1233294Sstas-- $Id$
2178825Sdfr
-- DIGEST: ASN.1 module for a digest/NTLM verification service that is
-- itself authenticated with Kerberos.  Every message on the wire is a
-- DigestREQ or DigestREP (defined at the end of this module); each one
-- carries an AP-REQ/AP-REP as an opaque OCTET STRING plus an
-- EncryptedData payload, so the inner request/reply types defined here
-- are presumably never sent in the clear.  EncryptedData and Principal
-- are the only types taken from the krb5 module.
DIGEST DEFINITIONS ::=
BEGIN

IMPORTS EncryptedData, Principal FROM krb5;
7178825Sdfr
-- Mechanisms a server can advertise in DigestRepInner.supportedMechs.
-- Every bit names a legacy challenge/response scheme (NTLM variants,
-- SASL DIGEST-MD5, CHAP, MS-CHAPv2).  A set bit only says the server is
-- willing to verify that scheme; it says nothing about its strength.
-- NOTE(review): ntlm-v1, ntlm-v1-session and chap-md5 in particular are
-- generally considered broken against an observer of the exchange.
-- Which bits a given server actually sets is decided by the
-- implementation, not this module; do not assume a safe default.
DigestTypes ::= BIT STRING {
    ntlm-v1(0),
    ntlm-v1-session(1),
    ntlm-v2(2),
    digest-md5(3),
    chap-md5(4),
    ms-chap-v2(5)
}
16178825Sdfr
-- First client message for the digest mechanisms: selects the flavour
-- and, optionally, supplies the channel binding the client observed.
DigestInit ::= SEQUENCE {
    type		UTF8String, -- http, sasl, chap, cram-md5 --
    -- Channel binding data.  DigestResponse.channel has the same shape,
    -- and the serverNonce note after DigestRequest shows a trailing
    -- "cbType:cbBinding" part, so the binding presumably feeds into the
    -- nonce.  NOTE(review): because the component is OPTIONAL, a client
    -- that omits it simply gets no binding; whether that is acceptable
    -- is a policy decision the module does not express.
    channel		[0] SEQUENCE {
        cb-type		UTF8String,
        cb-binding	UTF8String
    } OPTIONAL,
    hostname		[1] UTF8String OPTIONAL -- for chap/cram-md5
}
25178825Sdfr
-- Server's answer to DigestInit.
DigestInitReply ::= SEQUENCE {
    -- Challenge for the client, returned verbatim as
    -- DigestRequest.serverNonce.  Its layout (4 bytes of time followed
    -- by 12 random bytes, hex encoded) is documented after DigestRequest.
    nonce		UTF8String,	-- service nonce/challenge
    -- Server state carried by the client instead of being stored on the
    -- server: per the note after DigestRequest it is a keyed checksum
    -- over the nonce and identity fields.  The client can alter it at
    -- will, so the server is expected to recompute and compare it before
    -- trusting anything in the follow-up DigestRequest; that check lives
    -- in the implementation, not here.
    opaque		UTF8String,	-- server state
    identifier		[0] UTF8String OPTIONAL
}
31178825Sdfr
32178825Sdfr
-- Second client message: the digest the client computed plus every
-- input the server needs to recompute it.  Which OPTIONAL components are
-- required depends on `type` and `digest`; the module does not
-- constrain that, so the implementation must check presence itself.
DigestRequest ::= SEQUENCE  {
    type		UTF8String, -- http, sasl-md5, chap, cram-md5 --
    digest		UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
    username		UTF8String, -- username user used
    responseData	UTF8String, -- client response
    authid		[0] UTF8String OPTIONAL,
    -- Principal whose key is used to derive the digest secret.
    -- NOTE(review): nothing in this structure ties it to `username`;
    -- whether a caller may verify a digest against a principal other
    -- than the one named in the digest is left to the server side.
    authentication-user	[1] Principal OPTIONAL, -- principal to get key from
    realm		[2] UTF8String OPTIONAL,
    method		[3] UTF8String OPTIONAL, -- HTTP method, A2 input (see below)
    uri			[4] UTF8String OPTIONAL, -- digest-uri-value, A2 input
    -- Untagged and mandatory: echo of DigestInitReply.nonce.
    serverNonce		UTF8String, -- same as "DigestInitReply.nonce"
    clientNonce		[5] UTF8String OPTIONAL,
    nonceCount		[6] UTF8String OPTIONAL,
    qop			[7] UTF8String OPTIONAL,
    identifier		[8] UTF8String OPTIONAL,
    hostname		[9] UTF8String OPTIONAL,
    -- Untagged and mandatory: echo of DigestInitReply.opaque.
    opaque		UTF8String -- same as "DigestInitReply.opaque"
}
-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
--   A keyed checksum.  Recomputing it from this request's own type,
--   serverNonce, identifier and hostname and comparing is what binds
--   those fields to the earlier DigestInitReply; a request whose opaque
--   does not verify should be rejected.  The verification itself is in
--   the implementation, not in this module.
-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
--   The leading time field is presumably what allows stale nonces to be
--   refused; the parenthesised "cbType:cbBinding" suffix is presumably
--   only present when DigestInit carried a channel binding.  Neither
--   rule is expressed in the ASN.1.
53178825Sdfr
54178825Sdfr
-- Error reply.  `reason` is free text intended for humans; `code` is
-- constrained to the range of a signed 32-bit integer.
DigestError ::= SEQUENCE {
    reason		UTF8String,
    code		INTEGER (-2147483648..2147483647)
}
59178825Sdfr
-- Final server reply for the digest mechanisms.
DigestResponse ::= SEQUENCE {
    success		BOOLEAN,
    -- Response value handed back to the client when the mechanism has
    -- one; its contents are mechanism specific and not defined here.
    rsp			[0] UTF8String OPTIONAL,
    tickets		[1] SEQUENCE OF OCTET STRING OPTIONAL,
    -- Channel binding as seen by the server; same shape as
    -- DigestInit.channel.
    channel		[2] SEQUENCE {
        cb-type		UTF8String,
        cb-binding	UTF8String
    } OPTIONAL,
    -- Key material.  This type is an alternative of DigestRepInner, which
    -- presumably travels as DigestREP.innerRep (EncryptedData); the
    -- secrecy of the key rests entirely on that outer encryption.
    session-key		[3] OCTET STRING OPTIONAL
}
70178825Sdfr
-- First client message for NTLM: negotiate flags plus, optionally, the
-- client's host name and domain.
-- NOTE(review): hostname and domain are both tagged [1] although both
-- are OPTIONAL.  ASN.1 (X.680) requires consecutive OPTIONAL components
-- of a SEQUENCE to carry distinct tags; as written, an encoding with a
-- single [1] element is ambiguous (hostname only vs domain only) and a
-- sequential decoder will presumably always assign it to hostname.  The
-- tag is deliberately NOT corrected here, since changing it alters the
-- wire encoding for every existing peer; treat it as a known
-- interoperability wart and do not rely on domain being sent alone.
NTLMInit ::= SEQUENCE {
    flags		[0] INTEGER (0..4294967295),
    hostname		[1] UTF8String OPTIONAL,
    domain		[1] UTF8String OPTIONAL
}
76178825Sdfr
-- Server's NTLM challenge.
NTLMInitReply ::= SEQUENCE {
    flags		[0] INTEGER (0..4294967295),
    -- Server state returned by the client in NTLMRequest.opaque.  Unlike
    -- DigestInitReply.opaque its construction is not documented in this
    -- module, so whether it is integrity protected is not visible here.
    opaque		[1] OCTET STRING,
    targetname		[2] UTF8String,
    -- The server challenge.  Note there is no SIZE constraint, unlike
    -- NTLMRequest2.lmchallenge, so length must be checked by the
    -- implementation.  (The misspelling is part of the generated symbol
    -- name and is kept for that reason.)
    challange		[3] OCTET STRING,
    targetinfo		[4] OCTET STRING OPTIONAL
}
84178825Sdfr
-- Client's NTLM authenticate data, relayed to the server for
-- verification against the challenge issued in NTLMInitReply.
NTLMRequest ::= SEQUENCE {
    flags		[0] INTEGER (0..4294967295),
    -- Presumably an echo of NTLMInitReply.opaque (the module does not
    -- say so explicitly, unlike the digest case).
    opaque		[1] OCTET STRING,
    username		[2] UTF8String,
    targetname		[3] UTF8String,
    targetinfo		[4] OCTET STRING OPTIONAL,
    -- LM and NT responses as produced by the NTLM client.  Together with
    -- the challenge they allow offline password guessing, so they must
    -- only ever be carried inside DigestREQ.innerReq (EncryptedData).
    -- No SIZE constraints: lengths are checked by the implementation.
    lm			[5] OCTET STRING,
    ntlm		[6] OCTET STRING,
    -- Presumably the client's key-exchange blob; which flag bit gates its
    -- presence is not expressed in this module.
    sessionkey		[7] OCTET STRING OPTIONAL
}
95178825Sdfr
-- Final server reply for NTLM.  sessionkey, when present, is secret
-- material and relies on the enclosing EncryptedData for protection.
NTLMResponse ::= SEQUENCE {
    success		[0] BOOLEAN,
    flags		[1] INTEGER (0..4294967295),
    sessionkey		[2] OCTET STRING OPTIONAL,
    tickets		[3] SEQUENCE OF OCTET STRING OPTIONAL
}
102178825Sdfr
-- Alternative NTLM verification request that carries the challenge
-- together with both responses, so no opaque state from an earlier
-- reply is needed.
-- NOTE(review): neither NTLMRequest2 nor NTLMReply appears in the
-- DigestReqInner/DigestRepInner CHOICEs of this module; how they reach
-- the wire is defined elsewhere.
NTLMRequest2 ::= SEQUENCE {
    loginUserName	[0] UTF8String,
    loginDomainName	[1] UTF8String,
    flags		[2] INTEGER (0..4294967295),
    -- The only SIZE-constrained field in the module: the 8-byte server
    -- challenge.  Because the sender supplies the challenge itself, the
    -- verifier cannot distinguish a fresh challenge from a replayed one
    -- using this message alone.
    lmchallenge		[3] OCTET STRING SIZE (8),
    -- ("Responce" spelling is part of the generated symbol names.)
    ntChallengeResponce [4] OCTET STRING,
    lmChallengeResponce [5] OCTET STRING
}
111233294Sstas
-- Reply for NTLMRequest2.  Like NTLMResponse but without tickets; the
-- optional sessionkey is secret material.
NTLMReply ::= SEQUENCE {
    success		[0] BOOLEAN,
    flags		[1] INTEGER (0..4294967295),
    sessionkey		[2] OCTET STRING OPTIONAL
}
117233294Sstas
-- Request payload.  NOTE(review): unlike DigestRepInner this CHOICE has
-- no extension marker ("..."), so adding a request alternative later is
-- not a backwards-compatible change for peers built from this module.
DigestReqInner ::= CHOICE {
    init		[0] DigestInit,
    digestRequest	[1] DigestRequest,
    ntlmInit		[2] NTLMInit,
    ntlmRequest		[3] NTLMRequest,
    supportedMechs	[4] NULL -- asks for DigestRepInner.supportedMechs
}
125178825Sdfr
-- Outer request envelope.
DigestREQ ::= [APPLICATION 128] SEQUENCE {
    -- Presumably an encoded Kerberos AP-REQ authenticating the caller;
    -- carried as an opaque OCTET STRING rather than a typed AP-REQ.
    apReq		[0] OCTET STRING,
    -- Encrypted inner request, presumably a DER DigestReqInner under a
    -- key established through apReq.  All user names, responses and key
    -- material in this module are protected only by this layer.
    innerReq		[1] EncryptedData
}
130178825Sdfr
-- Reply payload.  Extensible ("..."), unlike DigestReqInner.
DigestRepInner ::= CHOICE {
    error		[0] DigestError,
    initReply		[1] DigestInitReply,
    response		[2] DigestResponse,
    ntlmInitReply	[3] NTLMInitReply,
    ntlmResponse	[4] NTLMResponse,
    supportedMechs	[5] DigestTypes, -- answer to DigestReqInner.supportedMechs
    ...
}
140178825Sdfr
-- Outer reply envelope, mirror of DigestREQ.
DigestREP ::= [APPLICATION 129] SEQUENCE {
    -- Presumably an encoded Kerberos AP-REP; opaque OCTET STRING.
    apRep		[0] OCTET STRING,
    -- Encrypted inner reply, presumably a DER DigestRepInner.  The
    -- session keys and tickets in the reply types rely on this layer.
    innerRep		[1] EncryptedData
}
145178825Sdfr
146178825Sdfr
-- HTTP Digest (RFC 2617 notation: H is MD5, HEX its hex encoding,
-- KD(secret, data) = H(secret ":" data), unq() strips the quotes).

-- md5
-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
-- md5-sess
-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))
-- (note the inner hash is hex encoded here, unlike the SASL SS below)

-- qop == auth
-- A2 = Method ":" digest-uri-value
-- qop == auth-int
-- A2 = Method ":" digest-uri-value ":" H(entity-body)

-- request-digest  = HEX(KD(HEX(H(A1)),
--    unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
-- no "qop"
-- request-digest  = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))
163178825Sdfr
164178825Sdfr
-- SASL DIGEST-MD5 (RFC 2831 notation; braces denote concatenation):
-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
-- (SS is the raw 16-octet digest, not its hex encoding)
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }   (when an authzid is supplied)

-- A2 = "AUTHENTICATE:", ":", digest-uri-value
-- qop == auth-int,auth-conf
-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"
-- NOTE(review): RFC 2831 writes A2 as "AUTHENTICATE:" followed directly by
-- digest-uri-value; the extra ":" in the two lines above would yield
-- "AUTHENTICATE::" if taken literally. Confirm against the implementation
-- before relying on this comment.

-- response-value = HEX( KD ( HEX(H(A1)),
--                 { unq(nonce-value), ":", nc-value, ":",
--                   unq(cnonce-value), ":", qop-value, ":",
--                   HEX(H(A2)) }))
178178825Sdfr
179178825SdfrEND
180