diff options
author | Cy Schubert <cy@FreeBSD.org> | 2017-07-07 17:03:42 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2017-07-07 17:03:42 +0000 |
commit | 33a9b234e7087f573ef08cd7318c6497ba08b439 (patch) | |
tree | d0ea40ad3bf5463a3c55795977c71bcb7d781b4b /doc/html/formats/cookie.html | |
download | src-test2-33a9b234e7087f573ef08cd7318c6497ba08b439.tar.gz src-test2-33a9b234e7087f573ef08cd7318c6497ba08b439.zip |
Import MIT KRB5 1.15.1, which will gracefully replace KTH Heimdal.vendor/krb5/1.15.1
The tarball used in this import is the same tarball used in
ports/krb5-115 r435378.
Obtained from: http://web.mit.edu/kerberos/dist/
Thanks to: pfg (for all your tireless behind-the-scenes effort)
Notes
Notes:
svn path=/vendor-crypto/krb5/dist/; revision=320790
svn path=/vendor-crypto/krb5/1.15.1/; revision=320791; tag=vendor/krb5/1.15.1
Diffstat (limited to 'doc/html/formats/cookie.html')
-rw-r--r-- | doc/html/formats/cookie.html | 197 |
1 files changed, 197 insertions, 0 deletions
diff --git a/doc/html/formats/cookie.html b/doc/html/formats/cookie.html new file mode 100644 index 000000000000..f02cad59eb90 --- /dev/null +++ b/doc/html/formats/cookie.html @@ -0,0 +1,197 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + + <title>KDC cookie format — MIT Kerberos Documentation</title> + + <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> + + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../', + VERSION: '1.15.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true + }; + </script> + <script type="text/javascript" src="../_static/jquery.js"></script> + <script type="text/javascript" src="../_static/underscore.js"></script> + <script type="text/javascript" src="../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../about.html" /> + <link rel="copyright" title="Copyright" href="../copyright.html" /> + <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> + <link rel="up" title="Protocols and file formats" href="index.html" /> + <link rel="next" title="MIT Kerberos features" href="../mitK5features.html" /> + <link rel="prev" title="Keytab file format" href="keytab_file_format.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="keytab_file_format.html" title="Keytab file format" + accesskey="P">previous</a> | + <a href="../mitK5features.html" title="MIT Kerberos features" + accesskey="N">next</a> | + <a href="../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__KDC cookie format">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body"> + + <div class="section" id="kdc-cookie-format"> +<h1>KDC cookie format<a class="headerlink" href="#kdc-cookie-format" title="Permalink to this headline">¶</a></h1> +<p><span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a> section 5.2 specifies a pa-data type PA-FX-COOKIE, which +clients are required to reflect back to the KDC during +pre-authentication. The MIT krb5 KDC uses the following formats for +cookies.</p> +<div class="section" id="trivial-cookie-version-0"> +<h2>Trivial cookie (version 0)<a class="headerlink" href="#trivial-cookie-version-0" title="Permalink to this headline">¶</a></h2> +<p>If there is no pre-authentication mechanism state information to save, +a trivial cookie containing the value “MIT” is used. A trivial cookie +is needed to indicate that the conversation can continue.</p> +</div> +<div class="section" id="secure-cookie-version-1"> +<h2>Secure cookie (version 1)<a class="headerlink" href="#secure-cookie-version-1" title="Permalink to this headline">¶</a></h2> +<p>In release 1.14 and later, a secure cookie can be sent if there is any +mechanism state to save for the next request. A secure cookie +contains the concatenation of the following:</p> +<ul class="simple"> +<li>the four bytes “MIT1”</li> +<li>a four-byte big-endian kvno value</li> +<li>an <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc3961.html"><strong>RFC 3961</strong></a> ciphertext</li> +</ul> +<p>The ciphertext is encrypted in the cookie key with key usage +number 513. The cookie key is derived from a key in the local krbtgt +principal entry for the realm (e.g. <tt class="docutils literal"><span class="pre">krbtgt/KRBTEST.COM@KRBTEST.COM</span></tt> +if the request is to the <tt class="docutils literal"><span class="pre">KRBTEST.COM</span></tt> realm). The first krbtgt key +for the indicated kvno value is combined with the client principal as +follows:</p> +<div class="highlight-python"><div class="highlight"><pre><span class="n">cookie</span><span class="o">-</span><span class="n">key</span> <span class="o"><-</span> <span class="n">random</span><span class="o">-</span><span class="n">to</span><span class="o">-</span><span class="n">key</span><span class="p">(</span><span class="n">PRF</span><span class="o">+</span><span class="p">(</span><span class="n">tgt</span><span class="o">-</span><span class="n">key</span><span class="p">,</span> <span class="s">"COOKIE"</span> <span class="o">|</span> <span class="n">client</span><span class="o">-</span><span class="n">princ</span><span class="p">))</span> +</pre></div> +</div> +<p>where <strong>random-to-key</strong> is the <span class="target" id="index-2"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc3961.html"><strong>RFC 3961</strong></a> random-to-key operation for +the krbtgt key’s encryption type, <strong>PRF+</strong> is defined in <span class="target" id="index-3"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc6113.html"><strong>RFC 6113</strong></a>, +and <tt class="docutils literal"><span class="pre">|</span></tt> denotes concatenation. <em>client-princ</em> is the request client +principal name with realm, marshalled according to <span class="target" id="index-4"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc1964.html"><strong>RFC 1964</strong></a> section +2.1.1.</p> +<p>The plain text of the encrypted part of a cookie is the DER encoding +of the following ASN.1 type:</p> +<div class="highlight-python"><div class="highlight"><pre>SecureCookie ::= SEQUENCE { + time INTEGER, + data SEQUENCE OF PA-DATA, + ... +} +</pre></div> +</div> +<p>The time field represents the cookie creation time; for brevity, it is +encoded as an integer giving the POSIX timestamp rather than as an +ASN.1 GeneralizedTime value. The data field contains one element for +each pre-authentication type which requires saved state. For +mechanisms which have separate request and reply types, the request +type is used; this allows the KDC to determine whether a cookie is +relevant to a request by comparing the request pa-data types to the +cookie data types.</p> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">KDC cookie format</a><ul> +<li><a class="reference internal" href="#trivial-cookie-version-0">Trivial cookie (version 0)</a></li> +<li><a class="reference internal" href="#secure-cookie-version-1">Secure cookie (version 1)</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> +<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> +<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1 current"><a class="reference internal" href="index.html">Protocols and file formats</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li> +<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li> +<li class="toctree-l2 current"><a class="current reference internal" href="">KDC cookie format</a><ul class="simple"> +</ul> +</li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.15.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + </div> + <div class="left"> + + <a href="../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="keytab_file_format.html" title="Keytab file format" + >previous</a> | + <a href="../mitK5features.html" title="MIT Kerberos features" + >next</a> | + <a href="../genindex.html" title="General Index" + >index</a> | + <a href="../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__KDC cookie format">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file |