# Impacket - Collection of Python classes for working with network protocols.
#
# SECUREAUTH LABS. Copyright (C) 2020 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Description:
# Constants for the krb5.asn1 package. They were taken from the RFC, plus
# some data from [MS-KILE] as well.
#
# Author:
# Alberto Solino (@agsolino)
#
16from impacket.dcerpc.v5.enum import Enum
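def encodeFlags(flags, width=32):
    """Return a list of ``width`` 0/1 ints with the positions in *flags* set to 1.

    Index ``i`` of the result corresponds to flag value ``i``; this is the
    plain bit-list shape the krb5.asn1 structures are presumably fed for
    their BIT STRING fields (confirm at the call sites).

    Args:
        flags: iterable of ints, each a bit position to set (e.g. the
            ``.value`` of a ``KDCOptions``, ``TicketFlags`` or ``APOptions``
            member).  Duplicates are harmless; an empty iterable yields an
            all-zero list.
        width: number of bits in the result.  Defaults to 32, the size the
            original hard-coded and the size the flag enums in this module
            fit in (their values are all in 0..31).

    Returns:
        A new ``list`` of ``width`` ints, each 0 or 1.

    Raises:
        IndexError: if a flag position is not in ``0 <= f < width``.  The
            original only failed for ``f >= 32``; a negative value silently
            set a bit counted from the end of the list, which is never what
            a flag value means, so it is rejected explicitly now.
    """
    finalFlags = [0] * width
    for f in flags:
        # Explicit range check so a negative position cannot wrap around
        # and set the wrong bit without anyone noticing.
        if not 0 <= f < width:
            raise IndexError("flag position %r outside 0..%d" % (f, width - 1))
        finalFlags[f] = 1
    return finalFlags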
class ApplicationTagNumbers(Enum):
    """ASN.1 [APPLICATION n] tag numbers of the Kerberos structures in krb5.asn1.

    The message-type tags (10-15, 20-22, 30) carry the same numbers as the
    KerberosMessageTypes enum further down; 16 and 17 are reserved.
    """
    Ticket = 1
    Authenticator = 2
    EncTicketPart = 3
    AS_REQ = 10
    AS_REP = 11
    TGS_REQ = 12
    TGS_REP = 13
    AP_REQ = 14
    AP_REP = 15
    RESERVED16 = 16
    RESERVED17 = 17
    KRB_SAFE = 20
    KRB_PRIV = 21
    KRB_CRED = 22
    # Encrypted parts of the replies / messages above.
    EncASRepPart = 25
    EncTGSRepPart = 26
    EncApRepPart = 27
    EncKrbPrivPart = 28
    EncKrbCredPart = 29
    KRB_ERROR = 30
class PrincipalNameType(Enum):
    """name-type values of a PrincipalName.

    Same numbers as the NameTypes enum below, without the KRB_ prefix.  The
    negative values are Microsoft-specific types (presumably from [MS-KILE],
    which the file header cites).
    """
    NT_UNKNOWN = 0
    NT_PRINCIPAL = 1
    NT_SRV_INST = 2
    NT_SRV_HST = 3
    NT_SRV_XHST = 4
    NT_UID = 5
    NT_X500_PRINCIPAL = 6
    NT_SMTP_NAME = 7
    NT_ENTERPRISE = 10
    NT_WELLKNOWN = 11
    NT_SRV_HST_DOMAIN = 12
    NT_MS_PRINCIPAL = -128
    NT_MS_PRINCIPAL_AND_ID = -129
    NT_ENT_PRINCIPAL_AND_ID = -130
class PreAuthenticationDataTypes(Enum):
    """padata-type values (PA-*) and typed-data values (TD-*).

    Values from 128 upwards are Microsoft extensions (PA_PAC_REQUEST,
    PA_FOR_USER, KERB_KEY_LIST_*, PA_SUPPORTED_ENCTYPES, PA_PAC_OPTIONS) or
    later IETF additions (PA_FX_*, PA_ENCRYPTED_CHALLENGE).  TD_PADATA shares
    value 22 with PA_GET_FROM_TYPED_DATA, so under standard Enum semantics it
    is an alias of that member rather than a distinct one.
    """
    PA_TGS_REQ = 1
    PA_ENC_TIMESTAMP = 2   # password-derived-key timestamp pre-auth
    PA_PW_SALT = 3
    PA_ENC_UNIX_TIME = 5
    PA_SANDIA_SECUREID = 6
    PA_SESAME = 7
    PA_OSF_DCE = 8
    PA_CYBERSAFE_SECUREID = 9
    PA_AFS3_SALT = 10
    PA_ETYPE_INFO = 11
    PA_SAM_CHALLENGE = 12
    PA_SAM_RESPONSE = 13
    PA_PK_AS_REQ_OLD = 14
    PA_PK_AS_REP_OLD = 15
    PA_PK_AS_REQ = 16
    PA_PK_AS_REP = 17
    PA_ETYPE_INFO2 = 19
    PA_USE_SPECIFIED_KVNO = 20
    PA_SAM_REDIRECT = 21
    PA_GET_FROM_TYPED_DATA = 22
    TD_PADATA = 22          # same value as PA_GET_FROM_TYPED_DATA (alias)
    PA_SAM_ETYPE_INFO = 23
    PA_ALT_PRINC = 24
    PA_SAM_CHALLENGE2 = 30
    PA_SAM_RESPONSE2 = 31
    PA_EXTRA_TGT = 41
    TD_PKINIT_CMS_CERTIFICATES = 101
    TD_KRB_PRINCIPAL = 102
    TD_KRB_REALM = 103
    TD_TRUSTED_CERTIFIERS = 104
    TD_CERTIFICATE_INDEX = 105
    TD_APP_DEFINED_ERROR = 106
    TD_REQ_NONCE = 107
    TD_REQ_SEQ = 108
    PA_PAC_REQUEST = 128    # [MS-KILE]: ask the KDC to include/omit the PAC
    PA_FOR_USER = 129       # [MS-SFU]: S4U2Self
    PA_FX_COOKIE = 133
    PA_FX_FAST = 136
    PA_FX_ERROR = 137
    PA_ENCRYPTED_CHALLENGE = 138
    KERB_KEY_LIST_REQ = 161
    KERB_KEY_LIST_REP = 162
    PA_SUPPORTED_ENCTYPES = 165
    PA_PAC_OPTIONS = 167    # bits described by PAPacOptions in this module
class AddressType(Enum):
    """addr-type values of a HostAddress (RFC 4120 §7.5.3 address types)."""
    IPv4 = 2
    Directional = 3
    ChaosNet = 5
    XNS = 6
    ISO = 7
    DECNET_Phase_IV = 12
    AppleTalk_DDP = 16
    NetBios = 20
    IPv6 = 24
# [MS-KILE] 3.1.5.9 Key Usage Numbers.  The names suggest these are the key
# usage values for material derived from Kerberos keys by non-Kerberos
# protocols (salt and checksum salt respectively) - confirm against the spec.
KERB_NON_KERB_SALT, KERB_NON_KERB_CKSUM_SALT = 16, 17
# 7.5.4. Authorization Data Types
class AuthorizationDataType(Enum):
    """ad-type values of an AuthorizationData element (RFC 4120 §7.5.4).

    AD_WIN2K_PAC (128) is the Microsoft PAC; a consumer that acts on the
    group/claim data inside it should only do so after verifying the PAC
    signatures, since the container itself is just an opaque AD element.
    """
    AD_IF_RELEVANT = 1
    AD_INTENDED_FOR_SERVER = 2
    AD_INTENDED_FOR_APPLICATION_CLASS = 3
    AD_KDC_ISSUED = 4
    AD_AND_OR = 5
    AD_MANDATORY_TICKET_EXTENSIONS = 6
    AD_IN_TICKET_EXTENSIONS = 7
    AD_MANDATORY_FOR_KDC = 8
    # Reserved values = 9-63
    OSF_DCE = 64
    SESAME = 65
    AD_OSF_DCE_PKI_CERTID = 66
    AD_WIN2K_PAC = 128
    AD_ETYPE_NEGOTIATION = 129
# 7.5.5. Transited Encoding Types
class TransitedEncodingTypes(Enum):
    """tr-type values of a TransitedEncoding (RFC 4120 §7.5.5); only one is defined."""
    DOMAIN_X500_COMPRESS = 1
# 7.5.6. Protocol Version Number
class ProtocolVersionNumber(Enum):
    """pvno field value: Kerberos V5 (RFC 4120 §7.5.6)."""
    pvno = 5
# 7.5.7. Kerberos Message Types
class KerberosMessageTypes(Enum):
    """msg-type values (RFC 4120 §7.5.7); they coincide with the APPLICATION tags."""
    KRB_AS_REQ = 10      # Request for initial authentication
    KRB_AS_REP = 11      # Response to KRB_AS_REQ request
    KRB_TGS_REQ = 12     # Request for authentication based on TGT
    KRB_TGS_REP = 13     # Response to KRB_TGS_REQ request
    KRB_AP_REQ = 14      # Application request to server
    KRB_AP_REP = 15      # Response to KRB_AP_REQ_MUTUAL
    KRB_RESERVED16 = 16  # Reserved for user-to-user krb_tgt_request
    KRB_RESERVED17 = 17  # Reserved for user-to-user krb_tgt_reply
    KRB_SAFE = 20        # Safe (checksummed) application message
    KRB_PRIV = 21        # Private (encrypted) application message
    KRB_CRED = 22        # Private (encrypted) message to forward credentials
    KRB_ERROR = 30       # Error response
# 7.5.8. Name Types
class NameTypes(Enum):
    """name-type values (RFC 4120 §7.5.8) plus the Microsoft-specific ones.

    Same numbers as PrincipalNameType above, with the KRB_ prefix.
    """
    KRB_NT_UNKNOWN = 0          # Name type not known
    KRB_NT_PRINCIPAL = 1        # Just the name of the principal as in DCE, or for users
    KRB_NT_SRV_INST = 2         # Service and other unique instance (krbtgt)
    KRB_NT_SRV_HST = 3          # Service with host name as instance (telnet, rcommands)
    KRB_NT_SRV_XHST = 4         # Service with host as remaining components
    KRB_NT_UID = 5              # Unique ID
    KRB_NT_X500_PRINCIPAL = 6   # Encoded X.509 Distinguished name [RFC2253]
    KRB_NT_SMTP_NAME = 7        # Name in form of SMTP email name (e.g., user@example.com)
    KRB_NT_ENTERPRISE = 10      # Enterprise name; may be mapped to principal name
    # Other Name Types (Microsoft-specific for the negative values)
    KRB_NT_WELLKNOWN = 11
    KRB_NT_SRV_HST_DOMAIN = 12
    KRB_NT_MS_PRINCIPAL = -128
    KRB_NT_MS_PRINCIPAL_AND_ID = -129
    KRB_NT_ENT_PRINCIPAL_AND_ID = -130
# 7.5.9. Error Codes
class ErrorCodes(Enum):
    """error-code values carried in KRB-ERROR (RFC 4120 §7.5.9).

    ERROR_MESSAGES below maps the same numbers to (name, text) pairs.
    NOTE(review): for detection purposes, a KDC's distinct answers for an
    unknown client (6), a revoked one (18), an expired key (23) and failed
    pre-auth (24) make bursts of these codes from one source against many
    names a useful signal of account probing or password spraying.
    """
    KDC_ERR_NONE = 0                             # No error
    KDC_ERR_NAME_EXP = 1                         # Client's entry in database has expired
    KDC_ERR_SERVICE_EXP = 2                      # Server's entry in database has expired
    KDC_ERR_BAD_PVNO = 3                         # Requested protocol version number not supported
    KDC_ERR_C_OLD_MAST_KVNO = 4                  # Client's key encrypted in old master key
    KDC_ERR_S_OLD_MAST_KVNO = 5                  # Server's key encrypted in old master key
    KDC_ERR_C_PRINCIPAL_UNKNOWN = 6              # Client not found in Kerberos database
    KDC_ERR_S_PRINCIPAL_UNKNOWN = 7              # Server not found in Kerberos database
    KDC_ERR_PRINCIPAL_NOT_UNIQUE = 8             # Multiple principal entries in database
    KDC_ERR_NULL_KEY = 9                         # The client or server has a null key
    KDC_ERR_CANNOT_POSTDATE = 10                 # Ticket not eligible for postdating
    KDC_ERR_NEVER_VALID = 11                     # Requested starttime is later than end time
    KDC_ERR_POLICY = 12                          # KDC policy rejects request
    KDC_ERR_BADOPTION = 13                       # KDC cannot accommodate requested option
    KDC_ERR_ETYPE_NOSUPP = 14                    # KDC has no support for encryption type
    KDC_ERR_SUMTYPE_NOSUPP = 15                  # KDC has no support for checksum type
    KDC_ERR_PADATA_TYPE_NOSUPP = 16              # KDC has no support for padata type
    KDC_ERR_TRTYPE_NOSUPP = 17                   # KDC has no support for transited type
    KDC_ERR_CLIENT_REVOKED = 18                  # Clients credentials have been revoked
    KDC_ERR_SERVICE_REVOKED = 19                 # Credentials for server have been revoked
    KDC_ERR_TGT_REVOKED = 20                     # TGT has been revoked
    KDC_ERR_CLIENT_NOTYET = 21                   # Client not yet valid; try again later
    KDC_ERR_SERVICE_NOTYET = 22                  # Server not yet valid; try again later
    KDC_ERR_KEY_EXPIRED = 23                     # Password has expired; change password to reset
    KDC_ERR_PREAUTH_FAILED = 24                  # Pre-authentication information was invalid
    KDC_ERR_PREAUTH_REQUIRED = 25                # Additional pre-authentication required
    KDC_ERR_SERVER_NOMATCH = 26                  # Requested server and ticket don't match
    KDC_ERR_MUST_USE_USER2USER = 27              # Server principal valid for user2user only
    KDC_ERR_PATH_NOT_ACCEPTED = 28               # KDC Policy rejects transited path
    KDC_ERR_SVC_UNAVAILABLE = 29                 # A service is not available
    KRB_AP_ERR_BAD_INTEGRITY = 31                # Integrity check on decrypted field failed
    KRB_AP_ERR_TKT_EXPIRED = 32                  # Ticket expired
    KRB_AP_ERR_TKT_NYV = 33                      # Ticket not yet valid
    KRB_AP_ERR_REPEAT = 34                       # Request is a replay
    KRB_AP_ERR_NOT_US = 35                       # The ticket isn't for us
    KRB_AP_ERR_BADMATCH = 36                     # Ticket and authenticator don't match
    KRB_AP_ERR_SKEW = 37                         # Clock skew too great
    KRB_AP_ERR_BADADDR = 38                      # Incorrect net address
    KRB_AP_ERR_BADVERSION = 39                   # Protocol version mismatch
    KRB_AP_ERR_MSG_TYPE = 40                     # Invalid msg type
    KRB_AP_ERR_MODIFIED = 41                     # Message stream modified
    KRB_AP_ERR_BADORDER = 42                     # Message out of order
    KRB_AP_ERR_BADKEYVER = 44                    # Specified version of key is not available
    KRB_AP_ERR_NOKEY = 45                        # Service key not available
    KRB_AP_ERR_MUT_FAIL = 46                     # Mutual authentication failed
    KRB_AP_ERR_BADDIRECTION = 47                 # Incorrect message direction
    KRB_AP_ERR_METHOD = 48                       # Alternative authentication method required
    KRB_AP_ERR_BADSEQ = 49                       # Incorrect sequence number in message
    KRB_AP_ERR_INAPP_CKSUM = 50                  # Inappropriate type of checksum in message
    KRB_AP_PATH_NOT_ACCEPTED = 51                # Policy rejects transited path
    KRB_ERR_RESPONSE_TOO_BIG = 52                # Response too big for UDP; retry with TCP
    KRB_ERR_GENERIC = 60                         # Generic error (description in e-text)
    KRB_ERR_FIELD_TOOLONG = 61                   # Field is too long for this implementation
    KDC_ERROR_CLIENT_NOT_TRUSTED = 62            # Reserved for PKINIT
    KDC_ERROR_KDC_NOT_TRUSTED = 63               # Reserved for PKINIT
    KDC_ERROR_INVALID_SIG = 64                   # Reserved for PKINIT
    KDC_ERR_KEY_TOO_WEAK = 65                    # Reserved for PKINIT
    KDC_ERR_CERTIFICATE_MISMATCH = 66            # Reserved for PKINIT
    KRB_AP_ERR_NO_TGT = 67                       # No TGT available to validate USER-TO-USER
    KDC_ERR_WRONG_REALM = 68                     # Reserved for future use
    KRB_AP_ERR_USER_TO_USER_REQUIRED = 69        # Ticket must be for USER-TO-USER
    KDC_ERR_CANT_VERIFY_CERTIFICATE = 70         # Reserved for PKINIT
    KDC_ERR_INVALID_CERTIFICATE = 71             # Reserved for PKINIT
    KDC_ERR_REVOKED_CERTIFICATE = 72             # Reserved for PKINIT
    KDC_ERR_REVOCATION_STATUS_UNKNOWN = 73       # Reserved for PKINIT
    KDC_ERR_REVOCATION_STATUS_UNAVAILABLE = 74   # Reserved for PKINIT
    KDC_ERR_CLIENT_NAME_MISMATCH = 75            # Reserved for PKINIT
    KDC_ERR_KDC_NAME_MISMATCH = 76               # Reserved for PKINIT
# (code, symbolic name, human-readable text) for every KRB-ERROR code this
# module knows.  The codes are the same numbers as the ErrorCodes enum above;
# 30, 43 and 53-59 are intentionally absent, as in the RFC table.
_ERROR_TABLE = (
    (0, 'KDC_ERR_NONE', 'No error'),
    (1, 'KDC_ERR_NAME_EXP', 'Client\'s entry in database has expired'),
    (2, 'KDC_ERR_SERVICE_EXP', 'Server\'s entry in database has expired'),
    (3, 'KDC_ERR_BAD_PVNO', 'Requested protocol version number not supported'),
    (4, 'KDC_ERR_C_OLD_MAST_KVNO', 'Client\'s key encrypted in old master key'),
    (5, 'KDC_ERR_S_OLD_MAST_KVNO', 'Server\'s key encrypted in old master key'),
    (6, 'KDC_ERR_C_PRINCIPAL_UNKNOWN', 'Client not found in Kerberos database'),
    (7, 'KDC_ERR_S_PRINCIPAL_UNKNOWN', 'Server not found in Kerberos database'),
    (8, 'KDC_ERR_PRINCIPAL_NOT_UNIQUE', 'Multiple principal entries in database'),
    (9, 'KDC_ERR_NULL_KEY', 'The client or server has a null key'),
    (10, 'KDC_ERR_CANNOT_POSTDATE', 'Ticket not eligible for postdating'),
    (11, 'KDC_ERR_NEVER_VALID', 'Requested starttime is later than end time'),
    (12, 'KDC_ERR_POLICY', 'KDC policy rejects request'),
    (13, 'KDC_ERR_BADOPTION', 'KDC cannot accommodate requested option'),
    (14, 'KDC_ERR_ETYPE_NOSUPP', 'KDC has no support for encryption type'),
    (15, 'KDC_ERR_SUMTYPE_NOSUPP', 'KDC has no support for checksum type'),
    (16, 'KDC_ERR_PADATA_TYPE_NOSUPP', 'KDC has no support for padata type'),
    (17, 'KDC_ERR_TRTYPE_NOSUPP', 'KDC has no support for transited type'),
    (18, 'KDC_ERR_CLIENT_REVOKED', 'Clients credentials have been revoked'),
    (19, 'KDC_ERR_SERVICE_REVOKED', 'Credentials for server have been revoked'),
    (20, 'KDC_ERR_TGT_REVOKED', 'TGT has been revoked'),
    (21, 'KDC_ERR_CLIENT_NOTYET', 'Client not yet valid; try again later'),
    (22, 'KDC_ERR_SERVICE_NOTYET', 'Server not yet valid; try again later'),
    (23, 'KDC_ERR_KEY_EXPIRED', 'Password has expired; change password to reset'),
    (24, 'KDC_ERR_PREAUTH_FAILED', 'Pre-authentication information was invalid'),
    (25, 'KDC_ERR_PREAUTH_REQUIRED', 'Additional pre-authentication required'),
    (26, 'KDC_ERR_SERVER_NOMATCH', 'Requested server and ticket don\'t match'),
    (27, 'KDC_ERR_MUST_USE_USER2USER', 'Server principal valid for user2user only'),
    (28, 'KDC_ERR_PATH_NOT_ACCEPTED', 'KDC Policy rejects transited path'),
    (29, 'KDC_ERR_SVC_UNAVAILABLE', 'A service is not available'),
    (31, 'KRB_AP_ERR_BAD_INTEGRITY', 'Integrity check on decrypted field failed'),
    (32, 'KRB_AP_ERR_TKT_EXPIRED', 'Ticket expired'),
    (33, 'KRB_AP_ERR_TKT_NYV', 'Ticket not yet valid'),
    (34, 'KRB_AP_ERR_REPEAT', 'Request is a replay'),
    (35, 'KRB_AP_ERR_NOT_US', 'The ticket isn\'t for us'),
    (36, 'KRB_AP_ERR_BADMATCH', 'Ticket and authenticator don\'t match'),
    (37, 'KRB_AP_ERR_SKEW', 'Clock skew too great'),
    (38, 'KRB_AP_ERR_BADADDR', 'Incorrect net address'),
    (39, 'KRB_AP_ERR_BADVERSION', 'Protocol version mismatch'),
    (40, 'KRB_AP_ERR_MSG_TYPE', 'Invalid msg type'),
    (41, 'KRB_AP_ERR_MODIFIED', 'Message stream modified'),
    (42, 'KRB_AP_ERR_BADORDER', 'Message out of order'),
    (44, 'KRB_AP_ERR_BADKEYVER', 'Specified version of key is not available'),
    (45, 'KRB_AP_ERR_NOKEY', 'Service key not available'),
    (46, 'KRB_AP_ERR_MUT_FAIL', 'Mutual authentication failed'),
    (47, 'KRB_AP_ERR_BADDIRECTION', 'Incorrect message direction'),
    (48, 'KRB_AP_ERR_METHOD', 'Alternative authentication method required'),
    (49, 'KRB_AP_ERR_BADSEQ', 'Incorrect sequence number in message'),
    (50, 'KRB_AP_ERR_INAPP_CKSUM', 'Inappropriate type of checksum in message'),
    (51, 'KRB_AP_PATH_NOT_ACCEPTED', 'Policy rejects transited path'),
    (52, 'KRB_ERR_RESPONSE_TOO_BIG', 'Response too big for UDP; retry with TCP'),
    (60, 'KRB_ERR_GENERIC', 'Generic error (description in e-text)'),
    (61, 'KRB_ERR_FIELD_TOOLONG', 'Field is too long for this implementation'),
    (62, 'KDC_ERROR_CLIENT_NOT_TRUSTED', 'Reserved for PKINIT'),
    (63, 'KDC_ERROR_KDC_NOT_TRUSTED', 'Reserved for PKINIT'),
    (64, 'KDC_ERROR_INVALID_SIG', 'Reserved for PKINIT'),
    (65, 'KDC_ERR_KEY_TOO_WEAK', 'Reserved for PKINIT'),
    (66, 'KDC_ERR_CERTIFICATE_MISMATCH', 'Reserved for PKINIT'),
    (67, 'KRB_AP_ERR_NO_TGT', 'No TGT available to validate USER-TO-USER'),
    (68, 'KDC_ERR_WRONG_REALM', 'Reserved for future use'),
    (69, 'KRB_AP_ERR_USER_TO_USER_REQUIRED', 'Ticket must be for USER-TO-USER'),
    (70, 'KDC_ERR_CANT_VERIFY_CERTIFICATE', 'Reserved for PKINIT'),
    (71, 'KDC_ERR_INVALID_CERTIFICATE', 'Reserved for PKINIT'),
    (72, 'KDC_ERR_REVOKED_CERTIFICATE', 'Reserved for PKINIT'),
    (73, 'KDC_ERR_REVOCATION_STATUS_UNKNOWN', 'Reserved for PKINIT'),
    (74, 'KDC_ERR_REVOCATION_STATUS_UNAVAILABLE', 'Reserved for PKINIT'),
    (75, 'KDC_ERR_CLIENT_NAME_MISMATCH', 'Reserved for PKINIT'),
    (76, 'KDC_ERR_KDC_NAME_MISMATCH', 'Reserved for PKINIT'),
)

# Lookup table: KRB-ERROR error-code -> (symbolic name, message text).
ERROR_MESSAGES = {code: (name, text) for code, name, text in _ERROR_TABLE}
class TicketFlags(Enum):
    """Bit positions of the TicketFlags BIT STRING in a ticket's encrypted part.

    Values are 0-based positions (0..16 here), the shape encodeFlags() in this
    module produces from them.  Position 14 is not assigned.
    NOTE(review): forwardable/forwarded/proxiable/proxy and ok_as_delegate are
    the delegation-related bits; a service consuming tickets should treat a
    set ok_as_delegate as a KDC policy statement, not as proof of anything.
    """
    reserved = 0
    forwardable = 1
    forwarded = 2
    proxiable = 3
    proxy = 4
    may_postdate = 5
    postdated = 6
    invalid = 7                    # postdated ticket not yet validated
    renewable = 8
    initial = 9                    # issued by AS exchange, not from a TGT
    pre_authent = 10
    hw_authent = 11
    transited_policy_checked = 12
    ok_as_delegate = 13
    enc_pa_rep = 15
    anonymous = 16
class KDCOptions(Enum):
    """Bit positions of the KDCOptions BIT STRING in AS-REQ / TGS-REQ.

    Values are 0-based positions in a 32-bit string (0..31); 16-25 and 29
    are not assigned here.  encodeFlags() turns a list of these into the bit
    list.  NOTE(review): disable_transited_check (26) asks the KDC to skip
    transited-realm policy checking; a KDC implementation should only honour
    it where its policy allows.
    """
    reserved = 0
    forwardable = 1
    forwarded = 2
    proxiable = 3
    proxy = 4
    allow_postdate = 5
    postdated = 6
    unused7 = 7
    renewable = 8
    unused9 = 9
    unused10 = 10
    opt_hardware_auth = 11
    unused12 = 12
    unused13 = 13
    cname_in_addl_tkt = 14        # used with enc_tkt_in_skey (user-to-user)
    canonicalize = 15
    disable_transited_check = 26
    renewable_ok = 27
    enc_tkt_in_skey = 28          # user-to-user: encrypt in the additional ticket's session key
    renew = 30
    validate = 31
class APOptions(Enum):
    """Bit positions of the APOptions BIT STRING in an AP-REQ."""
    reserved = 0
    use_session_key = 1      # ticket is encrypted in a session key (user-to-user)
    mutual_required = 2      # client asks the server to prove itself (AP-REP)
class PAPacOptions(Enum):
    """Bit positions of the PA-PAC-OPTIONS flags (padata type PA_PAC_OPTIONS, 167).

    NOTE(review): resource_based_constrained_delegation (3) is the bit a
    client sets in an S4U2Proxy TGS-REQ to ask for RBCD handling; on the
    validating side it is a request, and the KDC still decides by policy.
    """
    # [MS-KILE] 2.2.10
    claims = 0
    branch_aware = 1
    forward_to_full_dc = 2
    # [MS-SFU] 2.2.5
    resource_based_constrained_delegation = 3
class EncryptionTypes(Enum):
    """Kerberos etype numbers (RFC 3961 registry plus the PKINIT CMS/ENV OIDs).

    NOTE(review): the des_* and rc4_hmac* types are deprecated by the IETF
    (RFC 6649 for DES and the exported RC4 variants, RFC 8429 for rc4_hmac and
    3DES); keep them for interoperability with legacy realms only, and prefer
    the aes*_cts_hmac_sha1_96 types.  The negative value is Microsoft's
    pre-standard RC4 export number.
    """
    des_cbc_crc = 1
    des_cbc_md4 = 2
    des_cbc_md5 = 3
    _reserved_4 = 4
    des3_cbc_md5 = 5
    _reserved_6 = 6
    des3_cbc_sha1 = 7
    dsaWithSHA1_CmsOID = 9
    md5WithRSAEncryption_CmsOID = 10
    sha1WithRSAEncryption_CmsOID = 11
    rc2CBC_EnvOID = 12
    rsaEncryption_EnvOID = 13
    rsaES_OAEP_ENV_OID = 14
    des_ede3_cbc_Env_OID = 15
    des3_cbc_sha1_kd = 16
    aes128_cts_hmac_sha1_96 = 17
    aes256_cts_hmac_sha1_96 = 18
    rc4_hmac = 23
    rc4_hmac_exp = 24
    subkey_keymaterial = 65
    rc4_hmac_old_exp = -135
class ChecksumTypes(Enum):
    """Kerberos checksum (cksumtype) numbers used by the encryption types above.

    hmac_md5 (-138) is the RC4-HMAC checksum; rsa_md5_des and rsa_md4_des
    belong to the DES era and share its deprecation (see EncryptionTypes).
    """
    rsa_md5_des = 8
    rsa_md4_des = 4
    hmac_md5 = -138
    hmac_sha1_des3_kd = 12
    hmac_sha1_96_aes128 = 15
    hmac_sha1_96_aes256 = 16