-- $Id$

-- DIGEST: message definitions for the digest / NTLM / CHAP pass-through
-- authentication service that sits next to Kerberos (it imports
-- EncryptedData and Principal from the krb5 module).
--
-- DigestREQ and DigestREP are the outer envelopes.  Their payload fields
-- are EncryptedData; the DigestReqInner / DigestRepInner CHOICEs below
-- are presumably the plaintext those envelopes carry (TODO confirm
-- against the implementation), which is what keeps the key material in
-- the reply types (session-key, sessionkey, encryptedSessionKey) out of
-- the clear at this layer.
DIGEST DEFINITIONS ::=
BEGIN

IMPORTS EncryptedData, Principal FROM krb5;

-- Mechanism set the server can advertise (see
-- DigestRepInner.supportedMechs).  Bit positions are wire format; add
-- new mechanisms at the end only.
DigestTypes ::= BIT STRING {
    ntlm-v1(0),
    ntlm-v1-session(1),
    ntlm-v2(2),
    digest-md5(3),
    chap-md5(4),
    ms-chap-v2(5)
}

-- First client message: selects the mechanism family and optionally
-- binds the exchange to a channel.
DigestInit ::= SEQUENCE {
    type         UTF8String,                -- http, sasl, chap, cram-md5 --
    channel  [0] SEQUENCE {
        cb-type     UTF8String,
        cb-binding  UTF8String
    } OPTIONAL,
    hostname [1] UTF8String OPTIONAL        -- for chap/cram-md5
}

-- Server's answer to DigestInit.  Both nonce and opaque are echoed back
-- verbatim in DigestRequest (see the formulas after that type).
DigestInitReply ::= SEQUENCE {
    nonce          UTF8String,              -- service nonce/challenge
    opaque         UTF8String,              -- server state
    identifier [0] UTF8String OPTIONAL
}

-- Second client message: the client's response to the challenge plus
-- the inputs the server needs to recompute it.
DigestRequest ::= SEQUENCE {
    type                    UTF8String,     -- http, sasl-md5, chap, cram-md5 --
    digest                  UTF8String,     -- http:md5/md5-sess sasl:clear/int/conf --
    username                UTF8String,     -- username user used
    responseData            UTF8String,     -- client response
    authid              [0] UTF8String OPTIONAL,
    authentication-user [1] Principal  OPTIONAL, -- principal to get key from
    realm               [2] UTF8String OPTIONAL,
    method              [3] UTF8String OPTIONAL,
    uri                 [4] UTF8String OPTIONAL,
    serverNonce             UTF8String,     -- same as "DigestInitReply.nonce"
    clientNonce         [5] UTF8String OPTIONAL,
    nonceCount          [6] UTF8String OPTIONAL,
    qop                 [7] UTF8String OPTIONAL,
    identifier          [8] UTF8String OPTIONAL,
    hostname            [9] UTF8String OPTIONAL,
    opaque                  UTF8String      -- same as "DigestInitReply.opaque"
}
-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
--
-- opaque is a keyed checksum over the init-time parameters, so the
-- server can detect a request whose type/nonce/identifier/hostname no
-- longer match what it handed out.  serverNonce carries a 4-byte time
-- prefix followed by 12 random bytes; the time prefix is what allows a
-- stale nonce to be recognised (TODO confirm the server enforces an
-- expiry on it).  Both values are opaque to the client.

-- Failure reply.  code is constrained to a signed 32-bit range.
DigestError ::= SEQUENCE {
    reason UTF8String,
    code   INTEGER (-2147483648..2147483647)
}

-- Success/failure reply to DigestRequest.  session-key is raw key
-- material and relies on the enclosing EncryptedData for protection.
DigestResponse ::= SEQUENCE {
    success         BOOLEAN,
    rsp         [0] UTF8String OPTIONAL,
    tickets     [1] SEQUENCE OF OCTET STRING OPTIONAL,
    channel     [2] SEQUENCE {
        cb-type     UTF8String,
        cb-binding  UTF8String
    } OPTIONAL,
    session-key [3] OCTET STRING OPTIONAL
}

-- NTLM negotiate step.  flags is the 32-bit NTLM negotiate flag word.
NTLMInit ::= [APPLICATION 1] SEQUENCE {
    flags    [0] INTEGER (0..4294967295),
    hostname [1] UTF8String OPTIONAL,
    domain   [2] UTF8String OPTIONAL
}

-- NTLM challenge step; opaque is server state echoed in NTLMRequest.
NTLMInitReply ::= SEQUENCE {
    ntlmNegFlags [0] INTEGER (0..4294967295),
    opaque       [1] OCTET STRING,
    challenge    [2] OCTET STRING,
    targetinfo   [3] OCTET STRING
}

-- NTLM authenticate step: the LM and NT challenge responses.
NTLMRequest ::= SEQUENCE {
    flags      [0] INTEGER (0..4294967295),
    opaque     [1] OCTET STRING,
    username   [2] UTF8String,
    targetname [3] UTF8String,
    targetinfo [4] OCTET STRING OPTIONAL,
    lm         [5] OCTET STRING,
    ntlm       [6] OCTET STRING,
    sessionkey [7] OCTET STRING OPTIONAL
}

-- Reply to NTLMRequest.
NTLMResponse ::= SEQUENCE {
    success    [0] BOOLEAN,
    flags      [1] INTEGER (0..4294967295),
    sessionkey [2] OCTET STRING OPTIONAL,
    tickets    [3] SEQUENCE OF OCTET STRING OPTIONAL
}

-- Single-round NTLM verification request.  lmchallenge is fixed at
-- 8 octets by the SIZE constraint; decoders should reject other lengths.
NTLMRequest2 ::= [APPLICATION 2] SEQUENCE {
    loginUserName       [0]  UTF8String,
    loginDomainName     [1]  UTF8String,
    workstation         [2]  UTF8String,
    ntlmFlags           [3]  INTEGER (0..4294967295),
    lmchallenge         [4]  OCTET STRING SIZE (8),
    ntChallengeResponse [5]  OCTET STRING,
    lmChallengeResponse [6]  OCTET STRING,
    encryptedSessionKey [7]  OCTET STRING,
    t2targetname        [8]  UTF8String,
    acceptorUser        [9]  UTF8String,
    acceptorDomain      [10] UTF8String
}

-- Reply to NTLMRequest2.  uuid, when present, is exactly 16 octets.
NTLMReply ::= SEQUENCE {
    success    [0] BOOLEAN,
    avflags    [1] INTEGER (0..4294967295),
    sessionkey [2] OCTET STRING OPTIONAL,
    user       [3] UTF8String,
    domain     [4] UTF8String,
    uuid       [5] OCTET STRING SIZE (16) OPTIONAL,
    targetinfo [6] OCTET STRING,
    pac        [7] OCTET STRING OPTIONAL,
    ntlmFlags  [8] INTEGER (0..4294967295)
}

-- Request payload.  Note this CHOICE has no extension marker, unlike
-- DigestRepInner below.
DigestReqInner ::= CHOICE {
    init           [0] DigestInit,
    digestRequest  [1] DigestRequest,
    ntlmInit       [2] NTLMInit,
    ntlmRequest    [3] NTLMRequest,
    supportedMechs [4] NULL
}

-- Outer request envelope: a Kerberos AP-REQ plus the encrypted inner
-- request.
DigestREQ ::= [APPLICATION 128] SEQUENCE {
    apReq    [0] OCTET STRING,
    innerReq [1] EncryptedData
}

-- Reply payload.  The trailing "..." permits future alternatives.
DigestRepInner ::= CHOICE {
    error          [0] DigestError,
    initReply      [1] DigestInitReply,
    response       [2] DigestResponse,
    ntlmInitReply  [3] NTLMInitReply,
    ntlmResponse   [4] NTLMResponse,
    supportedMechs [5] DigestTypes,
    ...
}

-- Outer reply envelope: a Kerberos AP-REP plus the encrypted inner
-- reply.
DigestREP ::= [APPLICATION 129] SEQUENCE {
    apRep    [0] OCTET STRING,
    innerRep [1] EncryptedData
}


-- Reference formulas for the values carried in DigestRequest.

-- HTTP

-- md5
-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
-- md5-sess
-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))

-- qop == auth
-- A2 = Method ":" digest-uri-value
-- qop == auth-int
-- A2 = Method ":" digest-uri-value ":" H(entity-body)

-- request-digest = HEX(KD(HEX(H(A1)),
--     unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
-- no "qop"
-- request-digest = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))


-- SASL:
-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }

-- A2 = "AUTHENTICATE:", ":", digest-uri-value
-- qop == auth-int,auth-conf
-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"

-- response-value = HEX( KD ( HEX(H(A1)),
--     { unq(nonce-value), ":" nc-value, ":",
--       unq(cnonce-value), ":", qop-value, ":",
--       HEX(H(A2)) }))

END