-- $Id$ DIGEST DEFINITIONS ::= BEGIN IMPORTS EncryptedData, Principal FROM krb5; DigestTypes ::= BIT STRING { ntlm-v1(0), ntlm-v1-session(1), ntlm-v2(2), digest-md5(3), chap-md5(4), ms-chap-v2(5) } DigestInit ::= SEQUENCE { type UTF8String, -- http, sasl, chap, cram-md5 -- channel [0] SEQUENCE { cb-type UTF8String, cb-binding UTF8String } OPTIONAL, hostname [1] UTF8String OPTIONAL -- for chap/cram-md5 } DigestInitReply ::= SEQUENCE { nonce UTF8String, -- service nonce/challenge opaque UTF8String, -- server state identifier [0] UTF8String OPTIONAL } DigestRequest ::= SEQUENCE { type UTF8String, -- http, sasl-md5, chap, cram-md5 -- digest UTF8String, -- http:md5/md5-sess sasl:clear/int/conf -- username UTF8String, -- username user used responseData UTF8String, -- client response authid [0] UTF8String OPTIONAL, authentication-user [1] Principal OPTIONAL, -- principal to get key from realm [2] UTF8String OPTIONAL, method [3] UTF8String OPTIONAL, uri [4] UTF8String OPTIONAL, serverNonce UTF8String, -- same as "DigestInitReply.nonce" clientNonce [5] UTF8String OPTIONAL, nonceCount [6] UTF8String OPTIONAL, qop [7] UTF8String OPTIONAL, identifier [8] UTF8String OPTIONAL, hostname [9] UTF8String OPTIONAL, opaque UTF8String -- same as "DigestInitReply.opaque" } -- opaque = hex(cksum(type|serverNonce|identifier|hostname,digest-key)) -- serverNonce = hex(time[4bytes]random[12bytes])(-cbType:cbBinding) DigestError ::= SEQUENCE { reason UTF8String, code INTEGER (-2147483648..2147483647) } DigestResponse ::= SEQUENCE { success BOOLEAN, rsp [0] UTF8String OPTIONAL, tickets [1] SEQUENCE OF OCTET STRING OPTIONAL, channel [2] SEQUENCE { cb-type UTF8String, cb-binding UTF8String } OPTIONAL, session-key [3] OCTET STRING OPTIONAL } NTLMInit ::= [APPLICATION 1] SEQUENCE { flags [0] INTEGER (0..4294967295), hostname [1] UTF8String OPTIONAL, domain [2] UTF8String OPTIONAL } NTLMInitReply ::= SEQUENCE { ntlmNegFlags [0] INTEGER (0..4294967295), opaque [1] OCTET STRING, challenge [2] OCTET STRING, targetinfo [3] OCTET STRING } NTLMRequest ::= SEQUENCE { flags [0] INTEGER (0..4294967295), opaque [1] OCTET STRING, username [2] UTF8String, targetname [3] UTF8String, targetinfo [4] OCTET STRING OPTIONAL, lm [5] OCTET STRING, ntlm [6] OCTET STRING, sessionkey [7] OCTET STRING OPTIONAL } NTLMResponse ::= SEQUENCE { success [0] BOOLEAN, flags [1] INTEGER (0..4294967295), sessionkey [2] OCTET STRING OPTIONAL, tickets [3] SEQUENCE OF OCTET STRING OPTIONAL } NTLMRequest2 ::= [APPLICATION 2] SEQUENCE { loginUserName [0] UTF8String, loginDomainName [1] UTF8String, workstation [2] UTF8String, ntlmFlags [3] INTEGER (0..4294967295), lmchallenge [4] OCTET STRING SIZE (8), ntChallengeResponse [5] OCTET STRING, lmChallengeResponse [6] OCTET STRING, encryptedSessionKey [7] OCTET STRING, t2targetname [8] UTF8String, acceptorUser [9] UTF8String, acceptorDomain [10] UTF8String } NTLMReply ::= SEQUENCE { success [0] BOOLEAN, avflags [1] INTEGER (0..4294967295), sessionkey [2] OCTET STRING OPTIONAL, user [3] UTF8String, domain [4] UTF8String, uuid [5] OCTET STRING SIZE (16) OPTIONAL, targetinfo [6] OCTET STRING, pac [7] OCTET STRING OPTIONAL, ntlmFlags [8] INTEGER (0..4294967295) } DigestReqInner ::= CHOICE { init [0] DigestInit, digestRequest [1] DigestRequest, ntlmInit [2] NTLMInit, ntlmRequest [3] NTLMRequest, supportedMechs [4] NULL } DigestREQ ::= [APPLICATION 128] SEQUENCE { apReq [0] OCTET STRING, innerReq [1] EncryptedData } DigestRepInner ::= CHOICE { error [0] DigestError, initReply [1] DigestInitReply, response [2] DigestResponse, ntlmInitReply [3] NTLMInitReply, ntlmResponse [4] NTLMResponse, supportedMechs [5] DigestTypes, ... } DigestREP ::= [APPLICATION 129] SEQUENCE { apRep [0] OCTET STRING, innerRep [1] EncryptedData } -- HTTP -- md5 -- A1 = unq(username-value) ":" unq(realm-value) ":" passwd -- md5-sess -- A1 = HEX(H(unq(username-value) ":" unq(realm-value) ":" passwd ) ":" unq(nonce-value) ":" unq(cnonce-value)) -- qop == auth -- A2 = Method ":" digest-uri-value -- qop == auth-int -- A2 = Method ":" digest-uri-value ":" H(entity-body) -- request-digest = HEX(KD(HEX(H(A1)), -- unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":" unq(qop-value) ":" HEX(H(A2)))) -- no "qop" -- request-digest = HEX(KD(HEX(H(A1)), unq(nonce-value) ":" HEX(H(A2)))) -- SASL: -- SS = H( { unq(username-value), ":", unq(realm-value), ":", password } ) -- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) } -- A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value), ":", unq(authzid-value) } -- A2 = "AUTHENTICATE:", ":", digest-uri-value -- qop == auth-int,auth-conf -- A2 = "AUTHENTICATE:", ":", digest-uri-value, ":00000000000000000000000000000000" -- response-value = HEX( KD ( HEX(H(A1)), -- { unq(nonce-value), ":" nc-value, ":", -- unq(cnonce-value), ":", qop-value, ":", -- HEX(H(A2)) })) END