1-- $Id$
2
3DIGEST DEFINITIONS ::=
4BEGIN
5
6IMPORTS EncryptedData, Principal FROM krb5;
7
8DigestTypes ::= BIT STRING {
9	ntlm-v1(0),
10	ntlm-v1-session(1),
11	ntlm-v2(2),
12	digest-md5(3),
13	chap-md5(4),
14	ms-chap-v2(5)
15}
16
17DigestInit ::= SEQUENCE {
18    type		UTF8String, -- http, sasl, chap, cram-md5 --
19    channel		[0] SEQUENCE {
20    	cb-type		UTF8String,
21    	cb-binding	UTF8String
22    } OPTIONAL,
23    hostname		[1] UTF8String OPTIONAL -- for chap/cram-md5
24}
25
26DigestInitReply ::= SEQUENCE {
27    nonce		UTF8String,	-- service nonce/challenge
28    opaque		UTF8String,	-- server state
29    identifier		[0] UTF8String OPTIONAL
30}
31
32
33DigestRequest ::= SEQUENCE  {
34    type		UTF8String, -- http, sasl-md5, chap, cram-md5 --
35    digest		UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
36    username		UTF8String, -- username user used
37    responseData	UTF8String, -- client response
38    authid		[0] UTF8String OPTIONAL,
39    authentication-user	[1] Principal OPTIONAL, -- principal to get key from
40    realm		[2] UTF8String OPTIONAL,
41    method		[3] UTF8String OPTIONAL,
42    uri			[4] UTF8String OPTIONAL,
43    serverNonce		UTF8String, -- same as "DigestInitReply.nonce"
44    clientNonce		[5] UTF8String OPTIONAL,
45    nonceCount		[6] UTF8String OPTIONAL,
46    qop			[7] UTF8String OPTIONAL,
47    identifier		[8] UTF8String OPTIONAL,
48    hostname		[9] UTF8String OPTIONAL,
49    opaque		UTF8String -- same as "DigestInitReply.opaque"
50}
51-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
52-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
53
54
55DigestError ::= SEQUENCE {
56    reason		UTF8String,
57    code		INTEGER (-2147483648..2147483647)
58}
59
60DigestResponse ::= SEQUENCE  {
61    success		BOOLEAN,
62    rsp			[0] UTF8String OPTIONAL,
63    tickets		[1] SEQUENCE OF OCTET STRING OPTIONAL,
64    channel		[2] SEQUENCE {
65    	cb-type		UTF8String,
66    	cb-binding	UTF8String
67    } OPTIONAL,
68    session-key		[3] OCTET STRING OPTIONAL
69}
70
71NTLMInit ::= [APPLICATION 1] SEQUENCE {
72    flags		[0] INTEGER (0..4294967295),
73    hostname		[1] UTF8String OPTIONAL,
74    domain		[2] UTF8String OPTIONAL
75}
76
77NTLMInitReply ::= SEQUENCE {
78    ntlmNegFlags	[0] INTEGER (0..4294967295),
79    opaque		[1] OCTET STRING,
80    challenge		[2] OCTET STRING,
81    targetinfo		[3] OCTET STRING
82}
83
84NTLMRequest ::= SEQUENCE {
85    flags		[0] INTEGER (0..4294967295),
86    opaque		[1] OCTET STRING,
87    username		[2] UTF8String,
88    targetname		[3] UTF8String,
89    targetinfo		[4] OCTET STRING OPTIONAL,
90    lm			[5] OCTET STRING,
91    ntlm		[6] OCTET STRING,
92    sessionkey		[7] OCTET STRING OPTIONAL
93}
94
95NTLMResponse ::= SEQUENCE {
96    success		[0] BOOLEAN,
97    flags		[1] INTEGER (0..4294967295),
98    sessionkey		[2] OCTET STRING OPTIONAL,
99    tickets		[3] SEQUENCE OF OCTET STRING OPTIONAL
100}
101
102NTLMRequest2 ::= [APPLICATION 2] SEQUENCE {
103    loginUserName	[0] UTF8String,
104    loginDomainName	[1] UTF8String,
105    workstation		[2] UTF8String,
106    ntlmFlags		[3] INTEGER (0..4294967295),
107    lmchallenge		[4] OCTET STRING SIZE (8),
108    ntChallengeResponse [5] OCTET STRING,
109    lmChallengeResponse [6] OCTET STRING,
110    encryptedSessionKey [7] OCTET STRING,
111    t2targetname	[8] UTF8String,
112    acceptorUser	[9] UTF8String,
113    acceptorDomain	[10] UTF8String
114}
115
116NTLMReply ::= SEQUENCE {
117    success		[0] BOOLEAN,
118    avflags		[1] INTEGER (0..4294967295),
119    sessionkey		[2] OCTET STRING OPTIONAL,
120    user		[3] UTF8String,
121    domain		[4] UTF8String,
122    uuid		[5] OCTET STRING SIZE (16) OPTIONAL,
123    targetinfo		[6] OCTET STRING,
124    pac			[7] OCTET STRING OPTIONAL,
125    ntlmFlags		[8] INTEGER (0..4294967295)
126}
127
128DigestReqInner ::= CHOICE {
129    init		[0] DigestInit,
130    digestRequest	[1] DigestRequest,
131    ntlmInit		[2] NTLMInit,
132    ntlmRequest		[3] NTLMRequest,
133    supportedMechs	[4] NULL
134}
135
136DigestREQ ::= [APPLICATION 128] SEQUENCE {
137    apReq		[0] OCTET STRING,
138    innerReq		[1] EncryptedData
139}
140
141DigestRepInner ::= CHOICE {
142    error		[0] DigestError,
143    initReply		[1] DigestInitReply,
144    response		[2] DigestResponse,
145    ntlmInitReply	[3] NTLMInitReply,
146    ntlmResponse	[4] NTLMResponse,
147    supportedMechs	[5] DigestTypes,
148    ...
149}
150
151DigestREP ::= [APPLICATION 129] SEQUENCE {
152    apRep		[0] OCTET STRING,
153    innerRep		[1] EncryptedData
154}
155
156
157-- HTTP
158
159-- md5
160-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
161-- md5-sess
162-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))
163
164-- qop == auth
165-- A2 = Method ":" digest-uri-value
166-- qop == auth-int
167-- A2 = Method ":" digest-uri-value ":" H(entity-body)
168
169-- request-digest  = HEX(KD(HEX(H(A1)),
170--    unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
171-- no "qop"
172-- request-digest  = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))
173
174
175-- SASL:
176-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
177-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
178-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }
179
180-- A2 = "AUTHENTICATE:", ":", digest-uri-value
181-- qop == auth-int,auth-conf
182-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"
183
184-- response-value = HEX( KD ( HEX(H(A1)),
185--                 { unq(nonce-value), ":" nc-value, ":",
186--                   unq(cnonce-value), ":", qop-value, ":",
187--                   HEX(H(A2)) }))
188
189END
190