0fb81e221e
we use to determine how to interpret the token; don't bother fetching the OID attached to the frame or conversation, as we're not using it. Indent code in the .cnf file to match the code generated by asn2eth. The mechListMIC in a NegTokenInit is sometimes a sequence containing a string; check the header of the mechListMIC and dissect it as such a sequence or as a regular item depending on whether it's a sequence or not. If we see a supportedMech in a NegTokenTarg, save next_level_value for that OID with the conversation. Dissect a responseToken in a NegTokenTarg, and a mechListMIC in a NegTokenTarg, appropriately. Get rid of "gssapi_dissector_handle()", and just use next_level_value->handle - it was never being called if next_level_value was null. When we're dissecting a KRB5 blob, just use get_ber_identifier() to get the header, so we don't report an ASN.1 error if there isn't a BER identifier there; dissect the identifier and length only if we know we have them. svn path=/trunk/; revision=15937
102 lines
3 KiB
Groff
102 lines
3 KiB
Groff
Spnego {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) snego(2)}
|
|
-- (1.3.6.1.5.5.2)
|
|
DEFINITIONS ::=
|
|
|
|
BEGIN
|
|
|
|
MechType::= OBJECT IDENTIFIER
|
|
|
|
NegotiationToken ::= CHOICE {
|
|
negTokenInit [0] NegTokenInit,
|
|
negTokenTarg [1] NegTokenTarg }
|
|
|
|
MechTypeList ::= SEQUENCE OF MechType
|
|
|
|
--
|
|
-- In some cases, the mechListMIC is a sequence of GeneralString,
|
|
-- rather than an OCTET STRING. We define that sequence here so
|
|
-- that we can call its dissector.
|
|
-- The IRC discussion at
|
|
--
|
|
-- http://irc.vernstok.nl/samba-technical.dy
|
|
--
|
|
-- seems to suggest that it's a Kerberos principal of some sort, thanks
|
|
-- to some flavor of "embrace, extend, expectorate" sequence from
|
|
-- Microsoft.
|
|
--
|
|
PrincipalSeq ::= SEQUENCE {
|
|
principal [0] GeneralString
|
|
}
|
|
|
|
NegTokenInit ::= SEQUENCE {
|
|
mechTypes [0] MechTypeList OPTIONAL,
|
|
reqFlags [1] ContextFlags OPTIONAL,
|
|
mechToken [2] OCTET STRING OPTIONAL,
|
|
mechListMIC [3] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
ContextFlags ::= BIT STRING {
|
|
delegFlag (0),
|
|
mutualFlag (1),
|
|
replayFlag (2),
|
|
sequenceFlag (3),
|
|
anonFlag (4),
|
|
confFlag (5),
|
|
integFlag (6)
|
|
}
|
|
|
|
NegTokenTarg ::= SEQUENCE {
|
|
negResult [0] ENUMERATED {
|
|
accept-completed (0),
|
|
accept-incomplete (1),
|
|
reject (2) } OPTIONAL,
|
|
supportedMech [1] MechType OPTIONAL,
|
|
responseToken [2] OCTET STRING OPTIONAL,
|
|
mechListMIC [3] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
--GSS-API DEFINITIONS ::=
|
|
--BEGIN
|
|
--MechType ::= OBJECT IDENTIFIER
|
|
-- data structure definitions
|
|
-- callers must be able to distinguish among
|
|
-- InitialContextToken, SubsequentContextToken,
|
|
-- PerMsgToken, and SealedMessage data elements
|
|
-- based on the usage in which they occur
|
|
InitialContextToken ::=
|
|
-- option indication (delegation, etc.) indicated within
|
|
-- mechanism-specific token
|
|
[APPLICATION 0] IMPLICIT SEQUENCE {
|
|
thisMech MechType,
|
|
innerContextToken InnerContextToken
|
|
-- DEFINED BY thisMech
|
|
-- contents mechanism-specific
|
|
-- ASN.1 structure not required
|
|
}
|
|
|
|
-- SubsequentContextToken ::= InnerContextToken
|
|
|
|
InnerContextToken ::= ANY
|
|
-- interpretation based on predecessor InitialContextToken
|
|
-- ASN.1 structure not required
|
|
|
|
-- PerMsgToken ::=
|
|
-- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC
|
|
-- ASN.1 structure not required
|
|
-- InnerMsgToken
|
|
|
|
-- InnerMsgToken ::= ANY
|
|
|
|
-- SealedMessage ::=
|
|
-- as emitted by GSS_Wrap and processed by GSS_Unwrap
|
|
-- includes internal, mechanism-defined indicator
|
|
-- of whether or not encrypted
|
|
-- ASN.1 structure not required
|
|
-- SealedUserData
|
|
|
|
-- SealedUserData ::= ANY
|
|
|
|
-- END GSS-API DEFINITIONS
|
|
|
|
END
|