2 * Routines for Kerberos
3 * Wes Hardaker (c) 2000
4 * wjhardaker@ucdavis.edu
6 * $Id: packet-kerberos.c,v 1.3 2000/08/13 14:08:23 deniel Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@zing.org>
10 * Copyright 1998 Didier Jorand
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
45 #include "packet-kerberos.h"
47 #define UDP_PORT_KERBEROS 88
48 #define TCP_PORT_KERBEROS 88
50 static gint ett_kerberos = -1;
51 static gint ett_preauth = -1;
52 static gint ett_addresses = -1;
53 static gint ett_request = -1;
54 static gint ett_princ = -1;
55 static gint ett_ticket = -1;
56 static gint ett_encrypted = -1;
57 static gint ett_etype = -1;
58 static gint proto_kerberos = -1;
60 #define KRB5_MSG_AS_REQ 0x0a
61 #define KRB5_MSG_AS_RESP 0x0b
62 #define KRB5_MSG_TGS_REQ 0x0c
63 #define KRB5_MSG_TGS_RESP 0x0d
65 #define KRB5_KDC_REQ_PVNO 0x01
66 #define KRB5_KDC_REQ_MSG_TYPE 0x02
67 #define KRB5_KDC_REQ_PADATA 0x03
68 #define KRB5_KDC_REQ_REQBODY 0x04
70 #define KRB5_KDC_RESP_PVNO 0x00
71 #define KRB5_KDC_RESP_MSG_TYPE 0x01
72 #define KRB5_KDC_RESP_PADATA 0x02
73 #define KRB5_KDC_RESP_CREALM 0x03
74 #define KRB5_KDC_RESP_CNAME 0x04
75 #define KRB5_KDC_RESP_TICKET 0x05
76 #define KRB5_KDC_RESP_ENC_PART 0x06
78 #define KRB5_BODY_KDC_OPTIONS 0x00
79 #define KRB5_BODY_CNAME 0x01
80 #define KRB5_BODY_REALM 0x02
81 #define KRB5_BODY_SNAME 0x03
82 #define KRB5_BODY_FROM 0x04
83 #define KRB5_BODY_TILL 0x05
84 #define KRB5_BODY_RTIME 0x06
85 #define KRB5_BODY_NONCE 0x07
86 #define KRB5_BODY_ETYPE 0x08
87 #define KRB5_BODY_ADDRESSES 0x09
88 #define KRB5_BODY_ENC_AUTHORIZATION_DATA 0x0a
89 #define KRB5_BODY_ADDITIONAL_TICKETS 0x0b
91 #define KRB5_ADDR_IPv4 0x02
92 #define KRB5_ADDR_CHAOS 0x05
93 #define KRB5_ADDR_XEROX 0x06
94 #define KRB5_ADDR_ISO 0x07
95 #define KRB5_ADDR_DECNET 0x0c
96 #define KRB5_ADDR_APPLETALK 0x10
98 #define KRB5_ETYPE_NULL 0
99 #define KRB5_ETYPE_DES_CBC_CRC 1
100 #define KRB5_ETYPE_DES_CBC_MD4 2
101 #define KRB5_ETYPE_DES_CBC_MD5 3
103 #define KRB5_PA_TGS_REQ 0x01
104 #define KRB5_PA_ENC_TIMESTAMP 0x02
105 #define KRB5_PA_PW_SALT 0x03
107 static const value_string krb5_preauthentication_types[] = {
108 { KRB5_PA_TGS_REQ , "PA-TGS-REQ" },
109 { KRB5_PA_ENC_TIMESTAMP, "PA-ENC-TIMESTAMP" },
110 { KRB5_PA_PW_SALT , "PA-PW-SALT" },
113 static const value_string krb5_encryption_types[] = {
114 { KRB5_ETYPE_NULL , "NULL" },
115 { KRB5_ETYPE_DES_CBC_CRC , "des-cbc-crc" },
116 { KRB5_ETYPE_DES_CBC_MD4 , "des-cbc-md4" },
117 { KRB5_ETYPE_DES_CBC_MD5 , "des-cbc-md5" },
120 static const value_string krb5_address_types[] = {
121 { KRB5_ADDR_IPv4, "IPv4"},
122 { KRB5_ADDR_CHAOS, "CHAOS"},
123 { KRB5_ADDR_XEROX, "XEROX"},
124 { KRB5_ADDR_ISO, "ISO"},
125 { KRB5_ADDR_DECNET, "DECNET"},
126 { KRB5_ADDR_APPLETALK, "APPLETALK"}
129 static const value_string krb5_msg_types[] = {
130 { KRB5_MSG_TGS_REQ, "TGS-REQ" },
131 { KRB5_MSG_TGS_RESP, "TGS-RESP" },
132 { KRB5_MSG_AS_REQ, "AS-REQ" },
133 { KRB5_MSG_AS_RESP, "AS-RESP" }
137 to_error_str(int ret) {
141 return("Ran out of data");
143 case ASN1_ERR_EOC_MISMATCH:
144 return("EOC mismatch");
146 case ASN1_ERR_WRONG_TYPE:
147 return("Wrong type for that item");
149 case ASN1_ERR_LENGTH_NOT_DEFINITE:
150 return("Length was indefinite");
152 case ASN1_ERR_LENGTH_MISMATCH:
153 return("Length mismatch");
155 case ASN1_ERR_WRONG_LENGTH_FOR_TYPE:
156 return("Wrong length for that item's type");
159 return("Unknown error");
163 krb_proto_tree_add_time(proto_tree *tree, int offset, int str_len,
164 char *name, guchar *str) {
166 proto_tree_add_text(tree, NullTVB, offset, str_len,
167 "%s: %.4s-%.2s-%.2s %.2s:%.2s:%.2s (%.1s)",
168 name, str, str+4, str+6,
169 str+8, str+10, str+12,
175 * You must be kidding. I'm going to actually use a macro to do something?
179 #define KRB_HEAD_DECODE_OR_DIE(token) \
180 start = asn1p->pointer; \
181 ret = asn1_header_decode (asn1p, &cls, &con, &tag, &def, &item_len); \
182 if (ret != ASN1_ERR_NOERROR && ret != ASN1_ERR_EMPTY) {\
183 col_add_fstr(fd, COL_INFO, "ERROR: Problem at %s: %s", \
184 token, to_error_str(ret)); \
188 col_add_fstr(fd, COL_INFO, "not definite: %s", token); \
189 fprintf(stderr,"not definite: %s\n", token); \
192 offset += (asn1p->pointer - start);
195 #define KRB_DECODE_OR_DIE(token, fn, val) \
196 ret = fn (asn1p, &val, &length); \
197 if (ret != ASN1_ERR_NOERROR) { \
198 col_add_fstr(fd, COL_INFO, "ERROR: Problem at %s: %s", \
199 token, to_error_str(ret)); \
203 /* dissect_type_value_pair decodes (roughly) this:
210 which is all over the place in krb5 */
213 dissect_type_value_pair(ASN1_SCK *asn1p, int *inoff,
214 int *type, int *type_len, int *type_off,
215 guchar **val, int *val_len, int *val_off) {
224 start = asn1p->pointer;
225 asn1_header_decode (asn1p, &cls, &con, &tag, &def, &tmp_len);
226 offset += (asn1p->pointer - start);
230 start = asn1p->pointer;
231 asn1_header_decode (asn1p, &cls, &con, &tag, &def, &tmp_len);
232 offset += (asn1p->pointer - start);
238 ret = asn1_int32_decode(asn1p, type, type_len);
239 if (ret != ASN1_ERR_NOERROR) {
240 fprintf(stderr,"die: type_value_pair: type, %s\n", to_error_str(ret));
245 /* OCTET STRING (or generic data) */
247 start = asn1p->pointer;
248 asn1_header_decode (asn1p, &cls, &con, &tag, &def, val_len);
249 asn1_header_decode (asn1p, &cls, &con, &tag, &def, val_len);
250 offset += asn1p->pointer - start;
256 asn1_octet_string_value_decode (asn1p, *val_len, val);
258 *inoff = offset + *val_len;
263 dissect_kerberos(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
265 proto_tree *kerberos_tree = NULL;
266 proto_tree *etype_tree = NULL;
267 proto_tree *preauth_tree = NULL;
268 proto_tree *request_tree = NULL;
269 ASN1_SCK asn1, *asn1p = &asn1;
270 proto_item *item = NULL;
275 guint item_len, total_len;
280 guint protocol_message_type;
290 int tmp_pos1, tmp_pos2;
292 OLD_CHECK_DISPLAY_AS_DATA(proto_kerberos, pd, offset, fd, tree);
294 if (check_col(fd, COL_PROTOCOL))
295 col_add_str(fd, COL_PROTOCOL, "KRB5");
298 item = proto_tree_add_item(tree, proto_kerberos, NullTVB, offset,
299 END_OF_FRAME, FALSE);
300 kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
303 asn1_open(&asn1, &pd[offset], END_OF_FRAME);
306 KRB_HEAD_DECODE_OR_DIE("top");
307 protocol_message_type = tag;
310 KRB_HEAD_DECODE_OR_DIE("top2");
313 KRB_HEAD_DECODE_OR_DIE("version-wrap");
314 KRB_DECODE_OR_DIE("version", asn1_int32_decode, version);
317 proto_tree_add_text(kerberos_tree, NullTVB, offset, length,
324 KRB_HEAD_DECODE_OR_DIE("message-type-wrap");
325 KRB_DECODE_OR_DIE("message-type", asn1_int32_decode, msg_type);
328 proto_tree_add_text(kerberos_tree, NullTVB, offset, length,
330 val_to_str(msg_type, krb5_msg_types,
331 "Unknown msg type %#x"));
335 if (check_col(fd, COL_INFO))
336 col_add_str(fd, COL_INFO, val_to_str(msg_type, krb5_msg_types,
337 "Unknown msg type %#x"));
339 /* is preauthentication present? */
340 KRB_HEAD_DECODE_OR_DIE("padata-or-body");
341 if (((protocol_message_type == KRB5_MSG_AS_REQ ||
342 protocol_message_type == KRB5_MSG_TGS_REQ) &&
343 tag == KRB5_KDC_REQ_PADATA) ||
344 ((protocol_message_type == KRB5_MSG_AS_RESP ||
345 protocol_message_type == KRB5_MSG_TGS_RESP) &&
346 tag == KRB5_KDC_RESP_PADATA)) {
347 /* pre-authentication supplied */
350 item = proto_tree_add_text(kerberos_tree, NullTVB, offset,
351 item_len, "Pre-Authentication");
352 preauth_tree = proto_item_add_subtree(item, ett_preauth);
355 KRB_HEAD_DECODE_OR_DIE("sequence of pa-data");
356 start = asn1p->pointer + item_len;
358 while(start > asn1p->pointer) {
359 dissect_type_value_pair(asn1p, &offset,
360 &preauth_type, &item_len, &tmp_pos1,
361 &str, &str_len, &tmp_pos2);
364 proto_tree_add_text(preauth_tree, NullTVB, tmp_pos1,
365 item_len, "Type: %s",
366 val_to_str(preauth_type,
367 krb5_preauthentication_types,
368 "Unknown preauth type %#x"));
369 proto_tree_add_text(preauth_tree, NullTVB, tmp_pos2,
370 str_len, "Value: %s",
371 bytes_to_str(str, str_len));
374 KRB_HEAD_DECODE_OR_DIE("message-body");
377 if (protocol_message_type == KRB5_MSG_AS_REQ ||
378 protocol_message_type == KRB5_MSG_TGS_REQ) {
381 KRB_HEAD_DECODE_OR_DIE("body-sequence");
383 item = proto_tree_add_text(kerberos_tree, NullTVB, offset,
384 item_len, "Request");
385 request_tree = proto_item_add_subtree(item, ett_request);
389 KRB_HEAD_DECODE_OR_DIE("kdc options");
391 KRB_HEAD_DECODE_OR_DIE("kdc options:bits");
394 proto_tree_add_text(request_tree, NullTVB, offset, item_len,
396 bytes_to_str(asn1.pointer, item_len));
399 asn1.pointer += item_len;
401 KRB_HEAD_DECODE_OR_DIE("Principal Name");
403 if (tag == KRB5_BODY_CNAME) {
404 dissect_PrincipalName("Client Name", asn1p, fd, request_tree,
406 KRB_HEAD_DECODE_OR_DIE("realm name");
409 if (tag == KRB5_BODY_REALM) {
410 dissect_GeneralString(asn1p, &str, &str_len, &item_len);
411 offset += item_len - str_len;
413 proto_tree_add_text(request_tree, NullTVB, offset, str_len,
414 "Realm: %.*s", str_len, str);
417 KRB_HEAD_DECODE_OR_DIE("realm name");
422 if (tag == KRB5_BODY_SNAME) {
423 dissect_PrincipalName("Server Name", asn1p, fd, request_tree, &offset);
424 KRB_HEAD_DECODE_OR_DIE("realm name");
427 if (tag == KRB5_BODY_FROM) {
428 dissect_GeneralString(asn1p, &str, &str_len, &item_len);
429 offset += item_len - str_len;
430 krb_proto_tree_add_time(request_tree, offset, str_len,
433 KRB_HEAD_DECODE_OR_DIE("realm name");
436 if (tag == KRB5_BODY_TILL) {
437 dissect_GeneralString(asn1p, &str, &str_len, &item_len);
438 offset += item_len - str_len;
439 krb_proto_tree_add_time(request_tree, offset, str_len,
442 KRB_HEAD_DECODE_OR_DIE("realm name");
447 if (tag == KRB5_BODY_RTIME) {
448 dissect_GeneralString(asn1p, &str, &str_len, &item_len);
449 offset += item_len - str_len;
450 krb_proto_tree_add_time(request_tree, offset, str_len,
451 "Renewable Until", str);
453 KRB_HEAD_DECODE_OR_DIE("realm name");
456 if (tag == KRB5_BODY_NONCE) {
457 ret = asn1_int32_decode(asn1p, &tmp_int, &length);
458 if (ret != ASN1_ERR_NOERROR) {
459 fprintf(stderr,"die: nonce, %s\n", to_error_str(ret));
463 proto_tree_add_text(request_tree, NullTVB, offset, length,
472 KRB_HEAD_DECODE_OR_DIE("encryption type spot");
473 if (tag == KRB5_BODY_ETYPE) {
474 KRB_HEAD_DECODE_OR_DIE("encryption type list");
476 item = proto_tree_add_text(request_tree, NullTVB, offset,
477 item_len, "Encryption Types");
478 etype_tree = proto_item_add_subtree(item, ett_etype);
480 total_len = item_len;
481 while(total_len > 0) {
482 ret = asn1_int32_decode(asn1p, &tmp_int, &length);
483 if (ret != ASN1_ERR_NOERROR) {
484 fprintf(stderr,"die: etype, %s\n", to_error_str(ret));
488 proto_tree_add_text(etype_tree, NullTVB, offset, length,
491 krb5_encryption_types,
492 "Unknown encryption type %#x"));
501 KRB_HEAD_DECODE_OR_DIE("addresses");
502 if (tag == KRB5_BODY_ADDRESSES) {
503 /* pre-authentication supplied */
505 dissect_Addresses("Addresses", asn1p, fd, kerberos_tree, &offset);
506 KRB_HEAD_DECODE_OR_DIE("auth-data");
508 } else if (protocol_message_type == KRB5_MSG_AS_RESP ||
509 protocol_message_type == KRB5_MSG_TGS_RESP) {
510 if (tag == KRB5_KDC_RESP_CREALM) {
511 dissect_GeneralString(asn1p, &str, &str_len, &item_len);
512 offset += item_len - str_len;
514 proto_tree_add_text(kerberos_tree, NullTVB, offset, str_len,
515 "Realm: %.*s", str_len, str);
522 KRB_HEAD_DECODE_OR_DIE("cname");
523 if (tag == KRB5_KDC_RESP_CNAME) {
524 dissect_PrincipalName("Client Name", asn1p, fd, kerberos_tree,
530 KRB_HEAD_DECODE_OR_DIE("ticket");
531 if (tag == KRB5_KDC_RESP_TICKET) {
532 dissect_ticket("ticket", asn1p, fd, kerberos_tree, &offset);
537 KRB_HEAD_DECODE_OR_DIE("enc-msg-part");
538 if (tag == KRB5_KDC_RESP_TICKET) {
539 dissect_EncryptedData("Encrypted Payload", asn1p, fd, kerberos_tree,
548 dissect_GeneralString(ASN1_SCK *asn1p, guchar **where,
549 guint *item_len, guint *pkt_len)
553 const guchar *start = asn1p->pointer;
555 asn1_header_decode (asn1p, &cls, &con, &tag, &def, item_len);
556 asn1_octet_string_value_decode (asn1p, *item_len, where);
557 *pkt_len = asn1p->pointer - start;
561 dissect_PrincipalName(char *title, ASN1_SCK *asn1p, frame_data *fd,
562 proto_tree *tree, int *inoff) {
563 proto_tree *princ_tree = NULL;
570 guint item_len, total_len, type_len;
573 proto_item *item = NULL;
586 KRB_HEAD_DECODE_OR_DIE("principal section");
588 KRB_HEAD_DECODE_OR_DIE("principal type");
589 KRB_DECODE_OR_DIE("princ-type", asn1_int32_decode, princ_type);
590 type_offset = offset;
594 KRB_HEAD_DECODE_OR_DIE("cname header");
595 total_len = item_len;
597 dissect_GeneralString(asn1p, &name, &name_len, &item_len);
598 offset += item_len - name_len;
601 item = proto_tree_add_text(tree, NullTVB, *inoff, total_len,
602 "%s: %.*s", title, (int) name_len, name);
603 princ_tree = proto_item_add_subtree(item, ett_princ);
605 proto_tree_add_text(princ_tree, NullTVB, type_offset, type_len,
606 "Type: %d", princ_type);
607 proto_tree_add_text(princ_tree, NullTVB, offset, name_len,
608 "Name: %.*s", (int) name_len, name);
611 total_len -= item_len;
614 while(total_len > 0) {
615 dissect_GeneralString(asn1p, &name, &name_len, &item_len);
616 offset += item_len - name_len;
618 proto_tree_add_text(princ_tree, NullTVB, offset, name_len,
619 "Name: %.*s", (int) name_len, name);
621 total_len -= item_len;
629 dissect_Addresses(char *title, ASN1_SCK *asn1p, frame_data *fd,
630 proto_tree *tree, int *inoff) {
631 proto_tree *address_tree = NULL;
639 proto_item *item = NULL;
642 int tmp_pos1, tmp_pos2;
651 KRB_HEAD_DECODE_OR_DIE("sequence of addresses");
653 item = proto_tree_add_text(tree, NullTVB, offset,
654 item_len, "Addresses");
655 address_tree = proto_item_add_subtree(item, ett_addresses);
658 start = asn1p->pointer + item_len;
660 while(start > asn1p->pointer) {
661 dissect_type_value_pair(asn1p, &offset,
662 &address_type, &item_len, &tmp_pos1,
663 &str, &str_len, &tmp_pos2);
666 proto_tree_add_text(address_tree, NullTVB, tmp_pos1,
667 item_len, "Type: %s",
668 val_to_str(address_type, krb5_address_types,
669 "Unknown address type %#x"));
670 switch(address_type) {
672 proto_tree_add_text(address_tree, NullTVB, tmp_pos2,
673 str_len, "Value: %d.%d.%d.%d",
674 str[0], str[1], str[2], str[3]);
678 proto_tree_add_text(address_tree, NullTVB, tmp_pos2,
679 str_len, "Value: %s",
680 bytes_to_str(str, str_len));
690 dissect_EncryptedData(char *title, ASN1_SCK *asn1p, frame_data *fd,
691 proto_tree *tree, int *inoff) {
692 proto_tree *encr_tree = NULL;
700 proto_item *item = NULL;
710 KRB_HEAD_DECODE_OR_DIE("encrypted data section");
713 item = proto_tree_add_text(tree, NullTVB, *inoff, item_len,
714 "Encrypted Data: %s", title);
715 encr_tree = proto_item_add_subtree(item, ett_princ);
719 KRB_HEAD_DECODE_OR_DIE("encryption type");
720 KRB_DECODE_OR_DIE("encr-type", asn1_int32_decode, val);
723 proto_tree_add_text(encr_tree, NullTVB, offset, length,
725 val_to_str(val, krb5_encryption_types,
726 "Unknown encryption type %#x"));
731 KRB_HEAD_DECODE_OR_DIE("kvno-wrap");
732 KRB_DECODE_OR_DIE("kvno", asn1_int32_decode, val);
735 proto_tree_add_text(encr_tree, NullTVB, offset, length,
740 KRB_HEAD_DECODE_OR_DIE("cipher-wrap");
741 KRB_HEAD_DECODE_OR_DIE("cipher");
742 asn1_octet_string_value_decode (asn1p, item_len, &data);
745 proto_tree_add_text(encr_tree, NullTVB, offset, length,
746 "Cipher: %s", bytes_to_str(data, item_len));
755 dissect_ticket(char *title, ASN1_SCK *asn1p, frame_data *fd, proto_tree *tree,
758 Ticket ::= [APPLICATION 1] SEQUENCE {
761 sname[2] PrincipalName,
762 enc-part[3] EncryptedData
765 proto_tree *ticket_tree = NULL;
773 proto_item *item = NULL;
784 KRB_HEAD_DECODE_OR_DIE("ticket section");
785 KRB_HEAD_DECODE_OR_DIE("ticket sequence");
788 item = proto_tree_add_text(tree, NullTVB, *inoff, item_len,
790 ticket_tree = proto_item_add_subtree(item, ett_ticket);
794 KRB_HEAD_DECODE_OR_DIE("ticket type");
795 KRB_DECODE_OR_DIE("ticket-type", asn1_int32_decode, val);
798 proto_tree_add_text(ticket_tree, NullTVB, offset, length,
804 KRB_HEAD_DECODE_OR_DIE("realm");
805 dissect_GeneralString(asn1p, &str, &str_len, &item_len);
806 offset += item_len - str_len;
808 proto_tree_add_text(ticket_tree, NullTVB, offset, str_len,
809 "Realm: %.*s", str_len, str);
813 /* server name (sname) */
814 KRB_HEAD_DECODE_OR_DIE("sname");
815 dissect_PrincipalName("Service Name", asn1p, fd, ticket_tree, &offset);
818 KRB_HEAD_DECODE_OR_DIE("enc-part");
819 dissect_EncryptedData("ticket data", asn1p, fd, ticket_tree, &offset);
827 proto_register_kerberos(void) {
829 static hf_register_info hf[] = {
832 static gint *ett[] = {
842 proto_kerberos = proto_register_protocol("Kerberos", "kerberos");
844 proto_register_field_array(proto_kerberos, hf, array_length(hf));
846 proto_register_subtree_array(ett, array_length(ett));
850 proto_reg_handoff_kerberos(void)
852 old_dissector_add("udp.port", UDP_PORT_KERBEROS, dissect_kerberos);
853 old_dissector_add("tcp.port", TCP_PORT_KERBEROS, dissect_kerberos);
858 MISC definitions from RFC1510:
860 KerberosTime ::= GeneralizedTime
861 Realm ::= GeneralString
862 PrincipalName ::= SEQUENCE {
863 name-type[0] INTEGER,
864 name-string[1] SEQUENCE OF GeneralString
866 HostAddress ::= SEQUENCE {
867 addr-type[0] INTEGER,
868 address[1] OCTET STRING
871 HostAddresses ::= SEQUENCE OF SEQUENCE {
872 addr-type[0] INTEGER,
873 address[1] OCTET STRING
876 AS-REQ ::= [APPLICATION 10] KDC-REQ
877 TGS-REQ ::= [APPLICATION 12] KDC-REQ
879 KDC-REQ ::= SEQUENCE {
882 padata[3] SEQUENCE OF PA-DATA OPTIONAL,
883 req-body[4] KDC-REQ-BODY
886 PA-DATA ::= SEQUENCE {
887 padata-type[1] INTEGER,
888 padata-value[2] OCTET STRING,
889 -- might be encoded AP-REQ
892 KDC-REQ-BODY ::= SEQUENCE {
893 kdc-options[0] KDCOptions,
894 cname[1] PrincipalName OPTIONAL,
895 -- Used only in AS-REQ
896 realm[2] Realm, -- Server's realm
897 -- Also client's in AS-REQ
898 sname[3] PrincipalName OPTIONAL,
899 from[4] KerberosTime OPTIONAL,
900 till[5] KerberosTime,
901 rtime[6] KerberosTime OPTIONAL,
903 etype[8] SEQUENCE OF INTEGER, -- EncryptionType,
904 -- in preference order
905 addresses[9] HostAddresses OPTIONAL,
906 enc-authorization-data[10] EncryptedData OPTIONAL,
907 -- Encrypted AuthorizationData encoding
908 additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
911 AS-REP ::= [APPLICATION 11] KDC-REP
912 TGS-REP ::= [APPLICATION 13] KDC-REP
914 KDC-REP ::= SEQUENCE {
917 padata[2] SEQUENCE OF PA-DATA OPTIONAL,
919 cname[4] PrincipalName,
921 enc-part[6] EncryptedData
924 EncASRepPart ::= [APPLICATION 25[25]] EncKDCRepPart
925 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
927 EncKDCRepPart ::= SEQUENCE {
928 key[0] EncryptionKey,
931 key-expiration[3] KerberosTime OPTIONAL,
932 flags[4] TicketFlags,
933 authtime[5] KerberosTime,
934 starttime[6] KerberosTime OPTIONAL,
935 endtime[7] KerberosTime,
936 renew-till[8] KerberosTime OPTIONAL,
938 sname[10] PrincipalName,
939 caddr[11] HostAddresses OPTIONAL
942 Ticket ::= [APPLICATION 1] SEQUENCE {
945 sname[2] PrincipalName,
946 enc-part[3] EncryptedData