1-- Id
2
3DIGEST DEFINITIONS ::=
4BEGIN
5
6IMPORTS EncryptedData, Principal FROM krb5;
7
8DigestTypes ::= BIT STRING {
9	ntlm-v1(0),
10	ntlm-v1-session(1),
11	ntlm-v2(2),
12	digest-md5(3),
13	chap-md5(4),
14	ms-chap-v2(5)
15}
16
17DigestInit ::= SEQUENCE {
18    type		UTF8String, -- http, sasl, chap, cram-md5 --
19    channel		[0] SEQUENCE {
20    	cb-type		UTF8String,
21    	cb-binding	UTF8String
22    } OPTIONAL,
23    hostname		[1] UTF8String OPTIONAL -- for chap/cram-md5
24}
25
26DigestInitReply ::= SEQUENCE {
27    nonce		UTF8String,	-- service nonce/challange
28    opaque		UTF8String,	-- server state
29    identifier		[0] UTF8String OPTIONAL
30}
31
32
33DigestRequest ::= SEQUENCE  {
34    type		UTF8String, -- http, sasl-md5, chap, cram-md5 --
35    digest		UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
36    username		UTF8String, -- username user used
37    responseData	UTF8String, -- client response
38    authid		[0] UTF8String OPTIONAL,
39    authentication-user	[1] Principal OPTIONAL, -- principal to get key from
40    realm		[2] UTF8String OPTIONAL,
41    method		[3] UTF8String OPTIONAL,
42    uri			[4] UTF8String OPTIONAL,
43    serverNonce		UTF8String, -- same as "DigestInitReply.nonce"
44    clientNonce		[5] UTF8String OPTIONAL,
45    nonceCount		[6] UTF8String OPTIONAL,
46    qop			[7] UTF8String OPTIONAL,
47    identifier		[8] UTF8String OPTIONAL,
48    hostname		[9] UTF8String OPTIONAL,
49    opaque		UTF8String -- same as "DigestInitReply.opaque"
50}
51-- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key))
52-- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding)
53
54
55DigestError ::= SEQUENCE {
56    reason		UTF8String,
57    code		INTEGER (-2147483648..2147483647)
58}
59
60DigestResponse ::= SEQUENCE  {
61    success		BOOLEAN,
62    rsp			[0] UTF8String OPTIONAL,
63    tickets		[1] SEQUENCE OF OCTET STRING OPTIONAL,
64    channel		[2] SEQUENCE {
65    	cb-type		UTF8String,
66    	cb-binding	UTF8String
67    } OPTIONAL,
68    session-key		[3] OCTET STRING OPTIONAL
69}
70
71NTLMInit ::= SEQUENCE {
72    flags		[0] INTEGER (0..4294967295),
73    hostname		[1] UTF8String OPTIONAL,
74    domain		[1] UTF8String OPTIONAL
75}
76
77NTLMInitReply ::= SEQUENCE {
78    flags		[0] INTEGER (0..4294967295),
79    opaque		[1] OCTET STRING,
80    targetname		[2] UTF8String,
81    challange		[3] OCTET STRING,
82    targetinfo		[4] OCTET STRING OPTIONAL
83}
84
85NTLMRequest ::= SEQUENCE {
86    flags		[0] INTEGER (0..4294967295),
87    opaque		[1] OCTET STRING,
88    username		[2] UTF8String,
89    targetname		[3] UTF8String,
90    targetinfo		[4] OCTET STRING OPTIONAL,
91    lm			[5] OCTET STRING,
92    ntlm		[6] OCTET STRING,
93    sessionkey		[7] OCTET STRING OPTIONAL
94}
95
96NTLMResponse ::= SEQUENCE {
97    success		[0] BOOLEAN,
98    flags		[1] INTEGER (0..4294967295),
99    sessionkey		[2] OCTET STRING OPTIONAL,
100    tickets		[3] SEQUENCE OF OCTET STRING OPTIONAL
101}
102
103NTLMRequest2 ::= SEQUENCE {
104    loginUserName	[0] UTF8String,
105    loginDomainName	[1] UTF8String,
106    flags		[2] INTEGER (0..4294967295),
107    lmchallenge		[3] OCTET STRING SIZE (8),
108    ntChallengeResponce [4] OCTET STRING,
109    lmChallengeResponce [5] OCTET STRING
110}
111
112NTLMReply ::= SEQUENCE {
113    success		[0] BOOLEAN,
114    flags		[1] INTEGER (0..4294967295),
115    sessionkey		[2] OCTET STRING OPTIONAL
116}
117
118DigestReqInner ::= CHOICE {
119    init		[0] DigestInit,
120    digestRequest	[1] DigestRequest,
121    ntlmInit		[2] NTLMInit,
122    ntlmRequest		[3] NTLMRequest,
123    supportedMechs	[4] NULL
124}
125
126DigestREQ ::= [APPLICATION 128] SEQUENCE {
127    apReq		[0] OCTET STRING,
128    innerReq		[1] EncryptedData
129}
130
131DigestRepInner ::= CHOICE {
132    error		[0] DigestError,
133    initReply		[1] DigestInitReply,
134    response		[2] DigestResponse,
135    ntlmInitReply	[3] NTLMInitReply,
136    ntlmResponse	[4] NTLMResponse,
137    supportedMechs	[5] DigestTypes,
138    ...
139}
140
141DigestREP ::= [APPLICATION 129] SEQUENCE {
142    apRep		[0] OCTET STRING,
143    innerRep		[1] EncryptedData
144}
145
146
147-- HTTP
148
149-- md5
150-- A1 = unq(username-value) ":" unq(realm-value) ":" passwd
151-- md5-sess
152-- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value))
153
154-- qop == auth
155-- A2 = Method ":" digest-uri-value
156-- qop == auth-int
157-- A2 = Method ":" digest-uri-value ":" H(entity-body)
158
159-- request-digest  = HEX(KD(HEX(H(A1)),
160--    unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2))))
161-- no "qop"
162-- request-digest  = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2))))
163
164
165-- SASL:
166-- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } )
167-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
168-- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) }
169
170-- A2 = "AUTHENTICATE:", ":", digest-uri-value
171-- qop == auth-int,auth-conf
172-- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000"
173
174-- response-value = HEX( KD ( HEX(H(A1)),
175--                 { unq(nonce-value), ":" nc-value, ":",
176--                   unq(cnonce-value), ":", qop-value, ":",
177--                   HEX(H(A2)) }))
178
179END
180