBERSAFE-SECUREID(9), - KRB5-PADATA-AFS3-SALT(10), - KRB5-PADATA-ETYPE-INFO(11), - KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) - KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) - KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) - KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) - KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number) 
- KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) - KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) - KRB5-PADATA-PA-PK-OCSP-RESPONSE(18), - KRB5-PADATA-ETYPE-INFO2(19), - KRB5-PADATA-USE-SPECIFIED-KVNO(20), - KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number - KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) - KRB5-PADATA-GET-FROM-TYPED-DATA(22), - KRB5-PADATA-SAM-ETYPE-INFO(23), - KRB5-PADATA-SERVER-REFERRAL(25), - KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName - KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT - KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT - KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific - KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER - KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER - KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com - KRB5-PADATA-S4U2SELF(129), - KRB5-PADATA-EPAC(130), -- EPAK - KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to - -- tell KDC that is supports - -- the asCheckSum in the - -- PK-AS-REP - KRB5-PADATA-CLIENT-CANONICALIZED(133) -- -} - -AUTHDATA-TYPE ::= INTEGER { - KRB5-AUTHDATA-IF-RELEVANT(1), - KRB5-AUTHDATA-INTENDED-FOR_SERVER(2), - KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), - KRB5-AUTHDATA-KDC-ISSUED(4), - KRB5-AUTHDATA-AND-OR(5), - KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), - KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), - KRB5-AUTHDATA-MANDATORY-FOR-KDC(8), - KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), - KRB5-AUTHDATA-OSF-DCE(64), - KRB5-AUTHDATA-SESAME(65), - KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), - KRB5-AUTHDATA-WIN2K-PAC(128), - KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only - KRB5-AUTHDATA-SIGNTICKET-OLD(-17), - KRB5-AUTHDATA-SIGNTICKET(142) -} - --- checksumtypes - -CKSUMTYPE ::= INTEGER { - CKSUMTYPE_NONE(0), - CKSUMTYPE_CRC32(1), - CKSUMTYPE_RSA_MD4(2), - CKSUMTYPE_RSA_MD4_DES(3), - CKSUMTYPE_DES_MAC(4), - CKSUMTYPE_DES_MAC_K(5), - CKSUMTYPE_RSA_MD4_DES_K(6), - CKSUMTYPE_RSA_MD5(7), - CKSUMTYPE_RSA_MD5_DES(8), - CKSUMTYPE_RSA_MD5_DES3(9), - 
CKSUMTYPE_SHA1_OTHER(10), - CKSUMTYPE_HMAC_SHA1_DES3(12), - CKSUMTYPE_SHA1(14), - CKSUMTYPE_HMAC_SHA1_96_AES_128(15), - CKSUMTYPE_HMAC_SHA1_96_AES_256(16), - CKSUMTYPE_GSSAPI(0x8003), - CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number - CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial -} - ---enctypes -ENCTYPE ::= INTEGER { - ETYPE_NULL(0), - ETYPE_DES_CBC_CRC(1), - ETYPE_DES_CBC_MD4(2), - ETYPE_DES_CBC_MD5(3), - ETYPE_DES3_CBC_MD5(5), - ETYPE_OLD_DES3_CBC_SHA1(7), - ETYPE_SIGN_DSA_GENERATE(8), - ETYPE_ENCRYPT_RSA_PRIV(9), - ETYPE_ENCRYPT_RSA_PUB(10), - ETYPE_DES3_CBC_SHA1(16), -- with key derivation - ETYPE_AES128_CTS_HMAC_SHA1_96(17), - ETYPE_AES256_CTS_HMAC_SHA1_96(18), - ETYPE_ARCFOUR_HMAC_MD5(23), - ETYPE_ARCFOUR_HMAC_MD5_56(24), - ETYPE_ENCTYPE_PK_CROSS(48), --- some "old" windows types - ETYPE_ARCFOUR_MD4(-128), - ETYPE_ARCFOUR_HMAC_OLD(-133), - ETYPE_ARCFOUR_HMAC_OLD_EXP(-135), --- these are for Heimdal internal use - ETYPE_DES_CBC_NONE(-0x1000), - ETYPE_DES3_CBC_NONE(-0x1001), - ETYPE_DES_CFB64_NONE(-0x1002), - ETYPE_DES_PCBC_NONE(-0x1003), - ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com - ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com -} - - - - --- this is sugar to make something ASN1 does not have: unsigned - -krb5uint32 ::= INTEGER (0..4294967295) -krb5int32 ::= INTEGER (-2147483648..2147483647) - -KerberosString ::= GeneralString - -Realm ::= GeneralString -PrincipalName ::= SEQUENCE { - name-type[0] NAME-TYPE, - name-string[1] SEQUENCE OF GeneralString -} - --- this is not part of RFC1510 -Principal ::= SEQUENCE { - name[0] PrincipalName, - realm[1] Realm -} - -HostAddress ::= SEQUENCE { - addr-type[0] krb5int32, - address[1] OCTET STRING -} - --- This is from RFC1510. --- --- HostAddresses ::= SEQUENCE OF SEQUENCE { --- addr-type[0] krb5int32, --- address[1] OCTET STRING --- } - --- This seems much better. 
-HostAddresses ::= SEQUENCE OF HostAddress - - -KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z) - -AuthorizationDataElement ::= SEQUENCE { - ad-type[0] krb5int32, - ad-data[1] OCTET STRING -} - -AuthorizationData ::= SEQUENCE OF AuthorizationDataElement - -APOptions ::= BIT STRING { - reserved(0), - use-session-key(1), - mutual-required(2) -} - -TicketFlags ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - may-postdate(5), - postdated(6), - invalid(7), - renewable(8), - initial(9), - pre-authent(10), - hw-authent(11), - transited-policy-checked(12), - ok-as-delegate(13), - anonymous(14) -} - -KDCOptions ::= BIT STRING { - reserved(0), - forwardable(1), - forwarded(2), - proxiable(3), - proxy(4), - allow-postdate(5), - postdated(6), - unused7(7), - renewable(8), - unused9(9), - unused10(10), - unused11(11), - request-anonymous(14), - canonicalize(15), - constrained-delegation(16), -- ms extension - disable-transited-check(26), - renewable-ok(27), - enc-tkt-in-skey(28), - renew(30), - validate(31) -} - -LR-TYPE ::= INTEGER { - LR_NONE(0), -- no information - LR_INITIAL_TGT(1), -- last initial TGT request - LR_INITIAL(2), -- last initial request - LR_ISSUE_USE_TGT(3), -- time of newest TGT used - LR_RENEWAL(4), -- time of last renewal - LR_REQUEST(5), -- time of last request (of any type) - LR_PW_EXPTIME(6), -- expiration time of password - LR_ACCT_EXPTIME(7) -- expiration time of account -} - -LastReq ::= SEQUENCE OF SEQUENCE { - lr-type[0] LR-TYPE, - lr-value[1] KerberosTime -} - - -EncryptedData ::= SEQUENCE { - etype[0] ENCTYPE, -- EncryptionType - kvno[1] krb5int32 OPTIONAL, - cipher[2] OCTET STRING -- ciphertext -} - -EncryptionKey ::= SEQUENCE { - keytype[0] krb5int32, - keyvalue[1] OCTET STRING -} - --- encoded Transited field -TransitedEncoding ::= SEQUENCE { - tr-type[0] krb5int32, -- must be registered - contents[1] OCTET STRING -} - -Ticket ::= [APPLICATION 1] SEQUENCE { - tkt-vno[0] krb5int32, 
- realm[1] Realm, - sname[2] PrincipalName, - enc-part[3] EncryptedData -} --- Encrypted part of ticket -EncTicketPart ::= [APPLICATION 3] SEQUENCE { - flags[0] TicketFlags, - key[1] EncryptionKey, - crealm[2] Realm, - cname[3] PrincipalName, - transited[4] TransitedEncoding, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - caddr[9] HostAddresses OPTIONAL, - authorization-data[10] AuthorizationData OPTIONAL -} - -Checksum ::= SEQUENCE { - cksumtype[0] CKSUMTYPE, - checksum[1] OCTET STRING -} - -Authenticator ::= [APPLICATION 2] SEQUENCE { - authenticator-vno[0] krb5int32, - crealm[1] Realm, - cname[2] PrincipalName, - cksum[3] Checksum OPTIONAL, - cusec[4] krb5int32, - ctime[5] KerberosTime, - subkey[6] EncryptionKey OPTIONAL, - seq-number[7] krb5uint32 OPTIONAL, - authorization-data[8] AuthorizationData OPTIONAL -} - -PA-DATA ::= SEQUENCE { - -- might be encoded AP-REQ - padata-type[1] PADATA-TYPE, - padata-value[2] OCTET STRING -} - -ETYPE-INFO-ENTRY ::= SEQUENCE { - etype[0] ENCTYPE, - salt[1] OCTET STRING OPTIONAL, - salttype[2] krb5int32 OPTIONAL -} - -ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY - -ETYPE-INFO2-ENTRY ::= SEQUENCE { - etype[0] ENCTYPE, - salt[1] KerberosString OPTIONAL, - s2kparams[2] OCTET STRING OPTIONAL -} - -ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY - -METHOD-DATA ::= SEQUENCE OF PA-DATA - -TypedData ::= SEQUENCE { - data-type[0] krb5int32, - data-value[1] OCTET STRING OPTIONAL -} - -TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData - -KDC-REQ-BODY ::= SEQUENCE { - kdc-options[0] KDCOptions, - cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ - realm[2] Realm, -- Server's realm - -- Also client's in AS-REQ - sname[3] PrincipalName OPTIONAL, - from[4] KerberosTime OPTIONAL, - till[5] KerberosTime OPTIONAL, - rtime[6] KerberosTime OPTIONAL, - nonce[7] krb5int32, - etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType, - -- in preference 
order - addresses[9] HostAddresses OPTIONAL, - enc-authorization-data[10] EncryptedData OPTIONAL, - -- Encrypted AuthorizationData encoding - additional-tickets[11] SEQUENCE OF Ticket OPTIONAL -} - -KDC-REQ ::= SEQUENCE { - pvno[1] krb5int32, - msg-type[2] MESSAGE-TYPE, - padata[3] METHOD-DATA OPTIONAL, - req-body[4] KDC-REQ-BODY -} - -AS-REQ ::= [APPLICATION 10] KDC-REQ -TGS-REQ ::= [APPLICATION 12] KDC-REQ - --- padata-type ::= PA-ENC-TIMESTAMP --- padata-value ::= EncryptedData - PA-ENC-TS-ENC - -PA-ENC-TS-ENC ::= SEQUENCE { - patimestamp[0] KerberosTime, -- client's time - pausec[1] krb5int32 OPTIONAL -} - --- draft-brezak-win2k-krb-authz-01 -PA-PAC-REQUEST ::= SEQUENCE { - include-pac[0] BOOLEAN -- Indicates whether a PAC - -- should be included or not -} - --- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf -PROV-SRV-LOCATION ::= GeneralString - -KDC-REP ::= SEQUENCE { - pvno[0] krb5int32, - msg-type[1] MESSAGE-TYPE, - padata[2] METHOD-DATA OPTIONAL, - crealm[3] Realm, - cname[4] PrincipalName, - ticket[5] Ticket, - enc-part[6] EncryptedData -} - -AS-REP ::= [APPLICATION 11] KDC-REP -TGS-REP ::= [APPLICATION 13] KDC-REP - -EncKDCRepPart ::= SEQUENCE { - key[0] EncryptionKey, - last-req[1] LastReq, - nonce[2] krb5int32, - key-expiration[3] KerberosTime OPTIONAL, - flags[4] TicketFlags, - authtime[5] KerberosTime, - starttime[6] KerberosTime OPTIONAL, - endtime[7] KerberosTime, - renew-till[8] KerberosTime OPTIONAL, - srealm[9] Realm, - sname[10] PrincipalName, - caddr[11] HostAddresses OPTIONAL, - encrypted-pa-data[12] METHOD-DATA OPTIONAL -} - -EncASRepPart ::= [APPLICATION 25] EncKDCRepPart -EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart - -AP-REQ ::= [APPLICATION 14] SEQUENCE { - pvno[0] krb5int32, - msg-type[1] MESSAGE-TYPE, - ap-options[2] APOptions, - ticket[3] Ticket, - authenticator[4] EncryptedData -} - -AP-REP ::= [APPLICATION 15] SEQUENCE { - pvno[0] krb5int32, - msg-type[1] MESSAGE-TYPE, - enc-part[2] EncryptedData -} - 
-EncAPRepPart ::= [APPLICATION 27] SEQUENCE { - ctime[0] KerberosTime, - cusec[1] krb5int32, - subkey[2] EncryptionKey OPTIONAL, - seq-number[3] krb5uint32 OPTIONAL -} - -KRB-SAFE-BODY ::= SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] krb5int32 OPTIONAL, - seq-number[3] krb5uint32 OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KRB-SAFE ::= [APPLICATION 20] SEQUENCE { - pvno[0] krb5int32, - msg-type[1] MESSAGE-TYPE, - safe-body[2] KRB-SAFE-BODY, - cksum[3] Checksum -} - -KRB-PRIV ::= [APPLICATION 21] SEQUENCE { - pvno[0] krb5int32, - msg-type[1] MESSAGE-TYPE, - enc-part[3] EncryptedData -} -EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { - user-data[0] OCTET STRING, - timestamp[1] KerberosTime OPTIONAL, - usec[2] krb5int32 OPTIONAL, - seq-number[3] krb5uint32 OPTIONAL, - s-address[4] HostAddress OPTIONAL, -- sender's addr - r-address[5] HostAddress OPTIONAL -- recip's addr -} - -KRB-CRED ::= [APPLICATION 22] SEQUENCE { - pvno[0] krb5int32, - msg-type[1] MESSAGE-TYPE, -- KRB_CRED - tickets[2] SEQUENCE OF Ticket, - enc-part[3] EncryptedData -} - -KrbCredInfo ::= SEQUENCE { - key[0] EncryptionKey, - prealm[1] Realm OPTIONAL, - pname[2] PrincipalName OPTIONAL, - flags[3] TicketFlags OPTIONAL, - authtime[4] KerberosTime OPTIONAL, - starttime[5] KerberosTime OPTIONAL, - endtime[6] KerberosTime OPTIONAL, - renew-till[7] KerberosTime OPTIONAL, - srealm[8] Realm OPTIONAL, - sname[9] PrincipalName OPTIONAL, - caddr[10] HostAddresses OPTIONAL -} - -EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { - ticket-info[0] SEQUENCE OF KrbCredInfo, - nonce[1] krb5int32 OPTIONAL, - timestamp[2] KerberosTime OPTIONAL, - usec[3] krb5int32 OPTIONAL, - s-address[4] HostAddress OPTIONAL, - r-address[5] HostAddress OPTIONAL -} - -KRB-ERROR ::= [APPLICATION 30] SEQUENCE { - pvno[0] krb5int32, - msg-type[1] MESSAGE-TYPE, - ctime[2] KerberosTime OPTIONAL, - cusec[3] krb5int32 OPTIONAL, - stime[4] KerberosTime, - 
susec[5] krb5int32, - error-code[6] krb5int32, - crealm[7] Realm OPTIONAL, - cname[8] PrincipalName OPTIONAL, - realm[9] Realm, -- Correct realm - sname[10] PrincipalName, -- Correct name - e-text[11] GeneralString OPTIONAL, - e-data[12] OCTET STRING OPTIONAL -} - -ChangePasswdDataMS ::= SEQUENCE { - newpasswd[0] OCTET STRING, - targname[1] PrincipalName OPTIONAL, - targrealm[2] Realm OPTIONAL -} - -EtypeList ::= SEQUENCE OF krb5int32 - -- the client's proposed enctype list in - -- decreasing preference order, favorite choice first - -krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number - --- transited encodings - -DOMAIN-X500-COMPRESS krb5int32 ::= 1 - --- authorization data primitives - -AD-IF-RELEVANT ::= AuthorizationData - -AD-KDCIssued ::= SEQUENCE { - ad-checksum[0] Checksum, - i-realm[1] Realm OPTIONAL, - i-sname[2] PrincipalName OPTIONAL, - elements[3] AuthorizationData -} - -AD-AND-OR ::= SEQUENCE { - condition-count[0] INTEGER, - elements[1] AuthorizationData -} - -AD-MANDATORY-FOR-KDC ::= AuthorizationData - --- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2 - -PA-SAM-TYPE ::= INTEGER { - PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic - PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways - PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0 - PA_SAM_TYPE_SKEY(4), -- Traditional S/Key - PA_SAM_TYPE_SECURID(5), -- Security Dynamics - PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard -} - -PA-SAM-REDIRECT ::= HostAddresses - -SAMFlags ::= BIT STRING { - use-sad-as-key(0), - send-encrypted-sad(1), - must-pk-encrypt-sad(2) -} - -PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE { - sam-type[0] krb5int32, - sam-flags[1] SAMFlags, - sam-type-name[2] GeneralString OPTIONAL, - sam-track-id[3] GeneralString OPTIONAL, - sam-challenge-label[4] GeneralString OPTIONAL, - sam-challenge[5] GeneralString OPTIONAL, - sam-response-prompt[6] GeneralString OPTIONAL, - sam-pk-for-sad[7] EncryptionKey OPTIONAL, - sam-nonce[8] krb5int32, - sam-etype[9] krb5int32, - ... 
-} - -PA-SAM-CHALLENGE-2 ::= SEQUENCE { - sam-body[0] PA-SAM-CHALLENGE-2-BODY, - sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX) - ... -} - -PA-SAM-RESPONSE-2 ::= SEQUENCE { - sam-type[0] krb5int32, - sam-flags[1] SAMFlags, - sam-track-id[2] GeneralString OPTIONAL, - sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC - sam-nonce[4] krb5int32, - ... -} - -PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE { - sam-nonce[0] krb5int32, - sam-sad[1] GeneralString OPTIONAL, - ... -} - -PA-S4U2Self ::= SEQUENCE { - name[0] PrincipalName, - realm[1] Realm, - cksum[2] Checksum, - auth[3] GeneralString -} - -KRB5SignedPathPrincipals ::= SEQUENCE OF Principal - --- never encoded on the wire, just used to checksum over -KRB5SignedPathData ::= SEQUENCE { - encticket[0] EncTicketPart, - delegated[1] KRB5SignedPathPrincipals OPTIONAL -} - -KRB5SignedPath ::= SEQUENCE { - -- DERcoded KRB5SignedPathData - -- krbtgt key (etype), KeyUsage = XXX - etype[0] ENCTYPE, - cksum[1] Checksum, - -- srvs delegated though - delegated[2] KRB5SignedPathPrincipals OPTIONAL -} - -PA-ClientCanonicalizedNames ::= SEQUENCE{ - requested-name [0] PrincipalName, - mapped-name [1] PrincipalName -} - -PA-ClientCanonicalized ::= SEQUENCE { - names [0] PA-ClientCanonicalizedNames, - canon-checksum [1] Checksum -} - -AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD -- - login-alias [0] PrincipalName, - checksum [1] Checksum -} - --- old ms referral -PA-SvrReferralData ::= SEQUENCE { - referred-name [1] PrincipalName OPTIONAL, - referred-realm [0] Realm -} - -PA-SERVER-REFERRAL-DATA ::= EncryptedData - -PA-ServerReferralData ::= SEQUENCE { - referred-realm [0] Realm OPTIONAL, - true-principal-name [1] PrincipalName OPTIONAL, - requested-principal-name [2] PrincipalName OPTIONAL, - referral-valid-until [3] KerberosTime OPTIONAL, - ... -} - -END - --- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1 
diff --git a/source4/heimdal/lib/asn1/krb5.asn1 b/source4/heimdal/lib/asn1/krb5.asn1
new file mode 100644
index 0000000000..8edb0fde69
--- /dev/null
+++ b/source4/heimdal/lib/asn1/krb5.asn1
@@ -0,0 +1,750 @@
+-- $Id$
+
+KERBEROS5 DEFINITIONS ::=
+BEGIN
+
+NAME-TYPE ::= INTEGER {
+ KRB5_NT_UNKNOWN(0), -- Name type not known
+ KRB5_NT_PRINCIPAL(1), -- Just the name of the principal as in
+ KRB5_NT_SRV_INST(2), -- Service and other unique instance (krbtgt)
+ KRB5_NT_SRV_HST(3), -- Service with host name as instance
+ KRB5_NT_SRV_XHST(4), -- Service with host as remaining components
+ KRB5_NT_UID(5), -- Unique ID
+ KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
+ KRB5_NT_SMTP_NAME(7), -- Name in form of SMTP email name
+ KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
+ KRB5_NT_WELLKNOWN(11), -- Wellknown
+ KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
+ KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
+ KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID
+}
+
+-- message types
+
+MESSAGE-TYPE ::= INTEGER {
+ krb-as-req(10), -- Request for initial authentication
+ krb-as-rep(11), -- Response to KRB_AS_REQ request
+ krb-tgs-req(12), -- Request for authentication based on TGT
+ krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
+ krb-ap-req(14), -- application request to server
+ krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
+ krb-safe(20), -- Safe (checksummed) application message
+ krb-priv(21), -- Private (encrypted) application message
+ krb-cred(22), -- Private (encrypted) message to forward credentials
+ krb-error(30) -- Error response
+}
+
+
+-- pa-data types
+
+PADATA-TYPE ::= INTEGER {
+ KRB5-PADATA-NONE(0),
+ KRB5-PADATA-TGS-REQ(1),
+ KRB5-PADATA-AP-REQ(1),
+ KRB5-PADATA-ENC-TIMESTAMP(2),
+ KRB5-PADATA-PW-SALT(3),
+ KRB5-PADATA-ENC-UNIX-TIME(5),
+ KRB5-PADATA-SANDIA-SECUREID(6),
+ KRB5-PADATA-SESAME(7),
+ KRB5-PADATA-OSF-DCE(8),
+ KRB5-PADATA-CYBERSAFE-SECUREID(9),
+ KRB5-PADATA-AFS3-SALT(10),
+ KRB5-PADATA-ETYPE-INFO(11),
+ KRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
+ KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
+ KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
+ KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
+ KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
+ KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
+ KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
+ KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
+ KRB5-PADATA-ETYPE-INFO2(19),
+ KRB5-PADATA-USE-SPECIFIED-KVNO(20),
+ KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
+ KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
+ KRB5-PADATA-GET-FROM-TYPED-DATA(22),
+ KRB5-PADATA-SAM-ETYPE-INFO(23),
+ KRB5-PADATA-SERVER-REFERRAL(25),
+ KRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
+ KRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
+ KRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
+ KRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
+ KRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
+ KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
+ KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
+ KRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
+ KRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
+ KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
+ KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
+ KRB5-PADATA-FOR-USER(129), -- MS-KILE
+ KRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
+ KRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
+ KRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
+ KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
+ -- tell KDC that is supports
+ -- the asCheckSum in the
+ -- PK-AS-REP
+ KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals
+ KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
+ KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
+ KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
+ KRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
+ KRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
+ KRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
+ KRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
+ KRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
+ KBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
+ KRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
+ KRB5-PADATA-EPAK-AS-REQ(145),
+ KRB5-PADATA-EPAK-AS-REP(146),
+ KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
+ KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
+ KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
+}
+
+AUTHDATA-TYPE ::= INTEGER {
+ KRB5-AUTHDATA-IF-RELEVANT(1),
+ KRB5-AUTHDATA-INTENDED-FOR_SERVER(2),
+ KRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
+ KRB5-AUTHDATA-KDC-ISSUED(4),
+ KRB5-AUTHDATA-AND-OR(5),
+ KRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
+ KRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
+ KRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
+ KRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
+ KRB5-AUTHDATA-OSF-DCE(64),
+ KRB5-AUTHDATA-SESAME(65),
+ KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
+ KRB5-AUTHDATA-WIN2K-PAC(128),
+ KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
+ KRB5-AUTHDATA-SIGNTICKET-OLD(-17),
+ KRB5-AUTHDATA-SIGNTICKET(142)
+}
+
+-- checksumtypes
+
+CKSUMTYPE ::= INTEGER {
+ CKSUMTYPE_NONE(0),
+ CKSUMTYPE_CRC32(1),
+ CKSUMTYPE_RSA_MD4(2),
+ CKSUMTYPE_RSA_MD4_DES(3),
+ CKSUMTYPE_DES_MAC(4),
+ CKSUMTYPE_DES_MAC_K(5),
+ CKSUMTYPE_RSA_MD4_DES_K(6),
+ CKSUMTYPE_RSA_MD5(7),
+ CKSUMTYPE_RSA_MD5_DES(8),
+ CKSUMTYPE_RSA_MD5_DES3(9),
+ CKSUMTYPE_SHA1_OTHER(10),
+ CKSUMTYPE_HMAC_SHA1_DES3(12),
+ CKSUMTYPE_SHA1(14),
+ CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
+ CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
+ CKSUMTYPE_GSSAPI(0x8003),
+ CKSUMTYPE_HMAC_MD5(-138), -- unofficial microsoft number
+ CKSUMTYPE_HMAC_MD5_ENC(-1138) -- even more unofficial
+}
+
+--enctypes
+ENCTYPE ::= INTEGER {
+ ETYPE_NULL(0),
+ ETYPE_DES_CBC_CRC(1),
+ ETYPE_DES_CBC_MD4(2),
+ ETYPE_DES_CBC_MD5(3),
+ ETYPE_DES3_CBC_MD5(5),
+ ETYPE_OLD_DES3_CBC_SHA1(7),
+ ETYPE_SIGN_DSA_GENERATE(8),
+ ETYPE_ENCRYPT_RSA_PRIV(9),
+ ETYPE_ENCRYPT_RSA_PUB(10),
+ ETYPE_DES3_CBC_SHA1(16), -- with key derivation
+ ETYPE_AES128_CTS_HMAC_SHA1_96(17),
+ ETYPE_AES256_CTS_HMAC_SHA1_96(18),
+ ETYPE_ARCFOUR_HMAC_MD5(23),
+ ETYPE_ARCFOUR_HMAC_MD5_56(24),
+ ETYPE_ENCTYPE_PK_CROSS(48),
+-- some "old" windows types
+ ETYPE_ARCFOUR_MD4(-128),
+ ETYPE_ARCFOUR_HMAC_OLD(-133),
+ ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
+-- these are for Heimdal internal use
+ ETYPE_DES_CBC_NONE(-0x1000),
+ ETYPE_DES3_CBC_NONE(-0x1001),
+ ETYPE_DES_CFB64_NONE(-0x1002),
+ ETYPE_DES_PCBC_NONE(-0x1003),
+ ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
+ ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
+}
+
+
+
+
+-- this is sugar to make something ASN1 does not have: unsigned
+
+krb5uint32 ::= INTEGER (0..4294967295)
+krb5int32 ::= INTEGER (-2147483648..2147483647)
+
+KerberosString ::= GeneralString
+
+Realm ::= GeneralString
+PrincipalName ::= SEQUENCE {
+ name-type[0] NAME-TYPE,
+ name-string[1] SEQUENCE OF GeneralString
+}
+
+-- this is not part of RFC1510
+Principal ::= SEQUENCE {
+ name[0] PrincipalName,
+ realm[1] Realm
+}
+
+Principals ::= SEQUENCE OF Principal
+
+HostAddress ::= SEQUENCE {
+ addr-type[0] krb5int32,
+ address[1] OCTET STRING
+}
+
+-- This is from RFC1510.
+--
+-- HostAddresses ::= SEQUENCE OF SEQUENCE {
+-- addr-type[0] krb5int32,
+-- address[1] OCTET STRING
+-- }
+
+-- This seems much better.
+HostAddresses ::= SEQUENCE OF HostAddress
+
+
+KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
+
+AuthorizationDataElement ::= SEQUENCE {
+ ad-type[0] krb5int32,
+ ad-data[1] OCTET STRING
+}
+
+AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
+
+APOptions ::= BIT STRING {
+ reserved(0),
+ use-session-key(1),
+ mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+ reserved(0),
+ forwardable(1),
+ forwarded(2),
+ proxiable(3),
+ proxy(4),
+ may-postdate(5),
+ postdated(6),
+ invalid(7),
+ renewable(8),
+ initial(9),
+ pre-authent(10),
+ hw-authent(11),
+ transited-policy-checked(12),
+ ok-as-delegate(13),
+ anonymous(14)
+}
+
+KDCOptions ::= BIT STRING {
+ reserved(0),
+ forwardable(1),
+ forwarded(2),
+ proxiable(3),
+ proxy(4),
+ allow-postdate(5),
+ postdated(6),
+ unused7(7),
+ renewable(8),
+ unused9(9),
+ unused10(10),
+ unused11(11),
+ request-anonymous(14),
+ canonicalize(15),
+ constrained-delegation(16), -- ms extension
+ disable-transited-check(26),
+ renewable-ok(27),
+ enc-tkt-in-skey(28),
+ renew(30),
+ validate(31)
+}
+
+LR-TYPE ::= INTEGER {
+ LR_NONE(0), -- no information
+ LR_INITIAL_TGT(1), -- last initial TGT request
+ LR_INITIAL(2), -- last initial request
+ LR_ISSUE_USE_TGT(3), -- time of newest TGT used
+ LR_RENEWAL(4), -- time of last renewal
+ LR_REQUEST(5), -- time of last request (of any type)
+ LR_PW_EXPTIME(6), -- expiration time of password
+ LR_ACCT_EXPTIME(7) -- expiration time of account
+}
+
+LastReq ::= SEQUENCE OF SEQUENCE {
+ lr-type[0] LR-TYPE,
+ lr-value[1] KerberosTime
+}
+
+
+EncryptedData ::= SEQUENCE {
+ etype[0] ENCTYPE, -- EncryptionType
+ kvno[1] krb5int32 OPTIONAL,
+ cipher[2] OCTET STRING -- ciphertext
+}
+
+EncryptionKey ::= SEQUENCE {
+ keytype[0] krb5int32,
+ keyvalue[1] OCTET STRING
+}
+
+-- encoded Transited field
+TransitedEncoding ::= SEQUENCE {
+ tr-type[0] krb5int32, -- must be registered
+ contents[1] OCTET STRING
+}
+
+Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno[0] krb5int32,
+ realm[1] Realm,
+ sname[2] PrincipalName,
+ enc-part[3] EncryptedData
+}
+-- Encrypted part of ticket
+EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags[0] TicketFlags,
+ key[1] EncryptionKey,
+ crealm[2] Realm,
+ cname[3] PrincipalName,
+ transited[4] TransitedEncoding,
+ authtime[5] KerberosTime,
+ starttime[6] KerberosTime OPTIONAL,
+ endtime[7] KerberosTime,
+ renew-till[8] KerberosTime OPTIONAL,
+ caddr[9] HostAddresses OPTIONAL,
+ authorization-data[10] AuthorizationData OPTIONAL
+}
+
+Checksum ::= SEQUENCE {
+ cksumtype[0] CKSUMTYPE,
+ checksum[1] OCTET STRING
+}
+
+Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno[0] krb5int32,
+ crealm[1] Realm,
+ cname[2] PrincipalName,
+ cksum[3] Checksum OPTIONAL,
+ cusec[4] krb5int32,
+ ctime[5] KerberosTime,
+ subkey[6] EncryptionKey OPTIONAL,
+ seq-number[7] krb5uint32 OPTIONAL,
+ authorization-data[8] AuthorizationData OPTIONAL
+}
+
+PA-DATA ::= SEQUENCE {
+ -- might be encoded AP-REQ
+ padata-type[1] PADATA-TYPE,
+ padata-value[2] OCTET STRING
+}
+
+ETYPE-INFO-ENTRY ::= SEQUENCE {
+ etype[0] ENCTYPE,
+ salt[1] OCTET STRING OPTIONAL,
+ salttype[2] krb5int32 OPTIONAL
+}
+
+ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype[0] ENCTYPE,
+ salt[1] KerberosString OPTIONAL,
+ s2kparams[2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+TypedData ::= SEQUENCE {
+ data-type[0] krb5int32,
+ data-value[1] OCTET STRING OPTIONAL
+}
+
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
+
+KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options[0] KDCOptions,
+ cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
+ realm[2] Realm, -- Server's realm
+ -- Also client's in AS-REQ
+ sname[3] PrincipalName OPTIONAL,
+ from[4] KerberosTime OPTIONAL,
+ till[5] KerberosTime OPTIONAL,
+ rtime[6] KerberosTime OPTIONAL,
+ nonce[7] krb5int32,
+ etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
+ -- in preference order
+ addresses[9] HostAddresses OPTIONAL,
+ enc-authorization-data[10] EncryptedData OPTIONAL,
+ -- Encrypted AuthorizationData encoding
+ additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
+}
+
+KDC-REQ ::= SEQUENCE {
+ pvno[1] krb5int32,
+ msg-type[2] MESSAGE-TYPE,
+ padata[3] METHOD-DATA OPTIONAL,
+ req-body[4] KDC-REQ-BODY
+}
+
+AS-REQ ::= [APPLICATION 10] KDC-REQ
+TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+-- padata-type ::= PA-ENC-TIMESTAMP
+-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
+
+PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp[0] KerberosTime, -- client's time
+ pausec[1] krb5int32 OPTIONAL
+}
+
+-- draft-brezak-win2k-krb-authz-01
+PA-PAC-REQUEST ::= SEQUENCE {
+ include-pac[0] BOOLEAN -- Indicates whether a PAC
+ -- should be included or not
+}
+
+-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
+PROV-SRV-LOCATION ::= GeneralString
+
+KDC-REP ::= SEQUENCE {
+ pvno[0] krb5int32,
+ msg-type[1] MESSAGE-TYPE,
+ padata[2] METHOD-DATA OPTIONAL,
+ crealm[3] Realm,
+ cname[4] PrincipalName,
+ ticket[5] Ticket,
+ enc-part[6] EncryptedData
+}
+
+AS-REP ::= [APPLICATION 11] KDC-REP
+TGS-REP ::= [APPLICATION 13] KDC-REP
+
+EncKDCRepPart ::= SEQUENCE {
+ key[0] EncryptionKey,
+ last-req[1] LastReq,
+ nonce[2] krb5int32,
+ key-expiration[3] KerberosTime OPTIONAL,
+ flags[4] TicketFlags,
+ authtime[5] KerberosTime,
+ starttime[6] KerberosTime OPTIONAL,
+ endtime[7] KerberosTime,
+ renew-till[8] KerberosTime OPTIONAL,
+ srealm[9] Realm,
+ sname[10] PrincipalName,
+ caddr[11] HostAddresses OPTIONAL,
+ encrypted-pa-data[12] METHOD-DATA OPTIONAL
+}
+
+EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno[0] krb5int32,
+ msg-type[1] MESSAGE-TYPE,
+ ap-options[2] APOptions,
+ ticket[3] Ticket,
+ authenticator[4] EncryptedData
+}
+
+AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno[0] krb5int32,
+ msg-type[1] MESSAGE-TYPE,
+ enc-part[2] EncryptedData
+}
+
+EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime[0] KerberosTime,
+ cusec[1] krb5int32,
+ subkey[2] EncryptionKey OPTIONAL,
+ seq-number[3] krb5uint32 OPTIONAL
+}
+
+KRB-SAFE-BODY ::= SEQUENCE {
+ user-data[0] OCTET STRING,
+ timestamp[1] KerberosTime OPTIONAL,
+ usec[2] krb5int32 OPTIONAL,
+ seq-number[3] krb5uint32 OPTIONAL,
+ s-address[4] HostAddress OPTIONAL,
+ r-address[5] HostAddress OPTIONAL
+}
+
+KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno[0] krb5int32,
+ msg-type[1] MESSAGE-TYPE,
+ safe-body[2] KRB-SAFE-BODY,
+ cksum[3] Checksum
+}
+
+KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno[0] krb5int32,
+ msg-type[1] MESSAGE-TYPE,
+ enc-part[3] EncryptedData
+}
+EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data[0] OCTET STRING,
+ timestamp[1] KerberosTime OPTIONAL,
+ usec[2] krb5int32 OPTIONAL,
+ seq-number[3] krb5uint32 OPTIONAL,
+ s-address[4] HostAddress OPTIONAL, -- sender's addr
+ r-address[5] HostAddress OPTIONAL -- recip's addr
+}
+
+KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno[0] krb5int32,
+ msg-type[1] MESSAGE-TYPE, -- KRB_CRED
+ tickets[2] SEQUENCE OF Ticket,
+ enc-part[3] EncryptedData
+}
+
+KrbCredInfo ::= SEQUENCE {
+ key[0] EncryptionKey,
+ prealm[1] Realm OPTIONAL,
+ pname[2] PrincipalName OPTIONAL,
+ flags[3] TicketFlags OPTIONAL,
+ authtime[4] KerberosTime OPTIONAL,
+ starttime[5] KerberosTime OPTIONAL,
+ endtime[6] KerberosTime OPTIONAL,
+ renew-till[7] KerberosTime OPTIONAL,
+ srealm[8] Realm OPTIONAL,
+ sname[9] PrincipalName OPTIONAL,
+ caddr[10] HostAddresses OPTIONAL
+}
+
+EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info[0] SEQUENCE OF KrbCredInfo,
+ nonce[1] krb5int32 OPTIONAL,
+ timestamp[2] KerberosTime OPTIONAL,
+ usec[3] krb5int32 OPTIONAL,
+ s-address[4] HostAddress OPTIONAL,
+ r-address[5] HostAddress OPTIONAL
+}
+
+KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno[0] krb5int32,
+ msg-type[1] MESSAGE-TYPE,
+ ctime[2] KerberosTime OPTIONAL,
+ cusec[3] krb5int32 OPTIONAL,
+ stime[4] KerberosTime,
+ susec[5] krb5int32,
+ error-code[6] krb5int32,
+ crealm[7] Realm OPTIONAL,
+ cname[8] PrincipalName OPTIONAL,
+ realm[9] Realm, -- Correct realm
+ sname[10] PrincipalName, -- Correct name
+ e-text[11] GeneralString OPTIONAL,
+ e-data[12] OCTET STRING OPTIONAL
+}
+
+ChangePasswdDataMS ::= SEQUENCE {
+ newpasswd[0] OCTET STRING,
+ targname[1] PrincipalName OPTIONAL,
+ targrealm[2] Realm OPTIONAL
+}
+
+EtypeList ::= SEQUENCE OF krb5int32
+ -- the client's proposed enctype list in
+ -- decreasing preference order, favorite choice first
+
+krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
+
+-- transited encodings
+
+DOMAIN-X500-COMPRESS krb5int32 ::= 1
+
+-- authorization data primitives
+
+AD-IF-RELEVANT ::= AuthorizationData
+
+AD-KDCIssued ::= SEQUENCE {
+ ad-checksum[0] Checksum,
+ i-realm[1] Realm OPTIONAL,
+ i-sname[2] PrincipalName OPTIONAL,
+ elements[3] AuthorizationData
+}
+
+AD-AND-OR ::= SEQUENCE {
+ condition-count[0] INTEGER,
+ elements[1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
+
+PA-SAM-TYPE ::= INTEGER {
+ PA_SAM_TYPE_ENIGMA(1), -- Enigma Logic
+ PA_SAM_TYPE_DIGI_PATH(2), -- Digital Pathways
+ PA_SAM_TYPE_SKEY_K0(3), -- S/key where KDC has key 0
+ PA_SAM_TYPE_SKEY(4), -- Traditional S/Key
+ PA_SAM_TYPE_SECURID(5), -- Security Dynamics
+ PA_SAM_TYPE_CRYPTOCARD(6) -- CRYPTOCard
+}
+
+PA-SAM-REDIRECT ::= HostAddresses
+
+SAMFlags ::= BIT STRING {
+ use-sad-as-key(0),
+ send-encrypted-sad(1),
+ must-pk-encrypt-sad(2)
+}
+
+PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
+ sam-type[0] krb5int32,
+ sam-flags[1] SAMFlags,
+ sam-type-name[2] GeneralString OPTIONAL,
+ sam-track-id[3] GeneralString OPTIONAL,
+ sam-challenge-label[4] GeneralString OPTIONAL,
+ sam-challenge[5] GeneralString OPTIONAL,
+ sam-response-prompt[6] GeneralString OPTIONAL,
+ sam-pk-for-sad[7] EncryptionKey OPTIONAL,
+ sam-nonce[8] krb5int32,
+ sam-etype[9] krb5int32,
+ ...
+}
+
+PA-SAM-CHALLENGE-2 ::= SEQUENCE {
+ sam-body[0] PA-SAM-CHALLENGE-2-BODY,
+ sam-cksum[1] SEQUENCE OF Checksum, -- (1..MAX)
+ ...
+}
+
+PA-SAM-RESPONSE-2 ::= SEQUENCE {
+ sam-type[0] krb5int32,
+ sam-flags[1] SAMFlags,
+ sam-track-id[2] GeneralString OPTIONAL,
+ sam-enc-nonce-or-sad[3] EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
+ sam-nonce[4] krb5int32,
+ ...
+}
+
+PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
+ sam-nonce[0] krb5int32,
+ sam-sad[1] GeneralString OPTIONAL,
+ ...
+}
+
+PA-S4U2Self ::= SEQUENCE {
+ name[0] PrincipalName,
+ realm[1] Realm,
+ cksum[2] Checksum,
+ auth[3] GeneralString
+}
+
+-- never encoded on the wire, just used to checksum over
+KRB5SignedPathData ::= SEQUENCE {
+ encticket[0] EncTicketPart,
+ delegated[1] Principals OPTIONAL
+}
+
+KRB5SignedPath ::= SEQUENCE {
+ -- DERcoded KRB5SignedPathData
+ -- krbtgt key (etype), KeyUsage = XXX
+ etype[0] ENCTYPE,
+ cksum[1] Checksum,
+ -- srvs delegated though
+ delegated[2] Principals OPTIONAL
+}
+
+PA-ClientCanonicalizedNames ::= SEQUENCE{
+ requested-name [0] PrincipalName,
+ mapped-name [1] PrincipalName
+}
+
+PA-ClientCanonicalized ::= SEQUENCE {
+ names [0] PA-ClientCanonicalizedNames,
+ canon-checksum [1] Checksum
+}
+
+AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
+ login-alias [0] PrincipalName,
+ checksum [1] Checksum
+}
+
+-- old ms referral
+PA-SvrReferralData ::= SEQUENCE {
+ referred-name [1] PrincipalName OPTIONAL,
+ referred-realm [0] Realm
+}
+
+PA-SERVER-REFERRAL-DATA ::= EncryptedData
+
+PA-ServerReferralData ::= SEQUENCE {
+ referred-realm [0] Realm OPTIONAL,
+ true-principal-name [1] PrincipalName OPTIONAL,
+ requested-principal-name [2] PrincipalName OPTIONAL,
+ referral-valid-until [3] KerberosTime OPTIONAL,
+ ...
+}
+
+FastOptions ::= BIT STRING {
+ reserved(0),
+ hide-client-names(1),
+ kdc-follow--referrals(16)
+}
+
+KrbFastReq ::= SEQUENCE {
+ fast-options [0] FastOptions,
+ padata [1] SEQUENCE OF PA-DATA,
+ req-body [2] KDC-REQ-BODY,
+ ...
+} + +KrbFastArmor ::= SEQUENCE { + armor-type [0] krb5int32, + armor-value [1] OCTET STRING, + ... +} + +KrbFastArmoredReq ::= SEQUENCE { + armor [0] KrbFastArmor OPTIONAL, + req-checksum [1] Checksum, + enc-fast-req [2] EncryptedData -- KrbFastReq -- +} + +PA-FX-FAST-REQUEST ::= CHOICE { + armored-data [0] KrbFastArmoredReq, + ... +} + +KrbFastFinished ::= SEQUENCE { + timestamp [0] KerberosTime, + usec [1] krb5int32, + crealm [2] Realm, + cname [3] PrincipalName, + checksum [4] Checksum, + ticket-checksum [5] Checksum, + ... +} + +KrbFastResponse ::= SEQUENCE { + padata [0] SEQUENCE OF PA-DATA, + rep-key [1] EncryptionKey OPTIONAL, + finished [2] KrbFastFinished OPTIONAL, + ... +} + +KrbFastArmoredRep ::= SEQUENCE { + enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- + ... +} + +PA-FX-FAST-REPLY ::= CHOICE { + armored-data [0] KrbFastArmoredRep, + ... +} + +END + +-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1 diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt new file mode 100644 index 0000000000..1d6d5e8989 --- /dev/null +++ b/source4/heimdal/lib/asn1/krb5.opt @@ -0,0 +1,6 @@ +--encode-rfc1510-bit-string +--sequence=Principals +--sequence=AuthorizationData +--sequence=METHOD-DATA +--sequence=ETYPE-INFO +--sequence=ETYPE-INFO2 diff --git a/source4/heimdal/lib/asn1/kx509.asn1 b/source4/heimdal/lib/asn1/kx509.asn1 index 820abc8106..14ebf50ecd 100644 --- a/source4/heimdal/lib/asn1/kx509.asn1 +++ b/source4/heimdal/lib/asn1/kx509.asn1 @@ -3,6 +3,17 @@ KX509 DEFINITIONS ::= BEGIN +KX509-ERROR-CODE ::= INTEGER { + KX509-STATUS-GOOD(0), + KX509-STATUS-CLIENT-BAD(1), + KX509-STATUS-CLIENT-FIX(2), + KX509-STATUS-CLIENT-TEMP(3), + KX509-STATUS-SERVER-BAD(4), + KX509-STATUS-SERVER-TEMP(5), + -- 6 is used internally in the umich client, avoid that + KX509-STATUS-SERVER-KEY(7) +} + Kx509Request ::= SEQUENCE { authenticator OCTET STRING, pk-hash OCTET STRING, 
diff --git a/source4/heimdal/lib/asn1/lex.l b/source4/heimdal/lib/asn1/lex.l
index 1198ef16a6..7bd442bc50 100644
--- a/source4/heimdal/lib/asn1/lex.l
+++ b/source4/heimdal/lib/asn1/lex.l
@@ -46,7 +46,7 @@
 #endif
 #undef ECHO
 #include "symbol.h"
-#include "parse.h"
+#include "asn1parse.h"
 #include "lex.h"
 #include "gen_locl.h"
@@ -216,7 +216,7 @@ WITH { return kw_WITH; }
 char *p = buf;
 int f = 0;
 int skip_ws = 0;
-
+
 while((c = input()) != EOF) {
 if(isspace(c) && skip_ws) {
 if(c == '\n')
@@ -224,7 +224,7 @@ WITH { return kw_WITH; }
 continue;
 }
 skip_ws = 0;
-
+
 if(c == '"') {
 if(f) {
 *p++ = '"';
diff --git a/source4/heimdal/lib/asn1/main.c b/source4/heimdal/lib/asn1/main.c
index 6a97634310..115c82a9c7 100644
--- a/source4/heimdal/lib/asn1/main.c
+++ b/source4/heimdal/lib/asn1/main.c
@@ -62,15 +62,20 @@ seq_type(const char *p)
 return 0;
 }
-int dce_fix;
+int support_ber;
 int rfc1510_bitstring;
+int one_code_file;
+char *option_file;
 int version_flag;
 int help_flag;
 struct getargs args[] = {
 { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring },
-{ "decode-dce-ber", 0, arg_flag, &dce_fix },
+{ "decode-dce-ber", 0, arg_flag, &support_ber },
+{ "support-ber", 0, arg_flag, &support_ber },
 { "preserve-binary", 0, arg_strings, &preserve },
 { "sequence", 0, arg_strings, &seq },
+{ "one-code-file", 0, arg_flag, &one_code_file },
+{ "option-file", 0, arg_string, &option_file },
 { "version", 0, arg_flag, &version_flag },
 { "help", 0, arg_flag, &help_flag }
 };
@@ -92,6 +97,8 @@ main(int argc, char **argv)
 const char *file;
 const char *name = NULL;
 int optidx = 0;
+ char **arg = NULL;
+ size_t len = 0, i;
 setprogname(argv[0]);
 if(getarg(args, num_args, argc, argv, &optidx))
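Review bot: In the `args[]` table, `decode-dce-ber` and `support-ber` now both point at `support_ber`, but nothing next to the old entry or at `int support_ber;` says the first is kept only for compatibility, so a reader can take them for two separate features. A one-line comment on the retained entry, `{ "decode-dce-ber", 0, arg_flag, &support_ber }, /* legacy alias for --support-ber */`, would make that explicit. The new `option_file` global is only assigned by getarg here and consumed in a later hunk, so a short comment on its declaration saying it names a file of extra command-line options would also help.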
@@ -121,7 +128,58 @@ main(int argc, char **argv)
 name = argv[optidx + 1];
 }
+ /*
+ * Parse extra options file
+ */
+ if (option_file) {
+ char buf[1024];
+ FILE *opt;
+
+ opt = fopen(option_file, "r");
+ if (opt == NULL) {
+ perror("open");
+ exit(1);
+ }
+
+ arg = calloc(2, sizeof(arg[0]));
+ arg[0] = option_file;
+ arg[1] = NULL;
+ len = 1;
+
+ while (fgets(buf, sizeof(buf), opt) != NULL) {
+ buf[strcspn(buf, "\n\r")] = '\0';
+
+ arg = realloc(arg, (len + 2) * sizeof(arg[0]));
+ if (argv == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+ arg[len] = strdup(buf);
+ if (arg[len] == NULL) {
+ perror("strdup");
+ exit(1);
+ }
+ arg[len + 1] = NULL;
+ len++;
+ }
+ fclose(opt);
+
+ optidx = 0;
+ if(getarg(args, num_args, len, arg, &optidx))
+ usage(1);
+
+ if (len != optidx) {
+ fprintf(stderr, "extra args");
+ exit(1);
+ }
+ }
+
+ init_generate (file, name);
+
+ if (one_code_file)
+ generate_header_of_codefile(name);
+
 initsym ();
 ret = yyparse ();
 if(ret != 0 || error_flag != 0)
@@ -129,5 +187,15 @@ main(int argc, char **argv)
 close_generate ();
 if (argc != optidx)
 fclose(yyin);
+
+ if (one_code_file)
+ close_codefile();
+
+ if (arg) {
+ for (i = 1; i < len; i++)
+ free(arg[i]);
+ free(arg);
+ }
+
 return 0;
 }
diff --git a/source4/heimdal/lib/asn1/parse.y b/source4/heimdal/lib/asn1/parse.y
deleted file mode 100644
index aca4a062b8..0000000000
--- a/source4/heimdal/lib/asn1/parse.y
+++ /dev/null
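Review bot: The NULL check after `arg = realloc(arg, (len + 2) * sizeof(arg[0]));` tests `argv` instead of `arg`, so a failed realloc is never caught and the next statement `arg[len] = strdup(buf);` writes through a NULL pointer; it should read `if (arg == NULL) {`, and `perror("realloc")` rather than `"malloc"` would name the call that failed. The `calloc(2, sizeof(arg[0]))` a few lines earlier is likewise unchecked before `arg[0]` is assigned. Smaller points: `fprintf(stderr, "extra args")` has no trailing newline, `len` is a `size_t` handed to getarg as the `int` argc and then compared with the `int` optidx, and an option line longer than `buf` is silently split by `fgets` into two options rather than rejected. The enclosing `main` begins before this hunk, and the cleanup hunk below frees `arg[1..len-1]` only, which is consistent with `arg[0]` aliasing `option_file`.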
@@ -1,1015 +0,0 @@ -/* - * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id$ */ - -%{ -#ifdef HAVE_CONFIG_H -#include -#endif -#include -#include -#include -#include "symbol.h" -#include "lex.h" -#include "gen_locl.h" -#include "der.h" - -RCSID("$Id$"); - -static Type *new_type (Typetype t); -static struct constraint_spec *new_constraint_spec(enum ctype); -static Type *new_tag(int tagclass, int tagvalue, int tagenv, Type *oldtype); -void yyerror (const char *); -static struct objid *new_objid(const char *label, int value); -static void add_oid_to_tail(struct objid *, struct objid *); -static void fix_labels(Symbol *s); - -struct string_list { - char *string; - struct string_list *next; -}; - -%} - -%union { - int constant; - struct value *value; - struct range *range; - char *name; - Type *type; - Member *member; - struct objid *objid; - char *defval; - struct string_list *sl; - struct tagtype tag; - struct memhead *members; - struct constraint_spec *constraint_spec; -} - -%token kw_ABSENT -%token kw_ABSTRACT_SYNTAX -%token kw_ALL -%token kw_APPLICATION -%token kw_AUTOMATIC -%token kw_BEGIN -%token kw_BIT -%token kw_BMPString -%token kw_BOOLEAN -%token kw_BY -%token kw_CHARACTER -%token kw_CHOICE -%token kw_CLASS -%token kw_COMPONENT -%token kw_COMPONENTS -%token kw_CONSTRAINED -%token kw_CONTAINING -%token kw_DEFAULT -%token kw_DEFINITIONS -%token kw_EMBEDDED -%token kw_ENCODED -%token kw_END -%token kw_ENUMERATED -%token kw_EXCEPT -%token kw_EXPLICIT -%token kw_EXPORTS -%token kw_EXTENSIBILITY -%token kw_EXTERNAL -%token kw_FALSE -%token kw_FROM -%token kw_GeneralString -%token kw_GeneralizedTime -%token kw_GraphicString -%token kw_IA5String -%token kw_IDENTIFIER -%token kw_IMPLICIT -%token kw_IMPLIED -%token kw_IMPORTS -%token kw_INCLUDES -%token kw_INSTANCE -%token kw_INTEGER -%token kw_INTERSECTION -%token kw_ISO646String -%token kw_MAX -%token kw_MIN -%token kw_MINUS_INFINITY -%token kw_NULL -%token kw_NumericString -%token kw_OBJECT -%token kw_OCTET -%token kw_OF -%token kw_OPTIONAL -%token kw_ObjectDescriptor -%token 
kw_PATTERN -%token kw_PDV -%token kw_PLUS_INFINITY -%token kw_PRESENT -%token kw_PRIVATE -%token kw_PrintableString -%token kw_REAL -%token kw_RELATIVE_OID -%token kw_SEQUENCE -%token kw_SET -%token kw_SIZE -%token kw_STRING -%token kw_SYNTAX -%token kw_T61String -%token kw_TAGS -%token kw_TRUE -%token kw_TYPE_IDENTIFIER -%token kw_TeletexString -%token kw_UNION -%token kw_UNIQUE -%token kw_UNIVERSAL -%token kw_UTCTime -%token kw_UTF8String -%token kw_UniversalString -%token kw_VideotexString -%token kw_VisibleString -%token kw_WITH - -%token RANGE -%token EEQUAL -%token ELLIPSIS - -%token IDENTIFIER referencename -%token STRING - -%token NUMBER -%type SignedNumber -%type Class tagenv - -%type Value -%type BuiltinValue -%type IntegerValue -%type BooleanValue -%type ObjectIdentifierValue -%type CharacterStringValue -%type NullValue -%type DefinedValue -%type ReferencedValue -%type Valuereference - -%type Type -%type BuiltinType -%type BitStringType -%type BooleanType -%type ChoiceType -%type ConstrainedType -%type EnumeratedType -%type IntegerType -%type NullType -%type OctetStringType -%type SequenceType -%type SequenceOfType -%type SetType -%type SetOfType -%type TaggedType -%type ReferencedType -%type DefinedType -%type UsefulType -%type ObjectIdentifierType -%type CharacterStringType -%type RestrictedCharactedStringType - -%type Tag - -%type ComponentType -%type NamedBit -%type NamedNumber -%type NamedType -%type ComponentTypeList -%type Enumerations -%type NamedBitList -%type NamedNumberList - -%type objid objid_list objid_element objid_opt -%type range size - -%type referencenames - -%type Constraint -%type ConstraintSpec -%type GeneralConstraint -%type ContentsConstraint -%type UserDefinedConstraint - - - -%start ModuleDefinition - -%% - -ModuleDefinition: IDENTIFIER objid_opt kw_DEFINITIONS TagDefault ExtensionDefault - EEQUAL kw_BEGIN ModuleBody kw_END - { - checkundefined(); - } - ; - -TagDefault : kw_EXPLICIT kw_TAGS - | kw_IMPLICIT kw_TAGS - { 
error_message("implicit tagging is not supported"); } - | kw_AUTOMATIC kw_TAGS - { error_message("automatic tagging is not supported"); } - | /* empty */ - ; - -ExtensionDefault: kw_EXTENSIBILITY kw_IMPLIED - { error_message("no extensibility options supported"); } - | /* empty */ - ; - -ModuleBody : /* Exports */ Imports AssignmentList - | /* empty */ - ; - -Imports : kw_IMPORTS SymbolsImported ';' - | /* empty */ - ; - -SymbolsImported : SymbolsFromModuleList - | /* empty */ - ; - -SymbolsFromModuleList: SymbolsFromModule - | SymbolsFromModuleList SymbolsFromModule - ; - -SymbolsFromModule: referencenames kw_FROM IDENTIFIER objid_opt - { - struct string_list *sl; - for(sl = $1; sl != NULL; sl = sl->next) { - Symbol *s = addsym(sl->string); - s->stype = Stype; - } - add_import($3); - } - ; - -AssignmentList : Assignment - | Assignment AssignmentList - ; - -Assignment : TypeAssignment - | ValueAssignment - ; - -referencenames : IDENTIFIER ',' referencenames - { - $$ = emalloc(sizeof(*$$)); - $$->string = $1; - $$->next = $3; - } - | IDENTIFIER - { - $$ = emalloc(sizeof(*$$)); - $$->string = $1; - $$->next = NULL; - } - ; - -TypeAssignment : IDENTIFIER EEQUAL Type - { - Symbol *s = addsym ($1); - s->stype = Stype; - s->type = $3; - fix_labels(s); - generate_type (s); - } - ; - -Type : BuiltinType - | ReferencedType - | ConstrainedType - ; - -BuiltinType : BitStringType - | BooleanType - | CharacterStringType - | ChoiceType - | EnumeratedType - | IntegerType - | NullType - | ObjectIdentifierType - | OctetStringType - | SequenceType - | SequenceOfType - | SetType - | SetOfType - | TaggedType - ; - -BooleanType : kw_BOOLEAN - { - $$ = new_tag(ASN1_C_UNIV, UT_Boolean, - TE_EXPLICIT, new_type(TBoolean)); - } - ; - -range : '(' Value RANGE Value ')' - { - if($2->type != integervalue) - error_message("Non-integer used in first part of range"); - if($2->type != integervalue) - error_message("Non-integer in second part of range"); - $$ = ecalloc(1, sizeof(*$$)); - $$->min = 
$2->u.integervalue; - $$->max = $4->u.integervalue; - } - | '(' Value RANGE kw_MAX ')' - { - if($2->type != integervalue) - error_message("Non-integer in first part of range"); - $$ = ecalloc(1, sizeof(*$$)); - $$->min = $2->u.integervalue; - $$->max = $2->u.integervalue - 1; - } - | '(' kw_MIN RANGE Value ')' - { - if($4->type != integervalue) - error_message("Non-integer in second part of range"); - $$ = ecalloc(1, sizeof(*$$)); - $$->min = $4->u.integervalue + 2; - $$->max = $4->u.integervalue; - } - | '(' Value ')' - { - if($2->type != integervalue) - error_message("Non-integer used in limit"); - $$ = ecalloc(1, sizeof(*$$)); - $$->min = $2->u.integervalue; - $$->max = $2->u.integervalue; - } - ; - - -IntegerType : kw_INTEGER - { - $$ = new_tag(ASN1_C_UNIV, UT_Integer, - TE_EXPLICIT, new_type(TInteger)); - } - | kw_INTEGER range - { - $$ = new_type(TInteger); - $$->range = $2; - $$ = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, $$); - } - | kw_INTEGER '{' NamedNumberList '}' - { - $$ = new_type(TInteger); - $$->members = $3; - $$ = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, $$); - } - ; - -NamedNumberList : NamedNumber - { - $$ = emalloc(sizeof(*$$)); - ASN1_TAILQ_INIT($$); - ASN1_TAILQ_INSERT_HEAD($$, $1, members); - } - | NamedNumberList ',' NamedNumber - { - ASN1_TAILQ_INSERT_TAIL($1, $3, members); - $$ = $1; - } - | NamedNumberList ',' ELLIPSIS - { $$ = $1; } /* XXX used for Enumerations */ - ; - -NamedNumber : IDENTIFIER '(' SignedNumber ')' - { - $$ = emalloc(sizeof(*$$)); - $$->name = $1; - $$->gen_name = estrdup($1); - output_name ($$->gen_name); - $$->val = $3; - $$->optional = 0; - $$->ellipsis = 0; - $$->type = NULL; - } - ; - -EnumeratedType : kw_ENUMERATED '{' Enumerations '}' - { - $$ = new_type(TInteger); - $$->members = $3; - $$ = new_tag(ASN1_C_UNIV, UT_Enumerated, TE_EXPLICIT, $$); - } - ; - -Enumerations : NamedNumberList /* XXX */ - ; - -BitStringType : kw_BIT kw_STRING - { - $$ = new_type(TBitString); - $$->members = 
emalloc(sizeof(*$$->members)); - ASN1_TAILQ_INIT($$->members); - $$ = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, $$); - } - | kw_BIT kw_STRING '{' NamedBitList '}' - { - $$ = new_type(TBitString); - $$->members = $4; - $$ = new_tag(ASN1_C_UNIV, UT_BitString, TE_EXPLICIT, $$); - } - ; - -ObjectIdentifierType: kw_OBJECT kw_IDENTIFIER - { - $$ = new_tag(ASN1_C_UNIV, UT_OID, - TE_EXPLICIT, new_type(TOID)); - } - ; -OctetStringType : kw_OCTET kw_STRING size - { - Type *t = new_type(TOctetString); - t->range = $3; - $$ = new_tag(ASN1_C_UNIV, UT_OctetString, - TE_EXPLICIT, t); - } - ; - -NullType : kw_NULL - { - $$ = new_tag(ASN1_C_UNIV, UT_Null, - TE_EXPLICIT, new_type(TNull)); - } - ; - -size : - { $$ = NULL; } - | kw_SIZE range - { $$ = $2; } - ; - - -SequenceType : kw_SEQUENCE '{' /* ComponentTypeLists */ ComponentTypeList '}' - { - $$ = new_type(TSequence); - $$->members = $3; - $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$); - } - | kw_SEQUENCE '{' '}' - { - $$ = new_type(TSequence); - $$->members = NULL; - $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$); - } - ; - -SequenceOfType : kw_SEQUENCE size kw_OF Type - { - $$ = new_type(TSequenceOf); - $$->range = $2; - $$->subtype = $4; - $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$); - } - ; - -SetType : kw_SET '{' /* ComponentTypeLists */ ComponentTypeList '}' - { - $$ = new_type(TSet); - $$->members = $3; - $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$); - } - | kw_SET '{' '}' - { - $$ = new_type(TSet); - $$->members = NULL; - $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$); - } - ; - -SetOfType : kw_SET kw_OF Type - { - $$ = new_type(TSetOf); - $$->subtype = $3; - $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$); - } - ; - -ChoiceType : kw_CHOICE '{' /* AlternativeTypeLists */ ComponentTypeList '}' - { - $$ = new_type(TChoice); - $$->members = $3; - } - ; - -ReferencedType : DefinedType - | UsefulType - ; - -DefinedType : IDENTIFIER - { - Symbol *s = addsym($1); - $$ = 
new_type(TType); - if(s->stype != Stype && s->stype != SUndefined) - error_message ("%s is not a type\n", $1); - else - $$->symbol = s; - } - ; - -UsefulType : kw_GeneralizedTime - { - $$ = new_tag(ASN1_C_UNIV, UT_GeneralizedTime, - TE_EXPLICIT, new_type(TGeneralizedTime)); - } - | kw_UTCTime - { - $$ = new_tag(ASN1_C_UNIV, UT_UTCTime, - TE_EXPLICIT, new_type(TUTCTime)); - } - ; - -ConstrainedType : Type Constraint - { - /* if (Constraint.type == contentConstrant) { - assert(Constraint.u.constraint.type == octetstring|bitstring-w/o-NamedBitList); // remember to check type reference too - if (Constraint.u.constraint.type) { - assert((Constraint.u.constraint.type.length % 8) == 0); - } - } - if (Constraint.u.constraint.encoding) { - type == der-oid|ber-oid - } - */ - } - ; - - -Constraint : '(' ConstraintSpec ')' - { - $$ = $2; - } - ; - -ConstraintSpec : GeneralConstraint - ; - -GeneralConstraint: ContentsConstraint - | UserDefinedConstraint - ; - -ContentsConstraint: kw_CONTAINING Type - { - $$ = new_constraint_spec(CT_CONTENTS); - $$->u.content.type = $2; - $$->u.content.encoding = NULL; - } - | kw_ENCODED kw_BY Value - { - if ($3->type != objectidentifiervalue) - error_message("Non-OID used in ENCODED BY constraint"); - $$ = new_constraint_spec(CT_CONTENTS); - $$->u.content.type = NULL; - $$->u.content.encoding = $3; - } - | kw_CONTAINING Type kw_ENCODED kw_BY Value - { - if ($5->type != objectidentifiervalue) - error_message("Non-OID used in ENCODED BY constraint"); - $$ = new_constraint_spec(CT_CONTENTS); - $$->u.content.type = $2; - $$->u.content.encoding = $5; - } - ; - -UserDefinedConstraint: kw_CONSTRAINED kw_BY '{' '}' - { - $$ = new_constraint_spec(CT_USER); - } - ; - -TaggedType : Tag tagenv Type - { - $$ = new_type(TTag); - $$->tag = $1; - $$->tag.tagenv = $2; - if($3->type == TTag && $2 == TE_IMPLICIT) { - $$->subtype = $3->subtype; - free($3); - } else - $$->subtype = $3; - } - ; - -Tag : '[' Class NUMBER ']' - { - $$.tagclass = $2; - $$.tagvalue = 
$3; - $$.tagenv = TE_EXPLICIT; - } - ; - -Class : /* */ - { - $$ = ASN1_C_CONTEXT; - } - | kw_UNIVERSAL - { - $$ = ASN1_C_UNIV; - } - | kw_APPLICATION - { - $$ = ASN1_C_APPL; - } - | kw_PRIVATE - { - $$ = ASN1_C_PRIVATE; - } - ; - -tagenv : /* */ - { - $$ = TE_EXPLICIT; - } - | kw_EXPLICIT - { - $$ = TE_EXPLICIT; - } - | kw_IMPLICIT - { - $$ = TE_IMPLICIT; - } - ; - - -ValueAssignment : IDENTIFIER Type EEQUAL Value - { - Symbol *s; - s = addsym ($1); - - s->stype = SValue; - s->value = $4; - generate_constant (s); - } - ; - -CharacterStringType: RestrictedCharactedStringType - ; - -RestrictedCharactedStringType: kw_GeneralString - { - $$ = new_tag(ASN1_C_UNIV, UT_GeneralString, - TE_EXPLICIT, new_type(TGeneralString)); - } - | kw_UTF8String - { - $$ = new_tag(ASN1_C_UNIV, UT_UTF8String, - TE_EXPLICIT, new_type(TUTF8String)); - } - | kw_PrintableString - { - $$ = new_tag(ASN1_C_UNIV, UT_PrintableString, - TE_EXPLICIT, new_type(TPrintableString)); - } - | kw_VisibleString - { - $$ = new_tag(ASN1_C_UNIV, UT_VisibleString, - TE_EXPLICIT, new_type(TVisibleString)); - } - | kw_IA5String - { - $$ = new_tag(ASN1_C_UNIV, UT_IA5String, - TE_EXPLICIT, new_type(TIA5String)); - } - | kw_BMPString - { - $$ = new_tag(ASN1_C_UNIV, UT_BMPString, - TE_EXPLICIT, new_type(TBMPString)); - } - | kw_UniversalString - { - $$ = new_tag(ASN1_C_UNIV, UT_UniversalString, - TE_EXPLICIT, new_type(TUniversalString)); - } - - ; - -ComponentTypeList: ComponentType - { - $$ = emalloc(sizeof(*$$)); - ASN1_TAILQ_INIT($$); - ASN1_TAILQ_INSERT_HEAD($$, $1, members); - } - | ComponentTypeList ',' ComponentType - { - ASN1_TAILQ_INSERT_TAIL($1, $3, members); - $$ = $1; - } - | ComponentTypeList ',' ELLIPSIS - { - struct member *m = ecalloc(1, sizeof(*m)); - m->name = estrdup("..."); - m->gen_name = estrdup("asn1_ellipsis"); - m->ellipsis = 1; - ASN1_TAILQ_INSERT_TAIL($1, m, members); - $$ = $1; - } - ; - -NamedType : IDENTIFIER Type - { - $$ = emalloc(sizeof(*$$)); - $$->name = $1; - $$->gen_name = 
estrdup($1); - output_name ($$->gen_name); - $$->type = $2; - $$->ellipsis = 0; - } - ; - -ComponentType : NamedType - { - $$ = $1; - $$->optional = 0; - $$->defval = NULL; - } - | NamedType kw_OPTIONAL - { - $$ = $1; - $$->optional = 1; - $$->defval = NULL; - } - | NamedType kw_DEFAULT Value - { - $$ = $1; - $$->optional = 0; - $$->defval = $3; - } - ; - -NamedBitList : NamedBit - { - $$ = emalloc(sizeof(*$$)); - ASN1_TAILQ_INIT($$); - ASN1_TAILQ_INSERT_HEAD($$, $1, members); - } - | NamedBitList ',' NamedBit - { - ASN1_TAILQ_INSERT_TAIL($1, $3, members); - $$ = $1; - } - ; - -NamedBit : IDENTIFIER '(' NUMBER ')' - { - $$ = emalloc(sizeof(*$$)); - $$->name = $1; - $$->gen_name = estrdup($1); - output_name ($$->gen_name); - $$->val = $3; - $$->optional = 0; - $$->ellipsis = 0; - $$->type = NULL; - } - ; - -objid_opt : objid - | /* empty */ { $$ = NULL; } - ; - -objid : '{' objid_list '}' - { - $$ = $2; - } - ; - -objid_list : /* empty */ - { - $$ = NULL; - } - | objid_element objid_list - { - if ($2) { - $$ = $2; - add_oid_to_tail($2, $1); - } else { - $$ = $1; - } - } - ; - -objid_element : IDENTIFIER '(' NUMBER ')' - { - $$ = new_objid($1, $3); - } - | IDENTIFIER - { - Symbol *s = addsym($1); - if(s->stype != SValue || - s->value->type != objectidentifiervalue) { - error_message("%s is not an object identifier\n", - s->name); - exit(1); - } - $$ = s->value->u.objectidentifiervalue; - } - | NUMBER - { - $$ = new_objid(NULL, $1); - } - ; - -Value : BuiltinValue - | ReferencedValue - ; - -BuiltinValue : BooleanValue - | CharacterStringValue - | IntegerValue - | ObjectIdentifierValue - | NullValue - ; - -ReferencedValue : DefinedValue - ; - -DefinedValue : Valuereference - ; - -Valuereference : IDENTIFIER - { - Symbol *s = addsym($1); - if(s->stype != SValue) - error_message ("%s is not a value\n", - s->name); - else - $$ = s->value; - } - ; - -CharacterStringValue: STRING - { - $$ = emalloc(sizeof(*$$)); - $$->type = stringvalue; - $$->u.stringvalue = $1; - } - ; - 
-BooleanValue : kw_TRUE - { - $$ = emalloc(sizeof(*$$)); - $$->type = booleanvalue; - $$->u.booleanvalue = 0; - } - | kw_FALSE - { - $$ = emalloc(sizeof(*$$)); - $$->type = booleanvalue; - $$->u.booleanvalue = 0; - } - ; - -IntegerValue : SignedNumber - { - $$ = emalloc(sizeof(*$$)); - $$->type = integervalue; - $$->u.integervalue = $1; - } - ; - -SignedNumber : NUMBER - ; - -NullValue : kw_NULL - { - } - ; - -ObjectIdentifierValue: objid - { - $$ = emalloc(sizeof(*$$)); - $$->type = objectidentifiervalue; - $$->u.objectidentifiervalue = $1; - } - ; - -%% - -void -yyerror (const char *s) -{ - error_message ("%s\n", s); -} - -static Type * -new_tag(int tagclass, int tagvalue, int tagenv, Type *oldtype) -{ - Type *t; - if(oldtype->type == TTag && oldtype->tag.tagenv == TE_IMPLICIT) { - t = oldtype; - oldtype = oldtype->subtype; /* XXX */ - } else - t = new_type (TTag); - - t->tag.tagclass = tagclass; - t->tag.tagvalue = tagvalue; - t->tag.tagenv = tagenv; - t->subtype = oldtype; - return t; -} - -static struct objid * -new_objid(const char *label, int value) -{ - struct objid *s; - s = emalloc(sizeof(*s)); - s->label = label; - s->value = value; - s->next = NULL; - return s; -} - -static void -add_oid_to_tail(struct objid *head, struct objid *tail) -{ - struct objid *o; - o = head; - while (o->next) - o = o->next; - o->next = tail; -} - -static Type * -new_type (Typetype tt) -{ - Type *t = ecalloc(1, sizeof(*t)); - t->type = tt; - return t; -} - -static struct constraint_spec * -new_constraint_spec(enum ctype ct) -{ - struct constraint_spec *c = ecalloc(1, sizeof(*c)); - c->ctype = ct; - return c; -} - -static void fix_labels2(Type *t, const char *prefix); -static void fix_labels1(struct memhead *members, const char *prefix) -{ - Member *m; - - if(members == NULL) - return; - ASN1_TAILQ_FOREACH(m, members, members) { - asprintf(&m->label, "%s_%s", prefix, m->gen_name); - if (m->label == NULL) - errx(1, "malloc"); - if(m->type != NULL) - fix_labels2(m->type, 
m->label);
- }
-}
-
-static void fix_labels2(Type *t, const char *prefix)
-{
- for(; t; t = t->subtype)
- fix_labels1(t->members, prefix);
-}
-
-static void
-fix_labels(Symbol *s)
-{
- char *p;
- asprintf(&p, "choice_%s", s->gen_name);
- if (p == NULL)
- errx(1, "malloc");
- fix_labels2(s->type, p);
- free(p);
-}
diff --git a/source4/heimdal/lib/asn1/pkcs12.asn1 b/source4/heimdal/lib/asn1/pkcs12.asn1
index 4d6454a08f..8b604c68d7 100644
--- a/source4/heimdal/lib/asn1/pkcs12.asn1
+++ b/source4/heimdal/lib/asn1/pkcs12.asn1
@@ -50,7 +50,7 @@ PKCS12-AuthenticatedSafe ::= SEQUENCE OF ContentInfo
 PKCS12-Attribute ::= SEQUENCE {
 attrId OBJECT IDENTIFIER,
- attrValues -- SET OF -- heim_any_set
+ attrValues -- SET OF -- heim_any_set
 }
 PKCS12-Attributes ::= SET OF PKCS12-Attribute
diff --git a/source4/heimdal/lib/asn1/pkcs8.asn1 b/source4/heimdal/lib/asn1/pkcs8.asn1
index 203d91eef8..45a7d715df 100644
--- a/source4/heimdal/lib/asn1/pkcs8.asn1
+++ b/source4/heimdal/lib/asn1/pkcs8.asn1
@@ -24,7 +24,7 @@ PKCS8EncryptedData ::= OCTET STRING
 PKCS8EncryptedPrivateKeyInfo ::= SEQUENCE {
 encryptionAlgorithm AlgorithmIdentifier,
- encryptedData PKCS8EncryptedData
+ encryptedData PKCS8EncryptedData
 }
 END
diff --git a/source4/heimdal/lib/asn1/pkinit.asn1 b/source4/heimdal/lib/asn1/pkinit.asn1
index 758af6f86e..f36ebf0b32 100644
--- a/source4/heimdal/lib/asn1/pkinit.asn1
+++ b/source4/heimdal/lib/asn1/pkinit.asn1
@@ -27,11 +27,11 @@ id-pkinit-san OBJECT IDENTIFIER ::=
 x509-sanan(2) }
 id-pkinit-ms-eku OBJECT IDENTIFIER ::=
- { iso(1) org(3) dod(6) internet(1) private(4)
+ { iso(1) org(3) dod(6) internet(1) private(4)
 enterprise(1) microsoft(311) 20 2 2 }
 id-pkinit-ms-san OBJECT IDENTIFIER ::=
- { iso(1) org(3) dod(6) internet(1) private(4)
+ { iso(1) org(3) dod(6) internet(1) private(4)
 enterprise(1) microsoft(311) 20 2 3 }
 MS-UPN-SAN ::= UTF8String
@@ -152,19 +152,18 @@ TrustedCA-Win2k ::= CHOICE {
 issuerAndSerial [2] IssuerAndSerialNumber
 }
-PA-PK-AS-REQ-Win2k ::= SEQUENCE {
- signed-auth-pack [0] IMPLICIT OCTET STRING,
- trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
- kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
+PA-PK-AS-REQ-Win2k ::= SEQUENCE {
+ signed-auth-pack [0] IMPLICIT OCTET STRING,
+ trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
+ kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
 encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
 }
 PA-PK-AS-REP-Win2k ::= CHOICE {
- dhSignedData [0] IMPLICIT OCTET STRING,
+ dhSignedData [0] IMPLICIT OCTET STRING,
 encKeyPack [1] IMPLICIT OCTET STRING
 }
-
 KDCDHKeyInfo-Win2k ::= SEQUENCE {
 nonce [0] INTEGER (-2147483648..2147483647),
 subjectPublicKey [2] BIT STRING
@@ -176,12 +175,18 @@ ReplyKeyPack-Win2k ::= SEQUENCE {
 ...
 }
-PkinitSP80056AOtherInfo ::= SEQUENCE {
- algorithmID AlgorithmIdentifier,
- partyUInfo [0] OCTET STRING,
- partyVInfo [1] OCTET STRING,
- suppPubInfo [2] OCTET STRING OPTIONAL,
- suppPrivInfo [3] OCTET STRING OPTIONAL
+PA-PK-AS-REP-BTMM ::= SEQUENCE {
+ dhSignedData [0] heim_any OPTIONAL,
+ encKeyPack [1] heim_any OPTIONAL
+}
+
+
+PkinitSP80056AOtherInfo ::= SEQUENCE {
+ algorithmID AlgorithmIdentifier,
+ partyUInfo [0] OCTET STRING,
+ partyVInfo [1] OCTET STRING,
+ suppPubInfo [2] OCTET STRING OPTIONAL,
+ suppPrivInfo [3] OCTET STRING OPTIONAL
 }
 PkinitSuppPubInfo ::= SEQUENCE {
diff --git a/source4/heimdal/lib/asn1/rfc2459.asn1 b/source4/heimdal/lib/asn1/rfc2459.asn1
index 8e24f0740b..51cac55cc0 100644
--- a/source4/heimdal/lib/asn1/rfc2459.asn1
+++ b/source4/heimdal/lib/asn1/rfc2459.asn1
@@ -6,7 +6,7 @@ RFC2459 DEFINITIONS ::= BEGIN
 IMPORTS heim_any FROM heim;
 Version ::= INTEGER {
- rfc3280_version_1(0),
+ rfc3280_version_1(0),
 rfc3280_version_2(1),
 rfc3280_version_3(2)
 }
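Review bot: `PA-PK-AS-REP-BTMM` declares both `dhSignedData` and `encKeyPack` as OPTIONAL `heim_any`, so the generated decoder will accept an empty sequence, both members present at once, and arbitrary DER inside either one, and the file says nothing about which of those a caller should reject. Given that `PA-PK-AS-REP-Win2k` directly above expresses the same pair as a CHOICE, a comment on the new type such as `-- exactly one of dhSignedData / encKeyPack is expected; the decoder does not enforce this and callers must decode the heim_any themselves --` would state the contract the ASN.1 cannot. The acronym BTMM is also not expanded or referenced anywhere in the hunk, so a one-line pointer to its origin would help the next reader. The first hunk in this file only reflows whitespace.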
@@ -29,7 +29,7 @@ id-pkcs2-md2 OBJECT IDENTIFIER ::= { id-pkcs-2 2 }
 id-pkcs2-md4 OBJECT IDENTIFIER ::= { id-pkcs-2 4 }
 id-pkcs2-md5 OBJECT IDENTIFIER ::= { id-pkcs-2 5 }
-id-rsa-digestAlgorithm OBJECT IDENTIFIER ::=
+id-rsa-digestAlgorithm OBJECT IDENTIFIER ::=
 { iso(1) member-body(2) us(840) rsadsi(113549) 2 }
 id-rsa-digest-md2 OBJECT IDENTIFIER ::= { id-rsa-digestAlgorithm 2 }
@@ -54,7 +54,7 @@ id-secsig-sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
 id-nistAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 }
-
+
 id-nist-aes-algs OBJECT IDENTIFIER ::= { id-nistAlgorithm 1 }
 id-aes-128-cbc OBJECT IDENTIFIER ::= { id-nist-aes-algs 2 }
@@ -72,9 +72,42 @@ id-dhpublicnumber OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
 ansi-x942(10046) number-type(2) 1 }
+-- ECC
+
+id-ecPublicKey OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }
+
+id-ecDH OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) schemes(1)
+ ecdh(12) }
+
+id-ecMQV OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) schemes(1)
+ ecmqv(13) }
+
+id-ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ ecdsa-with-SHA2(3) 2 }
+
+id-ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }
+
+-- some EC group ids
+
+id-ec-group-secp256r1 OBJECT IDENTIFIER ::= {
+ iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
+ prime(1) 7 }
+
+id-ec-group-secp160r1 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) 0 8 }
+
+id-ec-group-secp160r2 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) certicom(132) 0 30 }
+
+-- DSA
+
 id-x9-57 OBJECT IDENTIFIER ::= {
- iso(1) member-body(2) us(840) ansi-x942(10046)
- 4 }
+ iso(1) member-body(2) us(840) ansi-x942(10046) 4 }
 id-dsa OBJECT IDENTIFIER ::= { id-x9-57 1 }
 id-dsa-with-sha1 OBJECT IDENTIFIER ::= { id-x9-57 3 }
@@ -256,8 +289,8 @@ KeyIdentifier ::= OCTET STRING
 AuthorityKeyIdentifier ::= SEQUENCE {
 keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL,
- authorityCertIssuer [1] IMPLICIT -- GeneralName --
- SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL,
+ authorityCertIssuer [1] IMPLICIT -- GeneralName --
+ SEQUENCE -- SIZE (1..MAX) -- OF GeneralName OPTIONAL,
 authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL
 }
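Review bot: The "some EC group ids" block in the @@ -72 hunk puts secp160r1 and secp160r2 next to secp256r1 with no indication of which curves are meant to be accepted; the two 160-bit curves give roughly 80-bit security and are at best there to recognise old keys, yet an OID defined in this module is reachable by any code that matches named curves. Suggest replacing the heading with `-- EC group ids. secp256r1 is the curve to use; secp160r1/secp160r2 are ~80-bit security and are defined only so such keys can be identified, not as an acceptable signing or key-agreement curve.` and keeping the set of accepted curves an explicit list in the caller. A smaller style point in the same hunk: the new arcs are spelled `ansi-X9-62` while the existing DSA/DH arcs directly below use `ansi-x942`, so two casings of the ANSI arc now sit side by side; one convention would make the file easier to grep.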
@@ -269,7 +302,7 @@ id-x509-ce-basicConstraints OBJECT IDENTIFIER ::= { id-x509-ce 19 }
 BasicConstraints ::= SEQUENCE {
 cA BOOLEAN OPTIONAL -- DEFAULT FALSE --,
- pathLenConstraint INTEGER (0..4294967295) OPTIONAL
+ pathLenConstraint INTEGER (0..4294967295) OPTIONAL
 }
 id-x509-ce-nameConstraints OBJECT IDENTIFIER ::= { id-x509-ce 30 }
@@ -350,6 +383,21 @@ DSAParams ::= SEQUENCE {
 g INTEGER
 }
+-- draft-ietf-pkix-ecc-subpubkeyinfo-11
+
+ECPoint ::= OCTET STRING
+
+ECParameters ::= CHOICE {
+ namedCurve OBJECT IDENTIFIER
+ -- implicitCurve NULL
+ -- specifiedCurve SpecifiedECDomain
+}
+
+ECDSA-Sig-Value ::= SEQUENCE {
+ r INTEGER,
+ s INTEGER
+}
+
 -- really pkcs1
 RSAPublicKey ::= SEQUENCE {
@@ -382,7 +430,7 @@ DigestInfo ::= SEQUENCE {
 -- szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" is Encoded as:
--- TemplateVersion ::= INTEGER (0..4294967295)
+-- TemplateVersion ::= INTEGER (0..4294967295)
 -- CertificateTemplate ::= SEQUENCE {
 -- templateID OBJECT IDENTIFIER,
@@ -393,7 +441,7 @@ DigestInfo ::= SEQUENCE {
 --
 -- CRL
---
+--
 TBSCRLCertList ::= SEQUENCE {
 version Version OPTIONAL, -- if present, MUST be v2
@@ -489,16 +537,16 @@ id-uspkicommon-piv-interim OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }
--- Netscape extentions
-id-netscape OBJECT IDENTIFIER ::=
+id-netscape OBJECT IDENTIFIER ::=
 { joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) }
 id-netscape-cert-comment OBJECT IDENTIFIER ::= { id-netscape 1 13 }
--- MS extentions
-id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::=
+id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::=
 { 1 3 6 1 4 1 311 20 2 }
-id-ms-client-authentication OBJECT IDENTIFIER ::=
+id-ms-client-authentication OBJECT IDENTIFIER ::=
 { 1 3 6 1 5 5 7 3 2 } -- DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72
diff --git a/source4/heimdal/lib/asn1/test.asn1 b/source4/heimdal/lib/asn1/test.asn1
index d07bba6185..f6237b85b8 100644
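Review bot: In the @@ -350 hunk ECParameters is a CHOICE with only namedCurve while implicitCurve and specifiedCurve are commented out, and the block comment names the draft but not the intent, so a reader cannot tell whether those encodings are meant to fail to decode (the safe outcome, and what RFC 5480, the published form of that draft, says about them: they MUST NOT be used) or are merely unimplemented. Suggest `-- Only namedCurve is supported on purpose: implicitCurve and specifiedCurve MUST NOT be accepted (RFC 5480), so they are left out to make the decoder reject them -- confirm the generated CHOICE decoder does fail rather than skip.` ECPoint is likewise an opaque OCTET STRING here, so nothing at decode time checks that the bytes are a valid point; a line such as `-- ECPoint is not validated by the decoder; the consumer must check the point lies on the named curve before use` would make that responsibility visible. The unconstrained INTEGER members of ECDSA-Sig-Value presumably map to the compiler's big-integer type rather than a fixed-width one; if so, that is worth stating next to them.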
--- a/source4/heimdal/lib/asn1/test.asn1
+++ b/source4/heimdal/lib/asn1/test.asn1
@@ -20,12 +20,12 @@ TESTSeq ::= SEQUENCE {
 TESTChoice1 ::= CHOICE {
 i1[1] INTEGER (-2147483648..2147483647),
 i2[2] INTEGER (-2147483648..2147483647),
- ...
+ ...
 }
 TESTChoice2 ::= CHOICE {
 i1[1] INTEGER (-2147483648..2147483647),
- ...
+ ...
 }
 TESTInteger ::= INTEGER (-2147483648..2147483647)
@@ -35,7 +35,7 @@ TESTInteger3 ::= [5] IMPLICIT TESTInteger2
 TESTImplicit ::= SEQUENCE {
 ti1[0] IMPLICIT INTEGER (-2147483648..2147483647),
- ti2[1] IMPLICIT SEQUENCE {
+ ti2[1] IMPLICIT SEQUENCE {
 foo[127] INTEGER (-2147483648..2147483647)
 },
 ti3[2] IMPLICIT [5] IMPLICIT [4] IMPLICIT INTEGER (-2147483648..2147483647)
@@ -59,19 +59,19 @@ TESTAlloc ::= SEQUENCE {
 TESTCONTAINING ::= OCTET STRING ( CONTAINING INTEGER )
-TESTENCODEDBY ::= OCTET STRING ( ENCODED BY
+TESTENCODEDBY ::= OCTET STRING ( ENCODED BY
 { joint-iso-itu-t(2) asn(1) ber-derived(2) distinguished-encoding(1) } )
-TESTDer OBJECT IDENTIFIER ::= {
+TESTDer OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) asn(1) ber-derived(2) distinguished-encoding(1) }
-TESTCONTAININGENCODEDBY ::= OCTET STRING ( CONTAINING INTEGER ENCODED BY
+TESTCONTAININGENCODEDBY ::= OCTET STRING ( CONTAINING INTEGER ENCODED BY
 { joint-iso-itu-t(2) asn(1) ber-derived(2) distinguished-encoding(1) } )
-TESTCONTAININGENCODEDBY2 ::= OCTET STRING (
+TESTCONTAININGENCODEDBY2 ::= OCTET STRING (
 CONTAINING INTEGER ENCODED BY TESTDer )
-- cgit