Diffstat (limited to 'crypto/krb5/doc/html/formats')
-rw-r--r-- | crypto/krb5/doc/html/formats/ccache_file_format.html | 294
-rw-r--r-- | crypto/krb5/doc/html/formats/cookie.html | 229
-rw-r--r-- | crypto/krb5/doc/html/formats/database_formats.html | 587
-rw-r--r-- | crypto/krb5/doc/html/formats/freshness_token.html | 148
-rw-r--r-- | crypto/krb5/doc/html/formats/index.html | 142
-rw-r--r-- | crypto/krb5/doc/html/formats/keytab_file_format.html | 178
-rw-r--r-- | crypto/krb5/doc/html/formats/rcache_file_format.html | 172
7 files changed, 0 insertions, 1750 deletions
diff --git a/crypto/krb5/doc/html/formats/ccache_file_format.html b/crypto/krb5/doc/html/formats/ccache_file_format.html deleted file mode 100644 index 2ef78d2d26f0..000000000000 --- a/crypto/krb5/doc/html/formats/ccache_file_format.html +++ /dev/null 
@@ -1,294 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>Credential cache file format — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="Keytab file format" href="keytab_file_format.html" /> - <link rel="prev" title="Protocols and file formats" href="index.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="index.html" title="Protocols and file formats" - accesskey="P">previous</a> | - <a href="keytab_file_format.html" title="Keytab file format" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Credential cache file format">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div class="content"> - 
<div class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="credential-cache-file-format"> -<span id="ccache-file-format"></span><h1>Credential cache file format<a class="headerlink" href="#credential-cache-file-format" title="Link to this heading">¶</a></h1> -<p>There are four versions of the file format used by the FILE credential -cache type. The first byte of the file always has the value 5, and -the value of the second byte contains the version number (1 through -4). Versions 1 and 2 of the file format use native byte order for integer -representations. Versions 3 and 4 always use big-endian byte order.</p> -<p>After the two-byte version indicator, the file has three parts: the -header (in version 4 only), the default principal name, and a sequence -of credentials.</p> -<section id="header-format"> -<h2>Header format<a class="headerlink" href="#header-format" title="Link to this heading">¶</a></h2> -<p>The header appears only in format version 4. It begins with a 16-bit -integer giving the length of the entire header, followed by a sequence -of fields. Each field consists of a 16-bit tag, a 16-bit length, and -a value of the given length. A file format implementation should -ignore fields with unknown tags.</p> -<p>At this time there is only one defined header field. Its tag value is -1, its length is always 8, and its contents are two 32-bit integers -giving the seconds and microseconds of the time offset of the KDC -relative to the client. 
Adding this offset to the current time on the -client should give the current time on the KDC, if that offset has not -changed since the initial authentication.</p> -</section> -<section id="principal-format"> -<span id="cache-principal-format"></span><h2>Principal format<a class="headerlink" href="#principal-format" title="Link to this heading">¶</a></h2> -<p>The default principal is marshalled using the following informal -grammar:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">principal</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">name</span> <span class="nb">type</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> <span class="p">[</span><span class="n">omitted</span> <span class="ow">in</span> <span class="n">version</span> <span class="mi">1</span><span class="p">]</span> - <span class="n">count</span> <span class="n">of</span> <span class="n">components</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> <span class="p">[</span><span class="n">includes</span> <span class="n">realm</span> <span class="ow">in</span> <span class="n">version</span> <span class="mi">1</span><span class="p">]</span> - <span class="n">realm</span> <span class="p">(</span><span class="n">data</span><span class="p">)</span> - <span class="n">component1</span> <span class="p">(</span><span class="n">data</span><span class="p">)</span> - <span class="n">component2</span> <span class="p">(</span><span class="n">data</span><span class="p">)</span> - <span class="o">...</span> - -<span class="n">data</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">length</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">value</span> <span class="p">(</span><span class="n">length</span> <span 
class="nb">bytes</span><span class="p">)</span> -</pre></div> -</div> -<p>There is no external framing on the default principal, so it must be -parsed according to the above grammar in order to find the sequence of -credentials which follows.</p> -</section> -<section id="credential-format"> -<span id="ccache-credential-format"></span><h2>Credential format<a class="headerlink" href="#credential-format" title="Link to this heading">¶</a></h2> -<p>The credential format uses the following informal grammar (referencing -the <code class="docutils literal notranslate"><span class="pre">principal</span></code> and <code class="docutils literal notranslate"><span class="pre">data</span></code> types from the previous section):</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">credential</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">client</span> <span class="p">(</span><span class="n">principal</span><span class="p">)</span> - <span class="n">server</span> <span class="p">(</span><span class="n">principal</span><span class="p">)</span> - <span class="n">keyblock</span> <span class="p">(</span><span class="n">keyblock</span><span class="p">)</span> - <span class="n">authtime</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">starttime</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">endtime</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">renew_till</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">is_skey</span> <span class="p">(</span><span class="mi">1</span> <span class="n">byte</span><span class="p">,</span> <span class="mi">0</span> <span class="ow">or</span> <span 
class="mi">1</span><span class="p">)</span> - <span class="n">ticket_flags</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">addresses</span> <span class="p">(</span><span class="n">addresses</span><span class="p">)</span> - <span class="n">authdata</span> <span class="p">(</span><span class="n">authdata</span><span class="p">)</span> - <span class="n">ticket</span> <span class="p">(</span><span class="n">data</span><span class="p">)</span> - <span class="n">second_ticket</span> <span class="p">(</span><span class="n">data</span><span class="p">)</span> - -<span class="n">keyblock</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">enctype</span> <span class="p">(</span><span class="mi">16</span> <span class="n">bits</span><span class="p">)</span> <span class="p">[</span><span class="n">repeated</span> <span class="n">twice</span> <span class="ow">in</span> <span class="n">version</span> <span class="mi">3</span><span class="p">]</span> - <span class="n">data</span> - -<span class="n">addresses</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">count</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">address1</span> - <span class="n">address2</span> - <span class="o">...</span> - -<span class="n">address</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">addrtype</span> <span class="p">(</span><span class="mi">16</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">data</span> - -<span class="n">authdata</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">count</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">authdata1</span> - <span class="n">authdata2</span> - <span class="o">...</span> - -<span 
class="n">authdata</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">ad_type</span> <span class="p">(</span><span class="mi">16</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">data</span> -</pre></div> -</div> -<p>There is no external framing on a marshalled credential, so it must be -parsed according to the above grammar in order to find the next -credential. There is also no count of credentials or marker at the -end of the sequence of credentials; the sequence ends when the file -ends.</p> -</section> -<section id="credential-cache-configuration-entries"> -<h2>Credential cache configuration entries<a class="headerlink" href="#credential-cache-configuration-entries" title="Link to this heading">¶</a></h2> -<p>Configuration entries are encoded as credential entries. The client -principal of the entry is the default principal of the cache. The -server principal has the realm <code class="docutils literal notranslate"><span class="pre">X-CACHECONF:</span></code> and two or three -components, the first of which is <code class="docutils literal notranslate"><span class="pre">krb5_ccache_conf_data</span></code>. The -server principal’s second component is the configuration key. The -third component, if it exists, is a principal to which the -configuration key is associated. The configuration value is stored in -the ticket field of the entry. All other entry fields are zeroed.</p> -<p>Programs using credential caches must be aware of configuration -entries for several reasons:</p> -<ul class="simple"> -<li><p>A program which displays the contents of a cache should not -generally display configuration entries.</p></li> -<li><p>The ticket field of a configuration entry is not (usually) a valid -encoding of a Kerberos ticket. 
An implementation must not treat the -cache file as malformed if it cannot decode the ticket field.</p></li> -<li><p>Configuration entries have an endtime field of 0 and might therefore -always be considered expired, but they should not be treated as -unimportant as a result. For instance, a program which copies -credentials from one cache to another should not omit configuration -entries because of the endtime.</p></li> -</ul> -<p>The following configuration keys are currently used in MIT krb5:</p> -<dl class="simple"> -<dt>fast_avail</dt><dd><p>The presence of this key with a non-empty value indicates that the -KDC asserted support for FAST (see <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6113.html"><strong>RFC 6113</strong></a>) during the initial -authentication, using the negotiation method described in -<span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6806.html"><strong>RFC 6806</strong></a> section 11. This key is not associated with any -principal.</p> -</dd> -<dt>pa_config_data</dt><dd><p>The value of this key contains a JSON object representation of -parameters remembered by the preauthentication mechanism used -during the initial authentication. These parameters may be used -when refreshing credentials. This key is associated with the -server principal of the initial authentication (usually the local -krbtgt principal of the client realm).</p> -</dd> -<dt>pa_type</dt><dd><p>The value of this key is the ASCII decimal representation of the -preauth type number used during the initial authentication. This -key is associated with the server principal of the initial -authentication.</p> -</dd> -<dt>proxy_impersonator</dt><dd><p>The presence of this key indicates that the cache is a synthetic -delegated credential for use with S4U2Proxy. 
The value is the -name of the intermediate service whose TGT can be used to make -S4U2Proxy requests for target services. This key is not -associated with any principal.</p> -</dd> -<dt>refresh_time</dt><dd><p>The presence of this key indicates that the cache was acquired by -the GSS mechanism using a client keytab. The value is the ASCII -decimal representation of a timestamp at which the GSS mechanism -should attempt to refresh the credential cache from the client -keytab.</p> -</dd> -<dt>start_realm</dt><dd><p>This key indicates the realm of the ticket-granting ticket to be -used for TGS requests, when making a referrals request or -beginning a cross-realm request. If it is not present, the client -realm is used.</p> -</dd> -</dl> -</section> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">Credential cache file format</a><ul> -<li><a class="reference internal" href="#header-format">Header format</a></li> -<li><a class="reference internal" href="#principal-format">Principal format</a></li> -<li><a class="reference internal" href="#credential-format">Credential format</a></li> -<li><a class="reference internal" href="#credential-cache-configuration-entries">Credential cache configuration entries</a></li> -</ul> -</li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos 
V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="index.html">Protocols and file formats</a><ul class="current"> -<li class="toctree-l2 current"><a class="current reference internal" href="#">Credential cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li> -<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li> -<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a 
href="../copyright.html">Copyright</a> 1985-2025, MIT. - </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="index.html" title="Protocols and file formats" - >previous</a> | - <a href="keytab_file_format.html" title="Keytab file format" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Credential cache file format">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file diff --git a/crypto/krb5/doc/html/formats/cookie.html b/crypto/krb5/doc/html/formats/cookie.html deleted file mode 100644 index e5f148c4758c..000000000000 --- a/crypto/krb5/doc/html/formats/cookie.html +++ /dev/null 
@@ -1,229 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>KDC cookie format — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="PKINIT freshness tokens" href="freshness_token.html" /> - <link rel="prev" title="Replay cache file format" href="rcache_file_format.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="rcache_file_format.html" title="Replay cache file format" - accesskey="P">previous</a> | - <a href="freshness_token.html" title="PKINIT freshness tokens" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__KDC cookie format">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div class="content"> - 
<div class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="kdc-cookie-format"> -<h1>KDC cookie format<a class="headerlink" href="#kdc-cookie-format" title="Link to this heading">¶</a></h1> -<p><span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6113.html"><strong>RFC 6113</strong></a> section 5.2 specifies a pa-data type PA-FX-COOKIE, which -clients are required to reflect back to the KDC during -pre-authentication. The MIT krb5 KDC uses the following formats for -cookies.</p> -<section id="trivial-cookie-version-0"> -<h2>Trivial cookie (version 0)<a class="headerlink" href="#trivial-cookie-version-0" title="Link to this heading">¶</a></h2> -<p>If there is no pre-authentication mechanism state information to save, -a trivial cookie containing the value “MIT” is used. A trivial cookie -is needed to indicate that the conversation can continue.</p> -</section> -<section id="secure-cookie-version-1"> -<h2>Secure cookie (version 1)<a class="headerlink" href="#secure-cookie-version-1" title="Link to this heading">¶</a></h2> -<p>In release 1.14 and later, a secure cookie can be sent if there is any -mechanism state to save for the next request. A secure cookie -contains the concatenation of the following:</p> -<ul class="simple"> -<li><p>the four bytes “MIT1”</p></li> -<li><p>a four-byte big-endian kvno value</p></li> -<li><p>an <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc3961.html"><strong>RFC 3961</strong></a> ciphertext</p></li> -</ul> -<p>The ciphertext is encrypted in the cookie key with key usage -number 513. The cookie key is derived from a key in the local krbtgt -principal entry for the realm (e.g. 
<code class="docutils literal notranslate"><span class="pre">krbtgt/KRBTEST.COM@KRBTEST.COM</span></code> -if the request is to the <code class="docutils literal notranslate"><span class="pre">KRBTEST.COM</span></code> realm). The first krbtgt key -for the indicated kvno value is combined with the client principal as -follows:</p> -<div class="highlight-abnf notranslate"><div class="highlight"><pre><span></span><span class="nc">cookie-key</span><span class="w"> </span><-<span class="w"> </span><span class="nc">random-to-key</span><span class="p">(</span><span class="nc">PRF</span>+<span class="p">(</span><span class="nc">tgt-key</span>,<span class="w"> </span><span class="l">"COOKIE"</span><span class="w"> </span>|<span class="w"> </span><span class="nc">client-princ</span><span class="p">))</span> -</pre></div> -</div> -<p>where <strong>random-to-key</strong> is the <span class="target" id="index-2"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc3961.html"><strong>RFC 3961</strong></a> random-to-key operation for -the krbtgt key’s encryption type, <strong>PRF+</strong> is defined in <span class="target" id="index-3"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6113.html"><strong>RFC 6113</strong></a>, -and <code class="docutils literal notranslate"><span class="pre">|</span></code> denotes concatenation. <em>client-princ</em> is the request client -principal name with realm, marshalled according to <span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc1964.html"><strong>RFC 1964</strong></a> section -2.1.1.</p> -<p>The plain text of the encrypted part of a cookie is the DER encoding -of the following ASN.1 type:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>SecureCookie <span class="o">::=</span> SEQUENCE { - time INTEGER, - data SEQUENCE OF PA-DATA, - ... 
-} -</pre></div> -</div> -<p>The time field represents the cookie creation time; for brevity, it is -encoded as an integer giving the POSIX timestamp rather than as an -ASN.1 GeneralizedTime value. The data field contains one element for -each pre-authentication type which requires saved state. For -mechanisms which have separate request and reply types, the request -type is used; this allows the KDC to determine whether a cookie is -relevant to a request by comparing the request pa-data types to the -cookie data types.</p> -</section> -<section id="spake-cookie-format-version-1"> -<h2>SPAKE cookie format (version 1)<a class="headerlink" href="#spake-cookie-format-version-1" title="Link to this heading">¶</a></h2> -<p>Inside the SecureCookie wrapper, a data value of type 151 contains -state for SPAKE pre-authentication. This data has the following -binary format with big-endian integer encoding:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>cookie <span class="o">::=</span> - version (16 bits) [with the value 1] - stage number (16 bits) - group number (32 bits) - SPAKE value length (32 bits) - SPAKE value - transcript hash length (32 bits) - transcript hash - second factor record 1 (factor-record) - second factor record 2 (factor-record) - ... - -factor-record <span class="o">::=</span> - second factor type (32 bits) - second factor data length (32 bits) - second factor data -</pre></div> -</div> -<p>The stage value is 0 if the cookie was sent with a challenge message. -Otherwise it is 1 for the first encdata message sent by the KDC during -an exchange, 2 for the second, etc..</p> -<p>The group value indicates the group number used in the SPAKE challenge.</p> -<p>For a stage-0 cookie, the SPAKE value is the KDC private key, -represented in the scalar marshalling form of the group. 
For other -cookies, the SPAKE value is the SPAKE result K, represented in the -group element marshalling form.</p> -<p>For a stage-0 cookie, the transcript hash is the intermediate hash -after updating with the client support message (if one was sent) and -challenge. For other cookies it is the final hash.</p> -<p>For a stage-0 cookie, there may be any number of second-factor -records, including none; a second-factor type need not create a state -field if it does not need one, and no record is created for SF-NONE. -For other cookies, there must be exactly one second-factor record -corresponding to the factor type chosen by the client.</p> -</section> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">KDC cookie format</a><ul> -<li><a class="reference internal" href="#trivial-cookie-version-0">Trivial cookie (version 0)</a></li> -<li><a class="reference internal" href="#secure-cookie-version-1">Secure cookie (version 1)</a></li> -<li><a class="reference internal" href="#spake-cookie-format-version-1">SPAKE cookie format (version 1)</a></li> -</ul> -</li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1 current"><a class="reference 
internal" href="index.html">Protocols and file formats</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="#">KDC cookie format</a></li> -<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li> -<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2025, MIT. 
- </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="rcache_file_format.html" title="Replay cache file format" - >previous</a> | - <a href="freshness_token.html" title="PKINIT freshness tokens" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__KDC cookie format">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file diff --git a/crypto/krb5/doc/html/formats/database_formats.html b/crypto/krb5/doc/html/formats/database_formats.html deleted file mode 100644 index 782a004b1370..000000000000 --- a/crypto/krb5/doc/html/formats/database_formats.html +++ /dev/null 
@@ -1,587 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>Kerberos Database (KDB) Formats — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="MIT Kerberos features" href="../mitK5features.html" /> - <link rel="prev" title="PKINIT freshness tokens" href="freshness_token.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="freshness_token.html" title="PKINIT freshness tokens" - accesskey="P">previous</a> | - <a href="../mitK5features.html" title="MIT Kerberos features" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Kerberos Database (KDB) Formats">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div 
class="content"> - <div class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="kerberos-database-kdb-formats"> -<h1>Kerberos Database (KDB) Formats<a class="headerlink" href="#kerberos-database-kdb-formats" title="Link to this heading">¶</a></h1> -<section id="dump-format"> -<h2>Dump format<a class="headerlink" href="#dump-format" title="Link to this heading">¶</a></h2> -<p>Files created with the <a class="reference internal" href="../admin/admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command begin with -a versioned header “kdb5_util load_dump version 7”. This version has -been in use since MIT krb5 release 1.11; some previous versions are -supported but are not described here.</p> -<p>Each subsequent line of the dump file contains one or more -tab-separated fields describing either a principal entry or a policy -entry. The fields of a principal entry line are:</p> -<ul class="simple"> -<li><p>the word “princ”</p></li> -<li><p>the string “38” (this was originally a length field)</p></li> -<li><p>the length of the principal name in string form</p></li> -<li><p>the decimal number of tag-length data elements</p></li> -<li><p>the decimal number of key-data elements</p></li> -<li><p>the string “0” (this was originally an extension length field)</p></li> -<li><p>the principal name in string form</p></li> -<li><p>the principal attributes as a decimal number; when converted to -binary, the bits from least significant to most significant are:</p> -<ul> -<li><p>disallow_postdated</p></li> -<li><p>disallow_forwardable</p></li> -<li><p>disallow_tgt_based</p></li> -<li><p>disallow_renewable</p></li> -<li><p>disallow_proxiable</p></li> -<li><p>disallow_dup_skey</p></li> -<li><p>disallow_all_tix</p></li> -<li><p>requires_preauth</p></li> -<li><p>requires_hwauth</p></li> -<li><p>requires_pwchange</p></li> -<li><p>disallow_svr</p></li> 
-<li><p>pwchange_service</p></li> -<li><p>support_desmd5</p></li> -<li><p>new_princ</p></li> -<li><p>ok_as_delegate</p></li> -<li><p>ok_to_auth_as_delegate</p></li> -<li><p>no_auth_data_required</p></li> -<li><p>lockdown_keys</p></li> -</ul> -</li> -<li><p>the maximum ticket lifetime, as a decimal number of seconds</p></li> -<li><p>the maximum renewable ticket lifetime, as a decimal number of seconds</p></li> -<li><p>the principal expiration time, as a decimal POSIX timestamp</p></li> -<li><p>the password expiration time, as a decimal POSIX timestamp</p></li> -<li><p>the last successful authentication time, as a decimal POSIX -timestamp</p></li> -<li><p>the last failed authentication time, as a decimal POSIX timestamp</p></li> -<li><p>the decimal number of failed authentications since the last -successful authentication time</p></li> -<li><p>for each tag-length data value:</p> -<ul> -<li><p>the tag value in decimal</p></li> -<li><p>the length in decimal</p></li> -<li><p>the data as a lowercase hexadecimal byte string, or “-1” if the length is 0</p></li> -</ul> -</li> -<li><p>for each key-data element:</p> -<ul> -<li><p>the string “2” if this element has non-normal salt type, “1” -otherwise</p></li> -<li><p>the key version number of this element</p></li> -<li><p>the encryption type</p></li> -<li><p>the length of the encrypted key value</p></li> -<li><p>the encrypted key as a lowercase hexadecimal byte string</p></li> -<li><p>if this element has non-normal salt type:</p> -<ul> -<li><p>the salt type</p></li> -<li><p>the length of the salt data</p></li> -<li><p>the salt data as a lowercase hexadecimal byte string, or the -string “-1” if the salt data length is 0</p></li> -</ul> -</li> -</ul> -</li> -<li><p>the string “-1;” (this was originally an extension field)</p></li> -</ul> -<p>The fields of a policy entry line are:</p> -<ul class="simple"> -<li><p>the string “policy”</p></li> -<li><p>the policy name</p></li> -<li><p>the minimum password lifetime as a decimal 
number of seconds</p></li> -<li><p>the maximum password lifetime as a decimal number of seconds</p></li> -<li><p>the minimum password length, in decimal</p></li> -<li><p>the minimum number of character classes, in decimal</p></li> -<li><p>the number of historical keys to be stored, in decimal</p></li> -<li><p>the policy reference count (no longer used)</p></li> -<li><p>the maximum number of failed authentications before lockout</p></li> -<li><p>the time interval after which the failed authentication count is -reset, as a decimal number of seconds</p></li> -<li><p>the lockout duration, as a decimal number of seconds</p></li> -<li><p>the required principal attributes, in decimal (currently unenforced)</p></li> -<li><p>the maximum ticket lifetime as a decimal number of seconds -(currently unenforced)</p></li> -<li><p>the maximum renewable lifetime as a decimal number of seconds -(currently unenforced)</p></li> -<li><p>the allowed key/salt types, or “-” if unrestricted</p></li> -<li><p>the number of tag-length values</p></li> -<li><p>for each tag-length data value:</p> -<ul> -<li><p>the tag value in decimal</p></li> -<li><p>the length in decimal</p></li> -<li><p>the data as a lowercase hexadecimal byte string, or “-1” if the -length is 0</p></li> -</ul> -</li> -</ul> -</section> -<section id="tag-length-data-formats"> -<h2>Tag-length data formats<a class="headerlink" href="#tag-length-data-formats" title="Link to this heading">¶</a></h2> -<p>The currently defined tag-length data types are:</p> -<ul class="simple"> -<li><p>(1) last password change: a four-byte little-endian POSIX timestamp -giving the last password change time</p></li> -<li><p>(2) last modification data: a four-byte little-endian POSIX -timestamp followed by a zero-terminated principal name in string -form, giving the time of the last principal change and the principal -who performed it</p></li> -<li><p>(3) kadmin data: the XDR encoding of a per-principal kadmin data -record (see below)</p></li> 
-<li><p>(8) master key version: a two-byte little-endian integer containing -the master key version used to encrypt this principal’s key data</p></li> -<li><ol class="arabic simple" start="9"> -<li><p>active kvno: see below</p></li> -</ol> -</li> -<li><ol class="arabic simple" start="10"> -<li><p>master key auxiliary data: see below</p></li> -</ol> -</li> -<li><p>(11) string attributes: one or more iterations of a zero-terminated -string key followed by a zero-terminated string value</p></li> -<li><p>(12) alias target principal: a zero-terminated principal name in -string form</p></li> -<li><ol class="arabic simple" start="255"> -<li><p>LDAP object information: see below</p></li> -</ol> -</li> -<li><p>(768) referral padata: a DER-encoded PA-SVR-REFERRAL-DATA to be sent -to a TGS-REQ client within encrypted padata (see Appendix A of -<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc1606.html"><strong>RFC 1606</strong></a>)</p></li> -<li><p>(1792) last admin unlock: a four-byte little-endian POSIX timestamp -giving the time of the last administrative account unlock</p></li> -<li><p>(32767) database arguments: a zero-terminated key=value string (may -appear multiple times); used by the kadmin protocol to -communicate -x arguments to kadmind</p></li> -</ul> -<section id="per-principal-kadmin-data"> -<h3>Per-principal kadmin data<a class="headerlink" href="#per-principal-kadmin-data" title="Link to this heading">¶</a></h3> -<p>Per-principal kadmin data records use a modified XDR encoding of the -kadmin_data type defined as follows:</p> -<div class="highlight-c notranslate"><div class="highlight"><pre><span></span><span class="k">struct</span><span class="w"> </span><span class="nc">key_data</span><span class="w"> </span><span class="p">{</span> -<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">numfields</span><span class="p">;</span> -<span class="w"> 
</span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">kvno</span><span class="p">;</span> -<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">enctype</span><span class="p">;</span> -<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">salttype</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">keylen</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">saltlen</span><span class="p">;</span> -<span class="w"> </span><span class="n">opaque</span><span class="w"> </span><span class="n">key</span><span class="o"><></span><span class="p">;</span> -<span class="w"> </span><span class="n">opaque</span><span class="w"> </span><span class="n">salt</span><span class="o"><></span><span class="p">;</span> -<span class="p">};</span> - -<span class="k">struct</span><span class="w"> </span><span class="nc">hist_entry</span><span class="w"> </span><span class="p">{</span> -<span class="w"> </span><span class="n">key_data</span><span class="w"> </span><span class="n">keys</span><span class="o"><></span><span class="p">;</span> -<span class="p">};</span> - -<span class="k">struct</span><span class="w"> </span><span class="nc">kadmin_data</span><span class="w"> </span><span class="p">{</span> -<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">version_number</span><span class="p">;</span> -<span class="w"> </span><span class="n">nullstring</span><span class="w"> </span><span class="n">policy</span><span class="p">;</span> -<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">aux_attributes</span><span 
class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">old_key_next</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">admin_history_kvno</span><span class="p">;</span> -<span class="w"> </span><span class="n">hist_entry</span><span class="w"> </span><span class="n">old_keysets</span><span class="o"><></span><span class="p">;</span> -<span class="p">};</span> -</pre></div> -</div> -<p>The type “nullstring” uses a custom string encoder where the length -field is zero or the string length plus one; a length of zero -indicates that no policy object is specified for the principal. The -field “version_number” contains 0x12345C01. The aux_attributes field -contains the bit 0x800 if a policy object is associated with the -principal.</p> -<p>Within a key_data record, numfields is 2 if the key data has -non-normal salt type, 1 otherwise.</p> -</section> -<section id="active-kvno-and-master-key-auxiliary-data"> -<h3>Active kvno and master key auxiliary data<a class="headerlink" href="#active-kvno-and-master-key-auxiliary-data" title="Link to this heading">¶</a></h3> -<p>These types only appear in the entry of the master key principal -(K/M). They use little-endian binary integer encoding.</p> -<p>The active kvno table determines which master key version is active -for a given timestamp. It uses the following binary format:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>active-key-version-table <span class="o">::=</span> - version (16 bits) [with the value 1] - version entry 1 (key-version-entry) - version entry 2 (key-version-entry) - ... 
- -key-version-entry <span class="o">::=</span> - key version (16 bits) - timestamp (32 bits) [when this key version becomes active] -</pre></div> -</div> -<p>The master key auxiliary data record contains copies of the current -master key encrypted in each older master key. It uses the following -binary format:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>master-key-aux <span class="o">::=</span> - version (16 bits) [with the value 1] - key entry 1 (key-entry) - key entry 2 (key-entry) - ... - -key-entry <span class="o">::=</span> - old master key version (16 bits) - latest master key version (16 bits) - latest master key encryption type (16 bits) - encrypted key length (16 bits) - encrypted key contents -</pre></div> -</div> -</section> -<section id="ldap-object-information"> -<h3>LDAP object information<a class="headerlink" href="#ldap-object-information" title="Link to this heading">¶</a></h3> -<p>This type appears in principal entries retrieved with the LDAP KDB -module. The value uses the following binary format, using big-endian -integer encoding:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>ldap-principal-data <span class="o">::=</span> - record 1 (ldap-tl-data) - record 2 (ldap-tl-data) - ... 
- -ldap-tl-data <span class="o">::=</span> - type (8 bits) - length (16 bits) - data -</pre></div> -</div> -<p>The currently defined ldap-tl-data types are (all integers are -big-endian):</p> -<ul class="simple"> -<li><p>(1) principal type: 16 bits containing the value 1, indicating that -the LDAP object containing the principal entry is a standalone -principal object</p></li> -<li><p>(2) principal count: 16 bits containing the number of -krbPrincipalName values in the LDAP object</p></li> -<li><p>(3) user DN: the string representation of the distinguished name of -the LDAP object</p></li> -<li><p>(5) attribute mask: 16 bits indicating which Kerberos-specific LDAP -attributes are present in the LDAP object (see below)</p></li> -<li><p>(7) link DN: the string representation of the distinguished name of -an LDAP object this object is linked to; may appear multiple times</p></li> -</ul> -<p>When converted to binary, the attribute mask bits, from least -significant to most significant, correspond to the following LDAP -attributes:</p> -<ul class="simple"> -<li><p>krbMaxTicketLife</p></li> -<li><p>krbMaxRenewableAge</p></li> -<li><p>krbTicketFlags</p></li> -<li><p>krbPrincipalExpiration</p></li> -<li><p>krbTicketPolicyReference</p></li> -<li><p>krbPrincipalAuthInd</p></li> -<li><p>krbPwdPolicyReference</p></li> -<li><p>krbPasswordExpiration</p></li> -<li><p>krbPrincipalKey</p></li> -<li><p>krbLastPwdChange</p></li> -<li><p>krbExtraData</p></li> -<li><p>krbLastSuccessfulAuth</p></li> -<li><p>krbLastFailedAuth</p></li> -<li><p>krbLoginFailedCount</p></li> -<li><p>krbLastAdminUnlock</p></li> -<li><p>krbPwdHistory</p></li> -</ul> -</section> -</section> -<section id="alias-principal-entries"> -<h2>Alias principal entries<a class="headerlink" href="#alias-principal-entries" title="Link to this heading">¶</a></h2> -<p>To allow aliases to be represented in dump files and within the -incremental update protocol, the krb5 database library supports the -concept of an alias 
principal entry. An alias principal entry -contains an alias target principal in its tag-length data, has its -attributes set to disallow_all_tix, and has zero or empty values for -all other fields. The database glue library recognizes alias entries -and iteratively looks up the alias target up to a depth of 10 chained -aliases. (Added in release 1.22.)</p> -</section> -<section id="db2-principal-and-policy-formats"> -<h2>DB2 principal and policy formats<a class="headerlink" href="#db2-principal-and-policy-formats" title="Link to this heading">¶</a></h2> -<p>The DB2 KDB module uses the string form of a principal name, with zero -terminator, as a lookup key for principal entries. Principal entry -values use the following binary format with little-endian integer -encoding:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>db2-principal-entry <span class="o">::=</span> - len (16 bits) [always has the value 38] - attributes (32 bits) - max ticket lifetime (32 bits) - max renewable lifetime (32 bits) - principal expiration timestamp (32 bits) - password expiration timestamp (32 bits) - last successful authentication timestamp (32 bits) - last failed authentication timestamp (32 bits) - failed authentication counter (32 bits) - number of tag-length elements (16 bits) - number of key-data elements (16 bits) - length of string-form principal with zero terminator (16 bits) - string-form principal with zero terminator - tag-length entry 1 (tag-length-data) - tag-length entry 2 (tag-length-data) - ... - key-data entry 1 (key-data) - key-data entry 2 (key-data) - ... 
- -tag-length-data <span class="o">::=</span> - type tag (16 bits) - data length (16 bits) - data - -key-data <span class="o">::=</span> - salt indicator (16 bits) [1 for default salt, 2 otherwise] - key version (16 bits) - encryption type (16 bits) - encrypted key length (16 bits) - encrypted key - salt type (16 bits) [omitted if salt indicator is 1] - salt data length (16 bits) [omitted if salt indicator is 1] - salt data [omitted if salt indicator is 1] -</pre></div> -</div> -<p>DB2 policy entries reside in a separate database file. The lookup key -is the policy name with zero terminator. Policy entry values use a -modified XDR encoding of the policy type defined as follows:</p> -<div class="highlight-c notranslate"><div class="highlight"><pre><span></span><span class="k">struct</span><span class="w"> </span><span class="nc">tl_data</span><span class="w"> </span><span class="p">{</span> -<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">type</span><span class="p">;</span> -<span class="w"> </span><span class="n">opaque</span><span class="w"> </span><span class="n">data</span><span class="o"><></span><span class="p">;</span> -<span class="w"> </span><span class="n">tl_data</span><span class="w"> </span><span class="o">*</span><span class="n">next</span><span class="p">;</span> -<span class="p">};</span> - -<span class="k">struct</span><span class="w"> </span><span class="nc">policy</span><span class="w"> </span><span class="p">{</span> -<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">version_number</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">min_life</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span 
class="n">max_pw_life</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">min_length</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">min_classes</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">history_num</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">refcount</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">max_fail</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">failcount_interval</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">lockout_duration</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">attributes</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">max_ticket_life</span><span class="p">;</span> -<span class="w"> </span><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">max_renewable_life</span><span class="p">;</span> -<span class="w"> 
</span><span class="n">nullstring</span><span class="w"> </span><span class="n">allowed_keysalts</span><span class="p">;</span> -<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">n_tl_data</span><span class="p">;</span> -<span class="w"> </span><span class="n">tl_data</span><span class="w"> </span><span class="o">*</span><span class="n">tag_length_data</span><span class="p">;</span> -<span class="p">};</span> -</pre></div> -</div> -<p>The type “nullstring” uses the same custom encoder as in the -per-principal kadmin data.</p> -<p>The field “version_number” contains 0x12345D01, 0x12345D02, or -0x12345D03 for versions 1, 2, and 3 respectively. Versions 1 and 2 -omit the fields “attributes” through “tag_length_data”. Version 1 -also omits the fields “max_fail” through “lockout_duration”. Encoding -uses the lowest version that can represent the policy entry.</p> -<p>The field “refcount” is no longer used and its value is ignored.</p> -</section> -<section id="lmdb-principal-and-policy-formats"> -<h2>LMDB principal and policy formats<a class="headerlink" href="#lmdb-principal-and-policy-formats" title="Link to this heading">¶</a></h2> -<p>In the LMDB KDB module, principal entries are stored in the -“principal” database within the main LMDB environment (typically named -“principal.mdb”), with the exception of lockout-related fields which -are stored in the “lockout” table of the lockout LMDB environment -(typically named “principal.lockout.mdb”). For both databases the key -is the principal name in string form, with no zero terminator. 
Values -in the “principal” database use the following binary format with -little-endian integer encoding:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>lmdb-principal-entry <span class="o">::=</span> - attributes (32 bits) - max ticket lifetime (32 bits) - max renewable lifetime (32 bits) - principal expiration timestamp (32 bits) - password expiration timestamp (32 bits) - number of tag-length elements (16 bits) - number of key-data elements (16 bits) - tag-length entry 1 (tag-length-data) - tag-length entry 2 (tag-length-data) - ... - key-data entry 1 (key-data) - key-data entry 2 (key-data) - ... - -tag-length-data <span class="o">::=</span> - type tag (16 bits) - data length (16 bits) - data value - -key-data <span class="o">::=</span> - salt indicator (16 bits) [1 for default salt, 2 otherwise] - key version (16 bits) - encryption type (16 bits) - encrypted key length (16 bits) - encrypted key - salt type (16 bits) [omitted if salt indicator is 1] - salt data length (16 bits) [omitted if salt indicator is 1] - salt data [omitted if salt indicator is 1] -</pre></div> -</div> -<p>Values in the “lockout” database have the following binary format with -little-endian integer encoding:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>lmdb-lockout-entry <span class="o">::=</span> - last successful authentication timestamp (32 bits) - last failed authentication timestamp (32 bits) - failed authentication counter (32 bits) -</pre></div> -</div> -<p>In the “policy” database, the lookup key is the policy name with no -zero terminator. 
Values in this database use the following binary -format with little-endian integer encoding:</p> -<div class="highlight-bnf notranslate"><div class="highlight"><pre><span></span>lmdb-policy-entry <span class="o">::=</span> - minimum password lifetime (32 bits) - maximum password lifetime (32 bits) - minimum password length (32 bits) - minimum character classes (32 bits) - number of historical keys (32 bits) - maximum failed authentications before lockout (32 bits) - time interval to reset failed authentication counter (32 bits) - lockout duration (32 bits) - required principal attributes (32 bits) [currently unenforced] - maximum ticket lifetime (32 bits) [currently unenforced] - maximum renewable lifetime (32 bits) [currently unenforced] - allowed key/salt type specification length [32 bits] - allowed key/salt type specification - number of tag-length values (16 bits) - tag-length entry 1 (tag-length-data) - tag-length entry 2 (tag-length-data) - ... - -tag-length-data <span class="o">::=</span> - type tag (16 bits) - data length (16 bits) - data value -</pre></div> -</div> -</section> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">Kerberos Database (KDB) Formats</a><ul> -<li><a class="reference internal" href="#dump-format">Dump format</a></li> -<li><a class="reference internal" href="#tag-length-data-formats">Tag-length data formats</a><ul> -<li><a class="reference internal" href="#per-principal-kadmin-data">Per-principal kadmin data</a></li> -<li><a class="reference internal" href="#active-kvno-and-master-key-auxiliary-data">Active kvno and master key auxiliary data</a></li> -<li><a class="reference internal" href="#ldap-object-information">LDAP object information</a></li> -</ul> -</li> -<li><a class="reference internal" href="#alias-principal-entries">Alias principal entries</a></li> -<li><a class="reference internal" 
href="#db2-principal-and-policy-formats">DB2 principal and policy formats</a></li> -<li><a class="reference internal" href="#lmdb-principal-and-policy-formats">LMDB principal and policy formats</a></li> -</ul> -</li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="index.html">Protocols and file formats</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li> -<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="#">Kerberos Database (KDB) Formats</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build 
this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2025, MIT. - </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="freshness_token.html" title="PKINIT freshness tokens" - >previous</a> | - <a href="../mitK5features.html" title="MIT Kerberos features" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Kerberos Database (KDB) Formats">feedback</a> - </div> - </div> - </div> - - </body> -</html>
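Review bot: this hunk deletes database_formats.html, the rendered description of the KDB dump line format, the tag-length data types, the K/M active-kvno and master-key auxiliary records, and the DB2/LMDB on-disk layouts, but nothing in the diff says where that documentation now lives; the page is Sphinx build output (the `../_static/doctools.js` and `../_static/documentation_options.js` includes and the `Release: 1.22-final` footer identify it as generated), so the commit message should state whether the RST sources are kept and the HTML is to be regenerated, or whether the rendered formats documentation is intentionally dropped from this tree. Please also confirm before merge that no remaining page links to `formats/database_formats.html`: the removed page's `rel="prev"`/`rel="next"` links to `freshness_token.html` and `../mitK5features.html` and the sidebar entries for `ccache_file_format.html`, `keytab_file_format.html`, `rcache_file_format.html` and `cookie.html` show that this set of pages cross-references itself, so removing only part of it leaves dangling links. One note for whoever maintains the source document rather than for this diff: the removed text cites "Appendix A of RFC 1606" for the PA-SVR-REFERRAL-DATA referral padata, and RFC 1606 is not a Kerberos document (RFC 6806, Kerberos referrals, is the likely intended reference), so that citation is worth checking in the source so it is not reintroduced when the HTML is rebuilt.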
\ No newline at end of file diff --git a/crypto/krb5/doc/html/formats/freshness_token.html b/crypto/krb5/doc/html/formats/freshness_token.html deleted file mode 100644 index 2099077df29e..000000000000 --- a/crypto/krb5/doc/html/formats/freshness_token.html +++ /dev/null 
@@ -1,148 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>PKINIT freshness tokens — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="Kerberos Database (KDB) Formats" href="database_formats.html" /> - <link rel="prev" title="KDC cookie format" href="cookie.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="cookie.html" title="KDC cookie format" - accesskey="P">previous</a> | - <a href="database_formats.html" title="Kerberos Database (KDB) Formats" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT freshness tokens">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div class="content"> - <div 
class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="pkinit-freshness-tokens"> -<h1>PKINIT freshness tokens<a class="headerlink" href="#pkinit-freshness-tokens" title="Link to this heading">¶</a></h1> -<p><span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc8070.html"><strong>RFC 8070</strong></a> specifies a pa-data type PA_AS_FRESHNESS, which clients -should reflect within signed PKINIT data to prove recent access to the -client certificate private key. The contents of a freshness token are -left to the KDC implementation. The MIT krb5 KDC uses the following -format for freshness tokens (starting in release 1.17):</p> -<ul class="simple"> -<li><p>a four-byte big-endian POSIX timestamp</p></li> -<li><p>a four-byte big-endian key version number</p></li> -<li><p>an <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc3961.html"><strong>RFC 3961</strong></a> checksum, with no ASN.1 wrapper</p></li> -</ul> -<p>The checksum is computed using the first key in the local krbtgt -principal entry for the realm (e.g. <code class="docutils literal notranslate"><span class="pre">krbtgt/KRBTEST.COM@KRBTEST.COM</span></code> -if the request is to the <code class="docutils literal notranslate"><span class="pre">KRBTEST.COM</span></code> realm) of the indicated key -version. The checksum type must be the mandatory checksum type for -the encryption type of the krbtgt key. 
The key usage value for the -checksum is 514.</p> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">PKINIT freshness tokens</a></li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="index.html">Protocols and file formats</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="#">PKINIT freshness tokens</a></li> -<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference 
internal" href="../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2025, MIT. - </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="cookie.html" title="KDC cookie format" - >previous</a> | - <a href="database_formats.html" title="Kerberos Database (KDB) Formats" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__PKINIT freshness tokens">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file diff --git a/crypto/krb5/doc/html/formats/index.html b/crypto/krb5/doc/html/formats/index.html deleted file mode 100644 index ac41016ce786..000000000000 --- a/crypto/krb5/doc/html/formats/index.html +++ /dev/null 
@@ -1,142 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>Protocols and file formats — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="Credential cache file format" href="ccache_file_format.html" /> - <link rel="prev" title="Supported date and time formats" href="../basic/date_format.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="../basic/date_format.html" title="Supported date and time formats" - accesskey="P">previous</a> | - <a href="ccache_file_format.html" title="Credential cache file format" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Protocols and file formats">feedback</a> - </div> - </div> - </div> - - 
<div class="content-wrapper"> - <div class="content"> - <div class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="protocols-and-file-formats"> -<h1>Protocols and file formats<a class="headerlink" href="#protocols-and-file-formats" title="Link to this heading">¶</a></h1> -<div class="toctree-wrapper compound"> -<ul> -<li class="toctree-l1"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li> -<li class="toctree-l1"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li> -<li class="toctree-l1"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li> -<li class="toctree-l1"><a class="reference internal" href="cookie.html">KDC cookie format</a></li> -<li class="toctree-l1"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li> -<li class="toctree-l1"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li> -</ul> -</div> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">Protocols and file formats</a></li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference 
internal" href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1 current"><a class="current reference internal" href="#">Protocols and file formats</a><ul> -<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li> -<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li> -<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2025, MIT. 
- </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="../basic/date_format.html" title="Supported date and time formats" - >previous</a> | - <a href="ccache_file_format.html" title="Credential cache file format" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Protocols and file formats">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file diff --git a/crypto/krb5/doc/html/formats/keytab_file_format.html b/crypto/krb5/doc/html/formats/keytab_file_format.html deleted file mode 100644 index 7c74e1a1ac0e..000000000000 --- a/crypto/krb5/doc/html/formats/keytab_file_format.html +++ /dev/null 
@@ -1,178 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>Keytab file format — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="Replay cache file format" href="rcache_file_format.html" /> - <link rel="prev" title="Credential cache file format" href="ccache_file_format.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="ccache_file_format.html" title="Credential cache file format" - accesskey="P">previous</a> | - <a href="rcache_file_format.html" title="Replay cache file format" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Keytab file format">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div 
class="content"> - <div class="document"> - - <div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="keytab-file-format"> -<span id="id1"></span><h1>Keytab file format<a class="headerlink" href="#keytab-file-format" title="Link to this heading">¶</a></h1> -<p>There are two versions of the file format used by the FILE keytab -type. The first byte of the file always has the value 5, and the -value of the second byte contains the version number (1 or 2). -Version 1 of the file format uses native byte order for integer -representations. Version 2 always uses big-endian byte order.</p> -<p>After the two-byte version indicator, the file contains a sequence of -signed 32-bit record lengths followed by key records or holes. A -positive record length indicates a valid key entry whose size is equal -to or less than the record length. A negative length indicates a -zero-filled hole whose size is the inverse of the length. A length of -0 indicates the end of the file.</p> -<section id="key-entry-format"> -<h2>Key entry format<a class="headerlink" href="#key-entry-format" title="Link to this heading">¶</a></h2> -<p>A key entry may be smaller in size than the record length which -precedes it, because it may have replaced a hole which is larger than -the key entry. 
Key entries use the following informal grammar:</p> -<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">entry</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">principal</span> - <span class="n">timestamp</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">key</span> <span class="n">version</span> <span class="p">(</span><span class="mi">8</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">enctype</span> <span class="p">(</span><span class="mi">16</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">key</span> <span class="n">length</span> <span class="p">(</span><span class="mi">16</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">key</span> <span class="n">contents</span> - <span class="n">key</span> <span class="n">version</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> <span class="p">[</span><span class="ow">in</span> <span class="n">release</span> <span class="mf">1.14</span> <span class="ow">and</span> <span class="n">later</span><span class="p">]</span> - -<span class="n">principal</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">count</span> <span class="n">of</span> <span class="n">components</span> <span class="p">(</span><span class="mi">16</span> <span class="n">bits</span><span class="p">)</span> <span class="p">[</span><span class="n">includes</span> <span class="n">realm</span> <span class="ow">in</span> <span class="n">version</span> <span class="mi">1</span><span class="p">]</span> - <span class="n">realm</span> <span class="p">(</span><span class="n">data</span><span class="p">)</span> - <span class="n">component1</span> <span class="p">(</span><span class="n">data</span><span class="p">)</span> - <span class="n">component2</span> <span 
class="p">(</span><span class="n">data</span><span class="p">)</span> - <span class="o">...</span> - <span class="n">name</span> <span class="nb">type</span> <span class="p">(</span><span class="mi">32</span> <span class="n">bits</span><span class="p">)</span> <span class="p">[</span><span class="n">omitted</span> <span class="ow">in</span> <span class="n">version</span> <span class="mi">1</span><span class="p">]</span> - -<span class="n">data</span> <span class="p">:</span><span class="o">:=</span> - <span class="n">length</span> <span class="p">(</span><span class="mi">16</span> <span class="n">bits</span><span class="p">)</span> - <span class="n">value</span> <span class="p">(</span><span class="n">length</span> <span class="nb">bytes</span><span class="p">)</span> -</pre></div> -</div> -<p>The 32-bit key version overrides the 8-bit key version. To determine -if it is present, the implementation must check that at least 4 bytes -remain in the record after the other fields are read, and that the -value of the 32-bit integer contained in those bytes is non-zero.</p> -</section> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">Keytab file format</a><ul> -<li><a class="reference internal" href="#key-entry-format">Key entry format</a></li> -</ul> -</li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" 
href="../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="index.html">Protocols and file formats</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="#">Keytab file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="rcache_file_format.html">Replay cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li> -<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li> -<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 
1.22-final</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2025, MIT. - </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="ccache_file_format.html" title="Credential cache file format" - >previous</a> | - <a href="rcache_file_format.html" title="Replay cache file format" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Keytab file format">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file diff --git a/crypto/krb5/doc/html/formats/rcache_file_format.html b/crypto/krb5/doc/html/formats/rcache_file_format.html deleted file mode 100644 index 85ffdae3b8fc..000000000000 --- a/crypto/krb5/doc/html/formats/rcache_file_format.html +++ /dev/null 
@@ -1,172 +0,0 @@ -<!DOCTYPE html> - -<html lang="en" data-content_root="../"> - <head> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> - - <title>Replay cache file format — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" /> - <link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" /> - <link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" /> - <script src="../_static/documentation_options.js?v=236fef3b"></script> - <script src="../_static/doctools.js?v=888ff710"></script> - <script src="../_static/sphinx_highlight.js?v=dc90522c"></script> - <link rel="author" title="About these documents" href="../about.html" /> - <link rel="index" title="Index" href="../genindex.html" /> - <link rel="search" title="Search" href="../search.html" /> - <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="next" title="KDC cookie format" href="cookie.html" /> - <link rel="prev" title="Keytab file format" href="keytab_file_format.html" /> - </head><body> - <div class="header-wrapper"> - <div class="header"> - - - <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> - - <div class="rel"> - - <a href="../index.html" title="Full Table of Contents" - accesskey="C">Contents</a> | - <a href="keytab_file_format.html" title="Keytab file format" - accesskey="P">previous</a> | - <a href="cookie.html" title="KDC cookie format" - accesskey="N">next</a> | - <a href="../genindex.html" title="General Index" - accesskey="I">index</a> | - <a href="../search.html" title="Enter search criteria" - accesskey="S">Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Replay cache file format">feedback</a> - </div> - </div> - </div> - - <div class="content-wrapper"> - <div class="content"> - <div class="document"> - - 
<div class="documentwrapper"> - <div class="bodywrapper"> - <div class="body" role="main"> - - <section id="replay-cache-file-format"> -<h1>Replay cache file format<a class="headerlink" href="#replay-cache-file-format" title="Link to this heading">¶</a></h1> -<p>This section documents the second version of the replay cache file -format, used by the “file2” replay cache type (new in release 1.18). -The first version of the file replay cache format is not documented.</p> -<p>All accesses to the replay cache file take place under an exclusive -POSIX or Windows file lock, obtained when the file is opened and -released when it is closed. Replay cache files are automatically -created when first accessed.</p> -<p>For each store operation, a tag is derived from the checksum part of -the <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc3961.html"><strong>RFC 3961</strong></a> ciphertext of the authenticator. The checksum is -coerced to a fixed length of 12 bytes, either through truncation or -right-padding with zero bytes. A four-byte timestamp is appended to -the tag to produce a total record length of 16 bytes.</p> -<p>Bytes 0 through 15 of the file contain a hash seed for the SipHash-2-4 -algorithm (<a class="reference external" href="https://131002.net/siphash/siphash.pdf">siphash</a>); this field is populated with random bytes when -the file is first created. All remaining bytes are divided into a -series of expanding hash tables:</p> -<ul class="simple"> -<li><p>Bytes 16-16383: hash table 1 (1023 slots)</p></li> -<li><p>Bytes 16384-49151: hash table 2 (2048 slots)</p></li> -<li><p>Bytes 49152-114687: hash table 3 (4096 slots)</p></li> -<li><p>…</p></li> -</ul> -<p>Only some hash tables will be present in the file at any specific -time, and the final table may be only partially filled. 
Replay cache -files may be sparse if the filesystem supports it.</p> -<p>For each table present in the file, the tag is hashed with SipHash-2-4 -using the seed recorded in the file. The first byte of the seed is -incremented by one (modulo 256) for each table after the first. The -resulting hash value is taken modulo one less than the table size -(1022 for the first hash table, 2047 for the second) to produce the -index. The record may be found at the slot given by the index or at -the next slot.</p> -<p>All candidate locations for the record must be searched until a slot -is found with a timestamp of zero (indicating a slot which has never -been written to) or an offset is reached at or beyond the end of the -file. Any candidate location with a timestamp value of zero, with a -timestamp value less than the current time minus clockskew, or at or -beyond the end of the file is available for writing. When all -candidate locations have been searched without finding a match, the -new entry is written to the earliest candidate available for writing.</p> -</section> - - - <div class="clearer"></div> - </div> - </div> - </div> - </div> - <div class="sidebar"> - - <h2>On this page</h2> - <ul> -<li><a class="reference internal" href="#">Replay cache file format</a></li> -</ul> - - <br/> - <h2>Table of contents</h2> - <ul class="current"> -<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> -<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li> -<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> -<li class="toctree-l1"><a class="reference internal" 
href="../basic/index.html">Kerberos V5 concepts</a></li> -<li class="toctree-l1 current"><a class="reference internal" href="index.html">Protocols and file formats</a><ul class="current"> -<li class="toctree-l2"><a class="reference internal" href="ccache_file_format.html">Credential cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="keytab_file_format.html">Keytab file format</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="#">Replay cache file format</a></li> -<li class="toctree-l2"><a class="reference internal" href="cookie.html">KDC cookie format</a></li> -<li class="toctree-l2"><a class="reference internal" href="freshness_token.html">PKINIT freshness tokens</a></li> -<li class="toctree-l2"><a class="reference internal" href="database_formats.html">Kerberos Database (KDB) Formats</a></li> -</ul> -</li> -<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> -<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> -<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> -<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> -</ul> - - <br/> - <h4><a href="../index.html">Full Table of Contents</a></h4> - <h4>Search</h4> - <form class="search" action="../search.html" method="get"> - <input type="text" name="q" size="18" /> - <input type="submit" value="Go" /> - <input type="hidden" name="check_keywords" value="yes" /> - <input type="hidden" name="area" value="default" /> - </form> - - </div> - <div class="clearer"></div> - </div> - </div> - - <div class="footer-wrapper"> - <div class="footer" > - <div class="right" ><i>Release: 1.22-final</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2025, MIT. 
- </div> - <div class="left"> - - <a href="../index.html" title="Full Table of Contents" - >Contents</a> | - <a href="keytab_file_format.html" title="Keytab file format" - >previous</a> | - <a href="cookie.html" title="KDC cookie format" - >next</a> | - <a href="../genindex.html" title="General Index" - >index</a> | - <a href="../search.html" title="Enter search criteria" - >Search</a> | - <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Replay cache file format">feedback</a> - </div> - </div> - </div> - - </body> -</html>
\ No newline at end of file |
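Review bot: the freshness_token.html hunk removes a Sphinx build artifact (the cache-busted `_static/*.js?v=...` assets and `data-content_root` attribute show it is generated output), so the change itself is a cleanup rather than a content edit; what should be confirmed is that the source this page is built from (the page links to "How to build this documentation from the source") stays in the tree, because the deleted text is the only place in this set that records the MIT freshness token layout (four-byte big-endian POSIX timestamp, four-byte big-endian kvno, RFC 3961 checksum with no ASN.1 wrapper) together with the checksum key (first key of the local krbtgt entry at that kvno, mandatory checksum type for its enctype) and key usage 514, all of which a verifier or test harness needs to reproduce. A one-line note in the commit message saying where that description now lives would close the gap.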
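Review bot: the index.html hunk's toctree links to ccache_file_format.html, cookie.html and database_formats.html in addition to the keytab, rcache and freshness pages deleted here, and every page in the set carries `rel="prev"`/`rel="next"` links to its siblings (this file's `rel="next"` points at ccache_file_format.html, the freshness page's at database_formats.html); the removal therefore needs to cover the whole formats/ directory in one change, otherwise any page left behind has dangling navigation links. The commit message should also state why the rendered HTML is being dropped (for example, that built docs are no longer shipped) so the intent is recorded for the next import.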
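Review bot: no objection to dropping the rendered keytab_file_format.html, but the deleted paragraph after the grammar carries a parsing rule that implementations depend on and that is easy to get wrong: the trailing 32-bit key version (present only in release 1.14 and later) overrides the 8-bit one, and it must be treated as present only when at least 4 bytes remain in the record after the other fields and the 32-bit value is non-zero; together with the rule that a positive record length may exceed the entry size (an entry may have replaced a larger hole), a reader that consumes the trailing kvno unconditionally or trusts the record length as the entry length will mis-parse files written by older releases or after deletions. Please make sure this text remains reachable from the tree (source .rst or an upstream pointer) after the HTML is gone.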
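Review bot: the rcache_file_format.html hunk deletes the only description in this set of the "file2" replay cache layout, and it is the description operators and inspection tools need rather than an implementation detail: a 16-byte SipHash-2-4 seed at bytes 0-15, 16-byte records made of a 12-byte checksum tag (truncated or zero-padded) plus a 4-byte timestamp, expanding tables starting at byte 16 (1023, 2048, 4096 slots, ...) indexed by the hash modulo table size minus one with a probe at the index and the next slot, and the reuse rule that a slot is writable when its timestamp is zero, older than now minus clockskew, or at or beyond end of file. The same applies to the note that all access happens under an exclusive file lock and that files may be sparse; confirm the source document survives and mention it in the commit message, since clearing or auditing a replay cache by hand is not possible without this layout.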