public KileTgsResponse CreateTgsResponse(
            KileConnection kileConnection,
            _SeqOfPA_DATA seqOfPaData,
            EncTicketFlags encTicketFlags,
            EncryptionKey ticketEncryptKey,
            AuthorizationData ticketAuthorizationData)
        {
            KileServerContext serverContext = GetServerContextByKileConnection(kileConnection);

            if (ticketEncryptKey == null)
            {
                throw new ArgumentNullException("ticketEncryptKey");
            }
            else
            {
                serverContext.TicketEncryptKey = ticketEncryptKey;
            }
            KileTgsResponse response = new KileTgsResponse(serverContext);

            // Construct a Ticket
            Ticket ticket = new Ticket();
            ticket.tkt_vno = new Asn1Integer(ConstValue.KERBEROSV5);
            ticket.realm = new Realm(domain);
            ticket.sname = serverContext.SName;

            // Set EncTicketPart
            EncTicketPart encTicketPart = new EncTicketPart();
            EncryptionType encryptionType = (EncryptionType)serverContext.EncryptType.elements[0].mValue;
            encTicketPart.key = new EncryptionKey((int)encryptionType, GetEncryptionKeyByType(encryptionType));
            encTicketPart.flags = new TicketFlags(KileUtility.ConvertInt2Flags((int)encTicketFlags));
            encTicketPart.crealm = serverContext.TgsTicket.crealm;
            encTicketPart.cname = serverContext.TgsTicket.cname;
            encTicketPart.transited = serverContext.TgsTicket.transited;
            encTicketPart.authtime = KileUtility.CurrentKerberosTime;
            encTicketPart.starttime = KileUtility.CurrentKerberosTime;
            encTicketPart.endtime = serverContext.TgsTicket.endtime;
            encTicketPart.renew_till = serverContext.TgsTicket.renew_till;
            encTicketPart.caddr = serverContext.Addresses;
            encTicketPart.authorization_data = ticketAuthorizationData;
            response.TicketEncPart = encTicketPart;

            // Set AS_REP
            response.Response.pvno = new Asn1Integer(ConstValue.KERBEROSV5);
            response.Response.msg_type = new Asn1Integer((int)MsgType.KRB_TGS_RESP);
            response.Response.padata = seqOfPaData;
            response.Response.crealm = serverContext.UserRealm;
            response.Response.cname = serverContext.UserName;
            response.Response.ticket = ticket;

            // Set EncASRepPart
            EncTGSRepPart encTGSRepPart = new EncTGSRepPart();
            encTGSRepPart.key = encTicketPart.key;
            LastReq_element element = new LastReq_element(new Int32(0), KileUtility.CurrentKerberosTime);
            encTGSRepPart.last_req = new LastReq(new LastReq_element[] { element });
            encTGSRepPart.nonce = serverContext.Nonce;
            encTGSRepPart.flags = encTicketPart.flags;
            encTGSRepPart.authtime = encTicketPart.authtime;
            encTGSRepPart.starttime = encTicketPart.starttime;
            encTGSRepPart.endtime = encTicketPart.endtime;
            encTGSRepPart.renew_till = encTicketPart.renew_till;
            encTGSRepPart.srealm = ticket.realm;
            encTGSRepPart.sname = ticket.sname;
            encTGSRepPart.caddr = encTicketPart.caddr;
            response.EncPart = encTGSRepPart;

            return response;
        }
        public KileAsResponse CreateAsResponse(
            KileConnection kileConnection,
            KerberosAccountType accountType,
            string password,
            _SeqOfPA_DATA SeqofPaData,
            EncTicketFlags encTicketFlags,
            AuthorizationData ticketAuthorizationData)
        {
            KileServerContext serverContext = GetServerContextByKileConnection(kileConnection);
            string cName = serverContext.UserName.name_string.elements[0].mValue;
            string cRealm = serverContext.UserRealm.mValue;
            serverContext.Salt = GenerateSalt(cRealm, cName, accountType);
            serverContext.TicketEncryptKey = new EncryptionKey((int)EncryptionType.RC4_HMAC,
                GetEncryptionKeyByType(EncryptionType.RC4_HMAC));

            if (password == null)
            {
                throw new ArgumentNullException("password");
            }
            else
            {
                serverContext.Password = password;
            }
            KileAsResponse response = new KileAsResponse(serverContext);

            // Construct a Ticket
            Ticket ticket = new Ticket();
            ticket.tkt_vno = new Asn1Integer(ConstValue.KERBEROSV5);
            ticket.realm = new Realm(domain);
            ticket.sname = serverContext.SName;

            // Set EncTicketPart
            EncTicketPart encTicketPart = new EncTicketPart();
            EncryptionType encryptionType = (EncryptionType)serverContext.EncryptType.elements[0].mValue;

            encTicketPart.key = new EncryptionKey((int)encryptionType, GetEncryptionKeyByType(encryptionType));
            encTicketPart.flags = new TicketFlags(KileUtility.ConvertInt2Flags((int)encTicketFlags));
            encTicketPart.crealm = serverContext.UserRealm;
            encTicketPart.cname = serverContext.UserName;
            encTicketPart.transited = new TransitedEncoding(4, null);
            encTicketPart.authtime = KileUtility.CurrentKerberosTime;
            encTicketPart.starttime = KileUtility.CurrentKerberosTime;
            encTicketPart.endtime = serverContext.endTime;
            encTicketPart.renew_till = serverContext.rtime ?? encTicketPart.endtime;
            encTicketPart.caddr = serverContext.Addresses;
            encTicketPart.authorization_data = ticketAuthorizationData;
            response.TicketEncPart = encTicketPart;

            // Set AS_REP
            response.Response.pvno = new Asn1Integer(ConstValue.KERBEROSV5);
            response.Response.msg_type = new Asn1Integer((int)MsgType.KRB_AS_RESP);
            response.Response.padata = SeqofPaData;
            response.Response.crealm = serverContext.UserRealm;
            response.Response.cname = serverContext.UserName;
            response.Response.ticket = ticket;

            // Set EncASRepPart
            EncASRepPart encASRepPart = new EncASRepPart();
            encASRepPart.key = encTicketPart.key;
            LastReq_element element = new LastReq_element(new Int32(0), KileUtility.CurrentKerberosTime);
            encASRepPart.last_req = new LastReq(new LastReq_element[] { element });
            encASRepPart.nonce = serverContext.Nonce;
            encASRepPart.flags = encTicketPart.flags;
            encASRepPart.authtime = encTicketPart.authtime;
            encASRepPart.starttime = encTicketPart.starttime;
            encASRepPart.endtime = encTicketPart.endtime;
            encASRepPart.renew_till = encTicketPart.renew_till;
            encASRepPart.srealm = ticket.realm;
            encASRepPart.sname = ticket.sname;
            encASRepPart.caddr = encTicketPart.caddr;
            response.EncPart = encASRepPart;

            return response;
        }
Beispiel #3
0
        /// <summary>
        /// Update the context.
        /// </summary>
        /// <param name="pdu">The Pdu to update the context.</param>
        internal override void UpdateContext(KilePdu pdu)
        {
            if (pdu != null)
            {
                Type pduType = pdu.GetType();

                if (pduType == typeof(KileAsRequest))
                {
                    KileAsRequest request = (KileAsRequest)pdu;

                    if (request.Request != null && request.Request.req_body != null)
                    {
                        cName       = request.Request.req_body.cname;
                        cRealm      = request.Request.req_body.realm;
                        sName       = request.Request.req_body.sname;
                        encryptType = request.Request.req_body.etype;
                        addresses   = request.Request.req_body.addresses;
                        nonce       = request.Request.req_body.nonce;
                        endTime     = request.Request.req_body.till;
                        rtime       = request.Request.req_body.rtime;
                    }
                }
                else if (pduType == typeof(KileAsResponse))
                {
                    KileAsResponse response = (KileAsResponse)pdu;
                    tgsSessionKey = response.EncPart.key;
                }
                else if (pduType == typeof(KileTgsRequest))
                {
                    KileTgsRequest request = (KileTgsRequest)pdu;
                    encryptType = request.Request.req_body.etype;
                    nonce       = request.Request.req_body.nonce;
                    tgsTicket   = request.tgtTicket;
                    sName       = request.Request.req_body.sname;

                    if (request.authenticator != null)
                    {
                        tgsSubSessionKey = request.authenticator.subkey;
                    }
                }
                else if (pduType == typeof(KileTgsResponse))
                {
                    KileTgsResponse response = (KileTgsResponse)pdu;
                    apSessionKey = response.EncPart.key;
                }
                else if (pduType == typeof(KileApRequest))
                {
                    KileApRequest request = (KileApRequest)pdu;
                    apRequestCtime = request.Authenticator.ctime;
                    apRequestCusec = request.Authenticator.cusec;

                    if (request.Authenticator.cksum != null)
                    {
                        int flag = BitConverter.ToInt32(request.Authenticator.cksum.checksum.ByteArrayValue,
                                                        ConstValue.AUTHENTICATOR_CHECKSUM_LENGTH + sizeof(ChecksumFlags));
                        checksumFlag = (ChecksumFlags)flag;
                    }
                    apSubKey = request.Authenticator.subkey;

                    if (request.Authenticator.seq_number != null)
                    {
                        currentRemoteSequenceNumber = (ulong)request.Authenticator.seq_number.Value;
                        currentLocalSequenceNumber  = currentRemoteSequenceNumber;
                    }
                }
                else if (pduType == typeof(KileApResponse))
                {
                    KileApResponse response = (KileApResponse)pdu;

                    if (response.ApEncPart.subkey != null)
                    {
                        acceptorSubKey = response.ApEncPart.subkey;
                    }
                }
                else
                {
                    // Do nothing.
                }
            }
        }
Beispiel #4
0
        private void Smb2KerberosAuthentication(CaseVariant variant)
        {
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Initialize Kerberos Functional Client");
            KerberosFunctionalClient kerberosClient = new KerberosFunctionalClient(
                TestConfig.DomainName,
                TestConfig.UserName,
                TestConfig.UserPassword,
                KerberosAccountType.User,
                KDCIP,
                KDCPort,
                TransportType.TCP,
                OidPkt,
                BaseTestSite);

            #region Service Ticket
            EncryptionKey serviceKey;
            EncTicketPart encTicketPart = RetrieveAndDecryptServiceTicket(kerberosClient, out serviceKey);

            Ticket serviceTicket = kerberosClient.Context.Ticket.Ticket;

            Realm crealm = serviceTicket.realm;
            BaseTestSite.Assert.AreEqual(TestConfig.DomainName.ToLower(),
                                         encTicketPart.crealm.Value.ToLower(),
                                         "Realm name in service ticket encrypted part should match as expected, case insensitive");
            BaseTestSite.Assert.AreEqual(TestConfig.UserName.ToLower(),
                                         KerberosUtility.PrincipalName2String(encTicketPart.cname).ToLower(),
                                         "User name in service ticket encrypted part should match as expected, case insensitive.");

            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData to the ticket");
                AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
                AppendNewAuthDataElement(encTicketPart.authorization_data, unknownElement);
            }

            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT_OPTIONAL))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData which is inside AD_IF_RELEVANT to the ticket");
                AuthorizationDataElement unknownElement    = GenerateUnKnownAuthorizationDataElement();
                AD_IF_RELEVANT           ifRelavantElement =
                    new AD_IF_RELEVANT(new[] { unknownElement });
                var dataBuffer = new Asn1BerEncodingBuffer();
                ifRelavantElement.BerEncode(dataBuffer);
                AuthorizationDataElement unknownElementOptional =
                    new AuthorizationDataElement(new KerbInt32((long)AuthorizationData_elementType.AD_IF_RELEVANT), new Asn1OctetString(dataBuffer.Data));
                AppendNewAuthDataElement(encTicketPart.authorization_data, unknownElementOptional);
            }

            if (variant.HasFlag(CaseVariant.TICKET_NOT_VALID))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Ticket start time to tomorrow");
                DateTime tomorrow       = DateTime.Now.AddDays(1);
                string   kerbTimeString = tomorrow.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
                encTicketPart.starttime = new KerberosTime(kerbTimeString, true);
            }
            if (variant.HasFlag(CaseVariant.TICKET_EXPIRED))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Ticket end time to yesterday");
                DateTime yesterday      = DateTime.Now.AddDays(-1);
                string   kerbTimeString = yesterday.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
                encTicketPart.endtime = new KerberosTime(kerbTimeString, true);
            }

            if (variant.HasFlag(CaseVariant.TICKET_WRONG_ENC_KEY))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Modify the Ticket, making it encrypted with wrong key");
                serviceKey = KerberosUtility.GenerateKey(serviceKey);
            }

            EncryptedData data = EncryptTicket(encTicketPart, serviceKey);
            serviceTicket.enc_part = data;

            if (variant.HasFlag(CaseVariant.TICKET_WRONG_REALM))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Realm in the Ticket to an unknown realm");
                serviceTicket.realm = new Realm("kerb.com");
            }
            if (variant.HasFlag(CaseVariant.TICKET_WRONG_SNAME))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the SNAME in the Ticket to an unknown service name");
                serviceTicket.sname = new PrincipalName(new KerbInt32((long)PrincipalType.NT_SRV_INST),
                                                        KerberosUtility.String2SeqKerbString("UnknownService", TestConfig.DomainName));
            }
            if (variant.HasFlag(CaseVariant.TICKET_WRONG_KVNO))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep,
                                     "Change the KVNO in the Ticket to an invalid Key Version Number (Int32.MaxValue)");
                const int invalidKvno = System.Int32.MaxValue;
                serviceTicket.enc_part.kvno = new KerbInt32(invalidKvno);
            }
            #endregion

            #region Authenticator
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create Authenticator");
            EncryptionKey subkey = KerberosUtility.GenerateKey(kerberosClient.Context.SessionKey);
            PrincipalName cname;
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CNAME_NOT_MATCH))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong cname in the Authenticator");
                cname = new PrincipalName(new KerbInt32((long)PrincipalType.NT_PRINCIPAL),
                                          KerberosUtility.String2SeqKerbString(TestConfig.NonAdminUserName, TestConfig.DomainName));
            }
            else
            {
                cname = kerberosClient.Context.CName.Name;
            }

            Authenticator authenticator = CreateAuthenticator(cname, crealm, subkey);
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CREALM_NOT_MATCH))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong crealm in the Authenticator");
                authenticator.crealm = new Realm("kerb.com");
            }

            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_EXCEED_TIME_SKEW))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the ctime in the Authenticator to one hour later");
                DateTime oneHourLater   = DateTime.Now.AddHours(1);
                string   kerbTimeString = oneHourLater.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
                authenticator.ctime = new KerberosTime(kerbTimeString, true);
            }

            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData to the Authenticator");
                AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
                authenticator.authorization_data = new AuthorizationData(new[] { unknownElement });
            }

            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR_OPTIONAL))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep,
                                     "Add a type-unknown AuthorizationData which is inside AD_IF_RELEVANT to the Authenticator");
                AuthorizationDataElement unknownElement    = GenerateUnKnownAuthorizationDataElement();
                AD_IF_RELEVANT           ifRelavantElement =
                    new AD_IF_RELEVANT(new[] { unknownElement });
                var dataBuffer = new Asn1BerEncodingBuffer();
                ifRelavantElement.BerEncode(dataBuffer);
                AuthorizationDataElement unknownElementOptional =
                    new AuthorizationDataElement(new KerbInt32((long)AuthorizationData_elementType.AD_IF_RELEVANT), new Asn1OctetString(dataBuffer.Data));
                authenticator.authorization_data = new AuthorizationData(new[] { unknownElementOptional });
            }

            #endregion

            #region AP Request
            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create AP Request");
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_WRONG_ENC_KEY))
            {
                BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong key to encrypt the Authenticator");
                kerberosClient.Context.Ticket.SessionKey = KerberosUtility.GenerateKey(kerberosClient.Context.Ticket.SessionKey);
            }
            KerberosApRequest request = new KerberosApRequest(
                kerberosClient.Context.Pvno,
                new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.MutualRequired)),
                kerberosClient.Context.Ticket,
                authenticator,
                KeyUsageNumber.AP_REQ_Authenticator
                );
            #endregion

            BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create GSS Token");
            byte[] token = KerberosUtility.AddGssApiTokenHeader(request, OidPkt, GssToken);

            Smb2FunctionalClientForKerbAuth smb2Client = new Smb2FunctionalClientForKerbAuth(TestConfig.Timeout, TestConfig, BaseTestSite);
            smb2Client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);

            #region Check the result

            byte[] repToken;
            uint   status = DoSessionSetupWithGssToken(smb2Client, token, out repToken);

            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CNAME_NOT_MATCH) || variant.HasFlag(CaseVariant.AUTHENTICATOR_CREALM_NOT_MATCH))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                                                "Session Setup should fail because the cname or crealm in the authenticator does not match the same field in the Ticket");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH, krbError.ErrorCode,
                                                 "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_WRONG_ENC_KEY) || variant.HasFlag(CaseVariant.TICKET_WRONG_ENC_KEY))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                                                "Session Setup should fail because Ticket or Authenticator cannot be correctly decrypted");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED, krbError.ErrorCode,
                                                 "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.AUTHENTICATOR_EXCEED_TIME_SKEW))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                                                "Session Setup should fail because the server time and the client time " +
                                                "in the Authenticator differ by (1 hour) more than the allowable clock skew");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_SKEW, krbError.ErrorCode,
                                                 "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_SKEW);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.TICKET_WRONG_KVNO) ||
                variant.HasFlag(CaseVariant.TICKET_WRONG_REALM) ||
                variant.HasFlag(CaseVariant.TICKET_WRONG_SNAME))
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment, "If decryption fails, server would try other keys");
            }
            if (variant.HasFlag(CaseVariant.TICKET_NOT_VALID))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                                                "Session Setup should fail because the starttime (tomorrow) in the Ticket " +
                                                "is later than the current time by more than the allowable clock skew");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV, krbError.ErrorCode,
                                                 "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.TICKET_EXPIRED))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                                                "Session Setup should fail because the current time is later than the endtime (yesterday)" +
                                                " in the Ticket by more than the allowable clock skew");
                if (TestConfig.IsWindowsPlatform)
                {
                    KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
                    BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_EXPIRED, krbError.ErrorCode,
                                                 "SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_TKT_EXPIRED);
                }
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT))
            {
                BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
                                                "Session Setup should fail because of the unknown AutherizationData in the ticket");
                smb2Client.Disconnect();
                return;
            }
            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR))
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment,
                                     "Unknown AuthorizationData in the Authenticator should not fail the request");
            }
            if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT_OPTIONAL) ||
                variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR_OPTIONAL))
            {
                BaseTestSite.Log.Add(LogEntryKind.Comment, "Unknown AuthorizationData in AD_IF_RELEVANT is optional. " +
                                     "Server should not fail the request.");
            }

            KerberosApResponse apRep = kerberosClient.GetApResponseFromToken(repToken, GssToken);
            // Get subkey from AP response, which used for signing in smb2
            apRep.Decrypt(kerberosClient.Context.Ticket.SessionKey.keyvalue.ByteArrayValue);
            smb2Client.SetSessionSigningAndEncryption(true, false, apRep.ApEncPart.subkey.keyvalue.ByteArrayValue);

            string path = Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.BasicFileShare);
            AccessFile(smb2Client, path);
            #endregion

            smb2Client.LogOff();
            smb2Client.Disconnect();
        }
Beispiel #5
0
        public KileTgsResponse CreateTgsResponse(
            KileConnection kileConnection,
            Asn1SequenceOf <PA_DATA> seqOfPaData,
            EncTicketFlags encTicketFlags,
            EncryptionKey ticketEncryptKey,
            AuthorizationData ticketAuthorizationData)
        {
            KileServerContext serverContext = GetServerContextByKileConnection(kileConnection);

            if (ticketEncryptKey == null)
            {
                throw new ArgumentNullException(nameof(ticketEncryptKey));
            }
            else
            {
                serverContext.TicketEncryptKey = ticketEncryptKey;
            }
            var response = new KileTgsResponse(serverContext);

            // Construct a Ticket
            var ticket = new Ticket();

            ticket.tkt_vno = new Asn1Integer(ConstValue.KERBEROSV5);
            ticket.realm   = new Realm(domain);
            ticket.sname   = serverContext.SName;

            // Set EncTicketPart
            var            encTicketPart  = new EncTicketPart();
            EncryptionType encryptionType = (EncryptionType)serverContext.EncryptType.Elements[0].Value;

            encTicketPart.key                = new EncryptionKey(new KerbInt32((int)encryptionType), new Asn1OctetString(GetEncryptionKeyByType(encryptionType)));
            encTicketPart.flags              = new TicketFlags(KileUtility.ConvertInt2Flags((int)encTicketFlags));
            encTicketPart.crealm             = serverContext.TgsTicket.crealm;
            encTicketPart.cname              = serverContext.TgsTicket.cname;
            encTicketPart.transited          = serverContext.TgsTicket.transited;
            encTicketPart.authtime           = KileUtility.CurrentKerberosTime;
            encTicketPart.starttime          = KileUtility.CurrentKerberosTime;
            encTicketPart.endtime            = serverContext.TgsTicket.endtime;
            encTicketPart.renew_till         = serverContext.TgsTicket.renew_till;
            encTicketPart.caddr              = serverContext.Addresses;
            encTicketPart.authorization_data = ticketAuthorizationData;
            response.TicketEncPart           = encTicketPart;

            // Set AS_REP
            response.Response.pvno     = new Asn1Integer(ConstValue.KERBEROSV5);
            response.Response.msg_type = new Asn1Integer((int)MsgType.KRB_TGS_RESP);
            response.Response.padata   = seqOfPaData;
            response.Response.crealm   = serverContext.UserRealm;
            response.Response.cname    = serverContext.UserName;
            response.Response.ticket   = ticket;

            // Set EncASRepPart
            var encTGSRepPart = new EncTGSRepPart();

            encTGSRepPart.key = encTicketPart.key;
            var element = new LastReqElement(new KerbInt32(0), KileUtility.CurrentKerberosTime);

            encTGSRepPart.last_req   = new LastReq(new LastReqElement[] { element });
            encTGSRepPart.nonce      = serverContext.Nonce;
            encTGSRepPart.flags      = encTicketPart.flags;
            encTGSRepPart.authtime   = encTicketPart.authtime;
            encTGSRepPart.starttime  = encTicketPart.starttime;
            encTGSRepPart.endtime    = encTicketPart.endtime;
            encTGSRepPart.renew_till = encTicketPart.renew_till;
            encTGSRepPart.srealm     = ticket.realm;
            encTGSRepPart.sname      = ticket.sname;
            encTGSRepPart.caddr      = encTicketPart.caddr;
            response.EncPart         = encTGSRepPart;

            return(response);
        }
Beispiel #6
0
        public KileAsResponse CreateAsResponse(
            KileConnection kileConnection,
            KileAccountType accountType,
            string password,
            Asn1SequenceOf <PA_DATA> SeqofPaData,
            EncTicketFlags encTicketFlags,
            AuthorizationData ticketAuthorizationData)
        {
            KileServerContext serverContext = GetServerContextByKileConnection(kileConnection);
            string            cName         = serverContext.UserName.name_string.Elements[0].Value;
            string            cRealm        = serverContext.UserRealm.Value;

            serverContext.Salt             = GenerateSalt(cRealm, cName, accountType);
            serverContext.TicketEncryptKey = new EncryptionKey(new KerbInt32((int)EncryptionType.RC4_HMAC),
                                                               new Asn1OctetString(GetEncryptionKeyByType(EncryptionType.RC4_HMAC)));

            if (password == null)
            {
                throw new ArgumentNullException(nameof(password));
            }
            else
            {
                serverContext.Password = password;
            }
            KileAsResponse response = new KileAsResponse(serverContext);

            // Construct a Ticket
            var ticket = new Ticket();

            ticket.tkt_vno = new Asn1Integer(ConstValue.KERBEROSV5);
            ticket.realm   = new Realm(domain);
            ticket.sname   = serverContext.SName;

            // Set EncTicketPart
            var            encTicketPart  = new EncTicketPart();
            EncryptionType encryptionType = (EncryptionType)serverContext.EncryptType.Elements[0].Value;

            encTicketPart.key                = new EncryptionKey(new KerbInt32((int)encryptionType), new Asn1OctetString(GetEncryptionKeyByType(encryptionType)));
            encTicketPart.flags              = new TicketFlags(KileUtility.ConvertInt2Flags((int)encTicketFlags));
            encTicketPart.crealm             = serverContext.UserRealm;
            encTicketPart.cname              = serverContext.UserName;
            encTicketPart.transited          = new TransitedEncoding(new KerbInt32(4), null);
            encTicketPart.authtime           = KileUtility.CurrentKerberosTime;
            encTicketPart.starttime          = KileUtility.CurrentKerberosTime;
            encTicketPart.endtime            = serverContext.endTime;
            encTicketPart.renew_till         = serverContext.rtime ?? encTicketPart.endtime;
            encTicketPart.caddr              = serverContext.Addresses;
            encTicketPart.authorization_data = ticketAuthorizationData;
            response.TicketEncPart           = encTicketPart;

            // Set AS_REP
            response.Response.pvno     = new Asn1Integer(ConstValue.KERBEROSV5);
            response.Response.msg_type = new Asn1Integer((int)MsgType.KRB_AS_RESP);
            response.Response.padata   = SeqofPaData;
            response.Response.crealm   = serverContext.UserRealm;
            response.Response.cname    = serverContext.UserName;
            response.Response.ticket   = ticket;

            // Set EncASRepPart
            var encASRepPart = new EncASRepPart();

            encASRepPart.key = encTicketPart.key;
            var element = new LastReqElement(new KerbInt32(0), KileUtility.CurrentKerberosTime);

            encASRepPart.last_req   = new LastReq(new LastReqElement[] { element });
            encASRepPart.nonce      = serverContext.Nonce;
            encASRepPart.flags      = encTicketPart.flags;
            encASRepPart.authtime   = encTicketPart.authtime;
            encASRepPart.starttime  = encTicketPart.starttime;
            encASRepPart.endtime    = encTicketPart.endtime;
            encASRepPart.renew_till = encTicketPart.renew_till;
            encASRepPart.srealm     = ticket.realm;
            encASRepPart.sname      = ticket.sname;
            encASRepPart.caddr      = encTicketPart.caddr;
            response.EncPart        = encASRepPart;

            return(response);
        }