-- $Id$

-- ASN.1 module for the digest / NTLM authentication exchange that is
-- tunnelled over Kerberos: the outer DigestREQ and DigestREP carry the
-- mechanism-specific inner request and reply as krb5 EncryptedData, so
-- the CHOICE types below are not carried in the clear.  The comment block
-- at the end records the HTTP Digest (RFC 2617) and SASL DIGEST-MD5
-- (RFC 2831) formulas the "digest" values are computed with.

DIGEST DEFINITIONS ::=
BEGIN

IMPORTS EncryptedData, Principal FROM krb5;

-- Bit set of mechanisms the server supports; returned in
-- DigestRepInner.supportedMechs in answer to DigestReqInner.supportedMechs.
DigestTypes ::= BIT STRING {
    ntlm-v1(0),
    ntlm-v1-session(1),
    ntlm-v2(2),
    digest-md5(3),
    chap-md5(4),
    ms-chap-v2(5)
}

-- First client message of a digest exchange: names the mechanism family,
-- optionally announces channel-binding data and, for chap/cram-md5, the
-- hostname the server folds into its opaque state (see the opaque formula
-- after DigestRequest).
DigestInit ::= SEQUENCE {
    type        UTF8String, -- http, sasl, chap, cram-md5 --
    channel     [0] SEQUENCE {
        cb-type     UTF8String,
        cb-binding  UTF8String
    } OPTIONAL,
    hostname    [1] UTF8String OPTIONAL -- for chap/cram-md5
}

-- Server reply to DigestInit.  The client must echo nonce and opaque
-- unchanged as DigestRequest.serverNonce and DigestRequest.opaque.
DigestInitReply ::= SEQUENCE {
    nonce       UTF8String, -- service nonce/challenge
    opaque      UTF8String, -- server state, see formula after DigestRequest
    identifier  [0] UTF8String OPTIONAL
}


-- Second client message: the client's digest response together with the
-- parameters the server needs to recompute it.  serverNonce and opaque are
-- untagged (universal UTF8String) mandatory members placed between the
-- tagged OPTIONAL ones; keep that ordering when editing.
DigestRequest ::= SEQUENCE {
    type                UTF8String, -- http, sasl-md5, chap, cram-md5 --
    digest              UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
    username            UTF8String, -- username the user presented
    responseData        UTF8String, -- client response
    authid              [0] UTF8String OPTIONAL,
    authentication-user [1] Principal OPTIONAL, -- principal to get key from
    realm               [2] UTF8String OPTIONAL,
    method              [3] UTF8String OPTIONAL,
    uri                 [4] UTF8String OPTIONAL,
    serverNonce         UTF8String, -- same as "DigestInitReply.nonce"
    clientNonce         [5] UTF8String OPTIONAL,
    nonceCount          [6] UTF8String OPTIONAL,
    qop                 [7] UTF8String OPTIONAL,
    identifier          [8] UTF8String OPTIONAL,
    hostname            [9] UTF8String OPTIONAL,
    opaque              UTF8String -- same as "DigestInitReply.opaque"
}
-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
--   i.e. a checksum keyed with the digest key over the fields the client
--   echoes back; presumably this is what lets the server notice a
--   tampered serverNonce/identifier/hostname without keeping per-client
--   state (confirm against the server implementation).
-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
--   4 bytes of timestamp followed by 12 random bytes, hex encoded, with
--   the channel-binding type and value appended, presumably only when
--   DigestInit.channel was supplied.


-- Error reply: free-text reason plus a 32-bit signed code.
DigestError ::= SEQUENCE {
    reason      UTF8String,
    code        INTEGER (-2147483648..2147483647)
}

-- Final server reply to DigestRequest.
DigestResponse ::= SEQUENCE {
    success     BOOLEAN,
    rsp         [0] UTF8String OPTIONAL, -- presumably the server's response value; confirm with the KDC code
    tickets     [1] SEQUENCE OF OCTET STRING OPTIONAL,
    channel     [2] SEQUENCE {
        cb-type     UTF8String,
        cb-binding  UTF8String
    } OPTIONAL,
    session-key [3] OCTET STRING OPTIONAL
}

-- NTLM: first client message.
-- NOTE(review): hostname and domain both carry context tag [1] and both
-- are OPTIONAL, so a decoder cannot tell which one is present when only
-- one of them is sent.  The tags are left unchanged here because
-- renumbering alters the wire encoding for every existing peer.
NTLMInit ::= SEQUENCE {
    flags       [0] INTEGER (0..4294967295),
    hostname    [1] UTF8String OPTIONAL,
    domain      [1] UTF8String OPTIONAL
}

-- NTLM: server reply to NTLMInit.  opaque is server state the client
-- echoes back in NTLMRequest.opaque; challange is the server challenge
-- (the field name is a long-standing misspelling and is part of the
-- generated API, so it is kept).
NTLMInitReply ::= SEQUENCE {
    flags       [0] INTEGER (0..4294967295),
    opaque      [1] OCTET STRING,
    targetname  [2] UTF8String,
    challange   [3] OCTET STRING,
    targetinfo  [4] OCTET STRING OPTIONAL
}

-- NTLM: second client message carrying the LM and NT responses.
NTLMRequest ::= SEQUENCE {
    flags       [0] INTEGER (0..4294967295),
    opaque      [1] OCTET STRING, -- echoed from NTLMInitReply.opaque
    username    [2] UTF8String,
    targetname  [3] UTF8String,
    targetinfo  [4] OCTET STRING OPTIONAL,
    lm          [5] OCTET STRING,
    ntlm        [6] OCTET STRING,
    sessionkey  [7] OCTET STRING OPTIONAL
}

-- NTLM: final server reply to NTLMRequest.
NTLMResponse ::= SEQUENCE {
    success     [0] BOOLEAN,
    flags       [1] INTEGER (0..4294967295),
    sessionkey  [2] OCTET STRING OPTIONAL,
    tickets     [3] SEQUENCE OF OCTET STRING OPTIONAL
}

-- Newer single-round NTLM request.  Not referenced from DigestReqInner in
-- this module, so it is reachable only through whatever code encodes it
-- directly.  lmchallenge is constrained to exactly 8 octets.
NTLMRequest2 ::= SEQUENCE {
    loginUserName       [0] UTF8String,
    loginDomainName     [1] UTF8String,
    flags               [2] INTEGER (0..4294967295),
    lmchallenge         [3] OCTET STRING SIZE (8),
    ntChallengeResponce [4] OCTET STRING,
    lmChallengeResponce [5] OCTET STRING
}

-- Reply matching NTLMRequest2; likewise not referenced from DigestRepInner.
NTLMReply ::= SEQUENCE {
    success     [0] BOOLEAN,
    flags       [1] INTEGER (0..4294967295),
    sessionkey  [2] OCTET STRING OPTIONAL
}

-- Inner request, carried encrypted inside DigestREQ.innerReq.  Not marked
-- extensible, unlike DigestRepInner.
DigestReqInner ::= CHOICE {
    init            [0] DigestInit,
    digestRequest   [1] DigestRequest,
    ntlmInit        [2] NTLMInit,
    ntlmRequest     [3] NTLMRequest,
    supportedMechs  [4] NULL -- ask the server for its DigestTypes
}

-- Outer request.  apReq is presumably the Kerberos AP-REQ that establishes
-- the key protecting innerReq (confirm with the caller); innerReq is the
-- encrypted DigestReqInner.
DigestREQ ::= [APPLICATION 128] SEQUENCE {
    apReq       [0] OCTET STRING,
    innerReq    [1] EncryptedData
}

-- Inner reply, carried encrypted inside DigestREP.innerRep.  Extensible,
-- so decoders must tolerate unknown alternatives.
DigestRepInner ::= CHOICE {
    error           [0] DigestError,
    initReply       [1] DigestInitReply,
    response        [2] DigestResponse,
    ntlmInitReply   [3] NTLMInitReply,
    ntlmResponse    [4] NTLMResponse,
    supportedMechs  [5] DigestTypes,
    ...
}

-- Outer reply; apRep is presumably the Kerberos AP-REP and innerRep the
-- encrypted DigestRepInner.
DigestREP ::= [APPLICATION 129] SEQUENCE {
    apRep       [0] OCTET STRING,
    innerRep    [1] EncryptedData
}


-- HTTP Digest (RFC 2617)

-- md5
-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
-- md5-sess
-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))

-- qop == auth
-- A2 = Method ":" digest-uri-value
-- qop == auth-int
-- A2 = Method ":" digest-uri-value ":" H(entity-body)

-- request-digest = HEX(KD(HEX(H(A1)),
--   unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
-- no "qop"
-- request-digest = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))


-- SASL DIGEST-MD5 (RFC 2831):
-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
-- with an authorization identity:
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }

-- A2 = "AUTHENTICATE:", ":", digest-uri-value
-- qop == auth-int,auth-conf
-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"

-- response-value = HEX( KD ( HEX(H(A1)),
--   { unq(nonce-value), ":" nc-value, ":",
--     unq(cnonce-value), ":", qop-value, ":",
--     HEX(H(A2)) }))

END