-- $Id$
--
-- DIGEST: message definitions for a Kerberos-protected challenge/response
-- authentication service (HTTP/SASL Digest-MD5, CHAP, CRAM-MD5, MS-CHAPv2
-- and NTLM).
--
-- Transport: a DigestREQ carries a raw Kerberos AP-REQ plus an EncryptedData
-- inner request; a DigestREP mirrors it with an AP-REP and an EncryptedData
-- inner reply. The inner CHOICEs (DigestReqInner / DigestRepInner) are
-- presumably what is encoded inside that EncryptedData; this module does not
-- say which key encrypts it (confirm in the implementation).
--
-- NOTE(review): every mechanism listed in DigestTypes is a legacy MD4/MD5
-- based challenge/response scheme. A captured challenge and response is
-- subject to offline dictionary attack, and the responding server has to
-- hold a password-equivalent key for the user (see "digest-key" and
-- "principal to get key from" below). Enable only the mechanisms a
-- deployment actually needs, and only over the Kerberos-protected transport
-- defined here.

DIGEST DEFINITIONS ::=
BEGIN

IMPORTS EncryptedData, Principal FROM krb5;

-- Bit set of mechanisms the server supports. Returned as
-- DigestRepInner.supportedMechs in answer to DigestReqInner.supportedMechs.
-- NOTE(review): cram-md5 is accepted as a DigestInit/DigestRequest "type"
-- below but has no bit here, so a client cannot discover it through this
-- query.
DigestTypes ::= BIT STRING {
	ntlm-v1(0),		-- NTLMv1
	ntlm-v1-session(1),	-- NTLMv1 with session security
	ntlm-v2(2),		-- NTLMv2
	digest-md5(3),		-- HTTP/SASL Digest-MD5 (RFC 2617 / RFC 2831)
	chap-md5(4),		-- CHAP with MD5 (RFC 1994)
	ms-chap-v2(5)		-- MS-CHAPv2 (RFC 2759)
}

-- First client message for the non-NTLM mechanisms: asks the server for a
-- challenge.
DigestInit ::= SEQUENCE {
	type		UTF8String, -- http, sasl, chap, cram-md5 --
	-- Channel binding the client wants the exchange tied to. Per the
	-- serverNonce formula after DigestRequest it is appended to the nonce
	-- and is therefore also covered by the opaque checksum.
	channel		[0] SEQUENCE {
		cb-type UTF8String,
		cb-binding UTF8String
	} OPTIONAL,
	hostname	[1] UTF8String OPTIONAL -- for chap/cram-md5
}

-- Server's answer to DigestInit.
DigestInitReply ::= SEQUENCE {
	nonce		UTF8String, -- service nonce/challenge, format after DigestRequest
	-- Server state handed to the client and echoed back unchanged in
	-- DigestRequest.opaque. It is a keyed checksum over the exchange
	-- parameters (formula after DigestRequest), which is what lets the
	-- server trust those parameters when the client returns them.
	opaque		UTF8String, -- server state
	identifier	[0] UTF8String OPTIONAL
}


-- Second client message: the client's answer to the challenge, plus the
-- values the server needs to recompute the expected response.
DigestRequest ::= SEQUENCE {
	type		UTF8String, -- http, sasl-md5, chap, cram-md5 --
	digest		UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
	username	UTF8String, -- username user used
	responseData	UTF8String, -- client response
	authid		[0] UTF8String OPTIONAL, -- presumably the SASL authzid-value used in A1 below; confirm
	authentication-user [1] Principal OPTIONAL, -- principal to get key from
	realm		[2] UTF8String OPTIONAL,
	method		[3] UTF8String OPTIONAL, -- HTTP method, part of A2 for type http
	uri		[4] UTF8String OPTIONAL, -- digest-uri-value, part of A2
	serverNonce	UTF8String, -- same as "DigestInitReply.nonce"
	clientNonce	[5] UTF8String OPTIONAL, -- cnonce-value
	nonceCount	[6] UTF8String OPTIONAL, -- nc-value
	qop		[7] UTF8String OPTIONAL, -- qop-value (auth, auth-int, auth-conf)
	identifier	[8] UTF8String OPTIONAL,
	hostname	[9] UTF8String OPTIONAL,
	opaque		UTF8String -- same as "DigestInitReply.opaque"
}
-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
--
-- NOTE(review): type, serverNonce, identifier and hostname all come back
-- from the client, so the server must recompute the checksum above and
-- compare it to opaque before acting on any of them. The nonce carries only
-- a 4-byte time prefix; rejecting stale or replayed nonces presumably relies
-- on that prefix and is not visible in this module (confirm in the server).
-- authentication-user lets the client name the principal whose key is used;
-- check that the server restricts which principals a caller may name.


-- Error reply.
DigestError ::= SEQUENCE {
	reason		UTF8String,
	code		INTEGER (-2147483648..2147483647)
}

-- Server verdict on a DigestRequest.
DigestResponse ::= SEQUENCE {
	success		BOOLEAN,
	rsp		[0] UTF8String OPTIONAL, -- server-side response value for mechanisms that have one (presumably rspauth); confirm
	tickets		[1] SEQUENCE OF OCTET STRING OPTIONAL, -- opaque blobs; format not defined here
	channel		[2] SEQUENCE {
		cb-type UTF8String,
		cb-binding UTF8String
	} OPTIONAL,
	-- Key material handed to the application. It must only ever travel
	-- inside the EncryptedData of DigestREP.innerRep.
	session-key	[3] OCTET STRING OPTIONAL
}

-- First client message for NTLM: requests a challenge.
-- NOTE(review): hostname and domain both carry context tag [1]. Two
-- consecutive OPTIONAL components with the same tag violate ASN.1's
-- distinct-tag rule: a decoder will always assign a [1] element to hostname,
-- so domain can never be decoded. The tag is left as is here because
-- changing it changes the wire encoding; fix it in step with all peers.
NTLMInit ::= SEQUENCE {
	flags		[0] INTEGER (0..4294967295),
	hostname	[1] UTF8String OPTIONAL,
	domain		[1] UTF8String OPTIONAL
}

-- Server's answer to NTLMInit.
NTLMInitReply ::= SEQUENCE {
	flags		[0] INTEGER (0..4294967295),
	opaque		[1] OCTET STRING, -- server state, echoed back in NTLMRequest.opaque
	targetname	[2] UTF8String,
	challange	[3] OCTET STRING, -- server challenge; size is not constrained here (cf. NTLMRequest2.lmchallenge)
	targetinfo	[4] OCTET STRING OPTIONAL
}

-- Second client message for NTLM: the LM and NT responses to the challenge.
NTLMRequest ::= SEQUENCE {
	flags		[0] INTEGER (0..4294967295),
	opaque		[1] OCTET STRING, -- same as "NTLMInitReply.opaque"
	username	[2] UTF8String,
	targetname	[3] UTF8String,
	targetinfo	[4] OCTET STRING OPTIONAL,
	lm		[5] OCTET STRING, -- LM response
	ntlm		[6] OCTET STRING, -- NT response
	sessionkey	[7] OCTET STRING OPTIONAL -- client-supplied; its exact meaning is not defined in this module, confirm
}

-- Server verdict on an NTLMRequest.
NTLMResponse ::= SEQUENCE {
	success		[0] BOOLEAN,
	flags		[1] INTEGER (0..4294967295),
	sessionkey	[2] OCTET STRING OPTIONAL, -- key material; only inside DigestREP.innerRep
	tickets		[3] SEQUENCE OF OCTET STRING OPTIONAL
}

-- Single-shot NTLM verification: challenge and both responses in one
-- message.
-- NOTE(review): NTLMRequest2 and NTLMReply are not alternatives of
-- DigestReqInner / DigestRepInner, so they are not reachable through
-- DigestREQ / DigestREP as defined in this module; whatever path carries
-- them is outside this file.
NTLMRequest2 ::= SEQUENCE {
	loginUserName		[0] UTF8String,
	loginDomainName		[1] UTF8String,
	flags			[2] INTEGER (0..4294967295),
	lmchallenge		[3] OCTET STRING SIZE (8),
	ntChallengeResponce	[4] OCTET STRING,
	lmChallengeResponce	[5] OCTET STRING
}

-- Verdict on an NTLMRequest2.
NTLMReply ::= SEQUENCE {
	success		[0] BOOLEAN,
	flags		[1] INTEGER (0..4294967295),
	sessionkey	[2] OCTET STRING OPTIONAL
}

-- Inner request, presumably the plaintext of DigestREQ.innerReq.
-- NOTE(review): unlike DigestRepInner this CHOICE has no extension marker,
-- so a decoder generated from it rejects any alternative not listed here.
DigestReqInner ::= CHOICE {
	init		[0] DigestInit,
	digestRequest	[1] DigestRequest,
	ntlmInit	[2] NTLMInit,
	ntlmRequest	[3] NTLMRequest,
	supportedMechs	[4] NULL -- ask for DigestTypes
}

-- Outer request: a Kerberos AP-REQ (raw bytes) plus the encrypted inner
-- request. Which key encrypts innerReq is not stated here.
DigestREQ ::= [APPLICATION 128] SEQUENCE {
	apReq		[0] OCTET STRING,
	innerReq	[1] EncryptedData
}

-- Inner reply, presumably the plaintext of DigestREP.innerRep. Extensible.
DigestRepInner ::= CHOICE {
	error		[0] DigestError,
	initReply	[1] DigestInitReply,
	response	[2] DigestResponse,
	ntlmInitReply	[3] NTLMInitReply,
	ntlmResponse	[4] NTLMResponse,
	supportedMechs	[5] DigestTypes,
	...
}

-- Outer reply: a Kerberos AP-REP (raw bytes) plus the encrypted inner reply.
DigestREP ::= [APPLICATION 129] SEQUENCE {
	apRep		[0] OCTET STRING,
	innerRep	[1] EncryptedData
}


-- HTTP (Digest Access Authentication, RFC 2617)

-- md5
-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
-- md5-sess
-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))

-- qop == auth
-- A2 = Method ":" digest-uri-value
-- qop == auth-int
-- A2 = Method ":" digest-uri-value ":" H(entity-body)

-- request-digest = HEX(KD(HEX(H(A1)),
--	unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
-- no "qop" (legacy RFC 2069 form)
-- request-digest = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))


-- SASL (Digest-MD5, RFC 2831):
-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }

-- A2 = "AUTHENTICATE:", ":", digest-uri-value
-- qop == auth-int,auth-conf
-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"
-- NOTE(review): RFC 2831 defines A2 as "AUTHENTICATE:" immediately followed
-- by digest-uri-value; the extra ":" written above would give
-- "AUTHENTICATE::uri". Confirm against the implementation which form it
-- actually hashes, and correct whichever one is wrong.

-- response-value = HEX( KD ( HEX(H(A1)),
--	{ unq(nonce-value), ":" nc-value, ":",
--	unq(cnonce-value), ":", qop-value, ":",
--	HEX(H(A2)) }))

END