/// <summary> /// Encode common part of DigestValidationRequest /// </summary> /// <param name="serverName">server name</param> /// <param name="domainName">domain name</param> /// <param name="accountName">account name</param> /// <param name="digestType">digest type</param> /// <param name="digestChallengeAlgorithm">digest challenge algorithm</param> /// <param name="dpspResponse">dpspResponse</param> /// <param name="payload">DIGEST_VALIDATION_REQ_Payload structure</param> /// <param name="digestValidationReq">digestValidationReq</param> private static void EncodeCommonPartOfDigestValidationRequest( string serverName, string domainName, string accountName, DigestType_Values digestType, string digestChallengeAlgorithm, DpspResponse dpspResponse, ref DIGEST_VALIDATION_REQ_Payload payload, ref DIGEST_VALIDATION_REQ digestValidationReq ) { digestValidationReq.MessageType = DIGEST_VALIDATION_REQ_MessageType_Values.Default; digestValidationReq.Version = DIGEST_VALIDATION_REQ_Version_Values.Default; digestValidationReq.DigestType = digestType; digestValidationReq = SetQopType(dpspResponse, digestValidationReq); digestValidationReq = SetAlgType(digestChallengeAlgorithm, digestValidationReq); digestValidationReq.CharsetType = CharsetType_Values.UTF8; digestValidationReq.NameFormat = NameFormat_Values.None; digestValidationReq.Flags = DIGEST_VALIDATION_FLAGS.FormatOfUserNameAndRealmIsDeterminedByDC | DIGEST_VALIDATION_FLAGS.RequestIsSentFromServer; digestValidationReq.Reserved3 = DIGEST_VALIDATION_REQ_Reserved3_Values.Default; digestValidationReq.Reserved4 = Reserved4_Values.Default; digestValidationReq.Pad1 = DIGEST_VALIDATION_REQ_Pad1_Values.Default; // Each of the strings MUST be included. If the string value is empty, // then a terminating null character MUST be used for the value. payload.Username = dpspResponse.GetAttributeValue(DpspUtility.USER_NAME_DIRECTIVE); payload.Realm = dpspResponse.GetAttributeValue(DpspUtility.REALM_DIRECTIVE); payload.Nonce = dpspResponse.GetAttributeValue(DpspUtility.NONCE_DIRECTIVE); payload.CNonce = dpspResponse.GetAttributeValue(DpspUtility.CNONCE_DIRECTIVE); payload.NonceCount = dpspResponse.GetAttributeValue(DpspUtility.NONCE_COUNT_DIRECTIVE); payload.QOP = dpspResponse.GetAttributeValue(DpspUtility.MESSAGE_QOP_DIRECTIVE); payload.Response = dpspResponse.GetAttributeValue(DpspUtility.RESPONSE_DIRECTIVE); payload.AccountName = accountName;; payload.ServerName = serverName; payload.Domain = domainName; }
/// <summary> /// Encode common part of DigestValidationRequest /// </summary> /// <param name="serverName">server name</param> /// <param name="domainName">domain name</param> /// <param name="accountName">account name</param> /// <param name="digestType">digest type</param> /// <param name="digestChallengeAlgorithm">digest challenge algorithm</param> /// <param name="dpspResponse">dpspResponse</param> /// <param name="payload">DIGEST_VALIDATION_REQ_Payload structure</param> /// <param name="digestValidationReq">digestValidationReq</param> private static void EncodeCommonPartOfDigestValidationRequest( string serverName, string domainName, string accountName, DigestType_Values digestType, string digestChallengeAlgorithm, DpspResponse dpspResponse, ref DIGEST_VALIDATION_REQ_Payload payload, ref DIGEST_VALIDATION_REQ digestValidationReq ) { digestValidationReq.MessageType = DIGEST_VALIDATION_REQ_MessageType_Values.Default; digestValidationReq.Version = DIGEST_VALIDATION_REQ_Version_Values.Default; digestValidationReq.DigestType = digestType; digestValidationReq = SetQopType(dpspResponse, digestValidationReq); digestValidationReq = SetAlgType(digestChallengeAlgorithm, digestValidationReq); digestValidationReq.CharsetType = CharsetType_Values.UTF8; digestValidationReq.NameFormat = NameFormat_Values.None; digestValidationReq.Flags = DIGEST_VALIDATION_FLAGS.FormatOfUserNameAndRealmIsDeterminedByDC | DIGEST_VALIDATION_FLAGS.RequestIsSentFromServer; digestValidationReq.Reserved3 = DIGEST_VALIDATION_REQ_Reserved3_Values.Default; digestValidationReq.Reserved4 = Reserved4_Values.Default; digestValidationReq.Pad1 = DIGEST_VALIDATION_REQ_Pad1_Values.Default; // Each of the strings MUST be included. If the string value is empty, // then a terminating null character MUST be used for the value. payload.Username = dpspResponse.GetAttributeValue(DpspUtility.USER_NAME_DIRECTIVE); payload.Realm = dpspResponse.GetAttributeValue(DpspUtility.REALM_DIRECTIVE); payload.Nonce = dpspResponse.GetAttributeValue(DpspUtility.NONCE_DIRECTIVE); payload.CNonce = dpspResponse.GetAttributeValue(DpspUtility.CNONCE_DIRECTIVE); payload.NonceCount = dpspResponse.GetAttributeValue(DpspUtility.NONCE_COUNT_DIRECTIVE); payload.QOP = dpspResponse.GetAttributeValue(DpspUtility.MESSAGE_QOP_DIRECTIVE); payload.Response = dpspResponse.GetAttributeValue(DpspUtility.RESPONSE_DIRECTIVE); payload.AccountName = accountName; ; payload.ServerName = serverName; payload.Domain = domainName; }
/// <summary> /// Construct DIGEST_VALIDATION_REQ structure /// </summary> /// <param name="serverName">server name</param> /// <param name="domainName">domain name</param> /// <param name="accountName">account name</param> /// <param name="httpMethod">http method</param> /// <param name="digestType">digest type</param> /// <param name="digestChallengeAlgorithm">digest challenge algorithm</param> /// <param name="dpspResponse">dpspResponse class instance</param> /// <returns>DIGEST_VALIDATION_REQ structure</returns> /// <exception cref="ArgumentNullException"> /// Thrown when dpspResponse or httpMethod is null /// </exception> /// <exception cref="ArgumentException"> /// Thrown when httpMethod or digestType input is invalid /// </exception> public static DIGEST_VALIDATION_REQ CreateDigestValidationRequestPacket( string serverName, string domainName, string accountName, string httpMethod, DigestType_Values digestType, string digestChallengeAlgorithm, DpspResponse dpspResponse) { if (dpspResponse == null) { throw new ArgumentNullException("dpspResponse"); } if (httpMethod == null) { throw new ArgumentNullException("httpMethod"); } DIGEST_VALIDATION_REQ_Payload payload = new DIGEST_VALIDATION_REQ_Payload(); DIGEST_VALIDATION_REQ digestValidationReq = new DIGEST_VALIDATION_REQ(); if (digestType == DigestType_Values.Basic) { EncodeCommonPartOfDigestValidationRequest( serverName, domainName, accountName, digestType, digestChallengeAlgorithm, dpspResponse, ref payload, ref digestValidationReq); payload.Algorithm = dpspResponse.GetAttributeValue(DpspUtility.ALGORITHM_DIRECTIVE); payload.URI = dpspResponse.GetAttributeValue(DpspUtility.BASIC_DIGEST_URI_DIRECTIVE); if (httpMethod.ToUpper().Equals(HTTP_GET) || httpMethod.ToLower().Equals(HTTP_PUT)) { payload.Method = httpMethod; } else { throw new ArgumentException("invalid http method", "httpMethod"); } } else if (digestType == DigestType_Values.SASL) { EncodeCommonPartOfDigestValidationRequest( serverName, domainName, accountName, digestType, digestChallengeAlgorithm, dpspResponse, ref payload, ref digestValidationReq); payload.Method = SASL_AUTHENTICATE; payload.URI = dpspResponse.GetAttributeValue(DpspUtility.SASL_DIGEST_URI_DIRECTIVE); payload.Authzid = dpspResponse.GetAttributeValue(DpspUtility.AUTHZID_DIRECTIVE); payload.Hentity = dpspResponse.GetAttributeValue(DpspUtility.HENTITY_DIRECTIVE); } else { throw new ArgumentException( "invalid digestType value", "digestType"); } digestValidationReq.Payload = payload.GetBytes(); digestValidationReq = UpdatePacketInfo(digestValidationReq); return digestValidationReq; }
/// <summary> /// This method constructs the digest request structure which is required to send from protocol client to protocol server. /// </summary> /// <param name="digestType">It indicates the DigestType field of the DIGEST_VALIDATION_REQ</param> /// <param name="algType">It indicates the AlgType field of the DIGEST_VALIDATION_REQ </param> /// <param name="ignoredFields">It indicates the fields that should be ignored by DC in DIGEST_VALIDATION_REQ </param> /// <param name="digestReq">The request structure for digest validation</param> private void GetDigestRequest( DigestType_Values digestType, AlgType_Values algType, IgnoredFields ignoredFields, out DIGEST_VALIDATION_REQ digestReq) { // create a temporary payload structure DIGEST_VALIDATION_REQ_Payload reqLoad = new DIGEST_VALIDATION_REQ_Payload(); reqLoad.AccountName = currentUserName; reqLoad.Algorithm = acceptedAlgType; reqLoad.Authzid = ""; reqLoad.Nonce = GenerateNonce(); reqLoad.CNonce = reqLoad.Nonce; reqLoad.Hentity = ""; reqLoad.NonceCount = nonceCountString; reqLoad.QOP = ""; reqLoad.Realm = sutDomainName; reqLoad.URI = "/"; reqLoad.Username = currentUserName; string servicename = serverName; string response = string.Empty; if (digestType == DigestType_Values.Basic) { reqLoad.Method = httpRequestMethodString; // calling RFC 2617 algorithms for calculating H(A1) and Response, when HTTP is involved. string strHA1 = DigestCalcHA1HTTP( reqLoad.Algorithm, reqLoad.Username, reqLoad.Realm, currentPassword, reqLoad.Nonce, reqLoad.CNonce, false); digestSessionKey = strHA1; response = DigestCalcResponseHTTP( strHA1, reqLoad.Nonce, reqLoad.NonceCount, reqLoad.CNonce, reqLoad.QOP, reqLoad.Method, reqLoad.URI, reqLoad.Hentity, false); } else if (digestType == DigestType_Values.SASL) { reqLoad.Method = saslRequestMethodString; // calling RFC 2617 algorithms for calculating H(A1) and Response, when SASL is involved. string strHA1 = DigestCalcHA1SASL( reqLoad.Authzid, reqLoad.Username, reqLoad.Realm, currentPassword, reqLoad.Nonce, reqLoad.CNonce, false); digestSessionKey = strHA1; response = DigestCalcResponseSASL( strHA1, reqLoad.Nonce, reqLoad.NonceCount, reqLoad.CNonce, reqLoad.QOP, reqLoad.URI, false, false); } string basicDigestCredentialString = "Digest username="******",realm=" + reqLoad.Realm + ",nonce=" + reqLoad.Nonce + ",uri=" + reqLoad.URI + ",cnonce=" + reqLoad.CNonce + ",nc=" + reqLoad.NonceCount + ",algorithm=" + reqLoad.Algorithm + ",response=" + response + ",qop=" + reqLoad.QOP + ",charset=" + encodingCodePageString + ",service-name=" + servicename; DpspResponse dpspResponse = DpspBasicResponse.Decode(basicDigestCredentialString); DIGEST_VALIDATION_REQ digestValidationReq = ApdsUtility.CreateDigestValidationRequestPacket( clientComputerName, string.Empty, string.Empty, reqLoad.Method, digestType, acceptedAlgType, dpspResponse); digestValidationReq.CharsetType = CharsetType_Values.ISO8859_1; digestValidationReq.AlgType = algType; digestValidationReq.Flags = (DIGEST_VALIDATION_FLAGS)5; digestValidationReq.Reserved3 = (DIGEST_VALIDATION_REQ_Reserved3_Values)ignoredFields.reserved3; digestValidationReq.Reserved4 = (Reserved4_Values)ignoredFields.reserved4; digestReq = digestValidationReq; }
/// <summary> /// Send Digest request message to DC, and validate the credentials. /// </summary> /// <param name="isValidationSuccess">Indicates whether the validation from server will be success.</param> /// <param name="digestType">Indicates the DigestType field of the request.</param> /// <param name="algType">Indicates the AlgType field of the request.</param> /// <param name="ignoredFields">It indicates the fields that should be ignored by DC in DIGEST_VALIDATION_REQ.</param> /// <returns>Indicates the result status of DC response.</returns> public Status GenerateDigestRequest( Boolean isValidationSuccess, AccountInformation accountInfo, DigestType_Values digestType, AlgType_Values algType, IgnoredFields ignoredFields) { DIGEST_VALIDATION_REQ digestReq; _NETLOGON_LOGON_INFO_CLASS logonLevel = _NETLOGON_LOGON_INFO_CLASS.NetlogonGenericInformation; _NETLOGON_VALIDATION_INFO_CLASS validationLevel = _NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationGenericInfo2; //Compute the password GenerateCurrentCredentials(accountInfo); //Get Digest Request GetDigestRequest(digestType, algType, ignoredFields, out digestReq); //Create digest validation logon info _NETLOGON_LEVEL netlogonLevel = ApdsUtility.CreateDpspLogonInfo( NrpcParameterControlFlags.AllowLogonWithComputerAccount, digestReq); //Create Secure Channel EstablishSecureChannel(); //Client calls EncryptNetlogonLevel _NETLOGON_LEVEL encryptedLogonLevel = nrpcClient.EncryptNetlogonLevel( (_NETLOGON_LOGON_INFO_CLASS)logonLevel, netlogonLevel); //Client calls NetrLogonSamLogonEx _NETLOGON_VALIDATION?validationInfomation; byte?authoritative; NrpcNetrLogonSamLogonExtraFlags?extraFlags = NrpcNetrLogonSamLogonExtraFlags.None; result = nrpcClient.NetrLogonSamLogonEx( nrpcClient.Handle, sutComputerName, clientComputerName, logonLevel, encryptedLogonLevel, validationLevel, out validationInfomation, out authoritative, ref extraFlags); // Whether this method use pass-through mechanism or not. bool isPassThroughMethod = false; // //The Digest validation protocol SHOULD use the generic pass-through mechanism. //For generic pass-through, the LogonLevel is 4(NetlogonGenericInformation) as defined in [MS-NRPC] section 3.2.4.1. //So when the LogonLevel is 4, we can say that NRPC pass-through authentication method is used. // if ((int)logonLevel == 4) { isPassThroughMethod = true; } // //Verify MS-APDS requirment:MS-APDS_R5 // Site.CaptureRequirementIfIsTrue( isPassThroughMethod, 5, @"For domain support, authentication protocols MUST use an NRPC pass-through authentication ([MS-NRPC] section 3.2) method with parameters determined by the authentication protocol being used[to return the response structures to member server]."); // //Verify MS-APDS requirment:MS-APDS_R15 // Site.CaptureRequirementIfAreEqual <int>( 5, (int)validationLevel, 15, @"Digest response messages MUST be encoded as opaque blobs and transported by the generic pass-through capability of Netlogon."); // //Configured in PTFConfig file,default SHOULD to true and MAY to false. // string isR169Implemented = "true"; // //Check OS version // if (isWindows) { // //Verify MS-APDS requirment:MS-APDS_R100169 // Site.CaptureRequirementIfAreEqual <int>( 5, (int)validationLevel, 100169, @"In Windows, the Digest validation protocol uses the generic pass-through mechanism."); if (null == isR169Implemented) { Site.Properties.Add("R169Implemented", Boolean.TrueString); isR169Implemented = Boolean.TrueString; } } if (null != isR169Implemented) { bool implSigns = Boolean.Parse(isR169Implemented); bool isSatisfied = ((int)_NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationGenericInfo2 == 5); // //Verify MS-APDS requirment:MS-APDS_R169 // Site.CaptureRequirementIfAreEqual <Boolean>( implSigns, isSatisfied, 169, string.Format(@"The Digest validation protocol SHOULD use the generic pass-through mechanism. This requirement is {0} implemented.", implSigns ? "" : "not")); } byte[] buf; bool isDigestResStructure = true; DIGEST_VALIDATION_RESP digestValidationResponse = new DIGEST_VALIDATION_RESP(); // Judge whether the digest response is exist, validationData is response point. // if validationData equals 0, no response return from NRPC. if (validationInfomation.Value.ValidationGeneric2 == null) { isDigestResStructure = false; } else { // decrypt validation info buf = NrpcUtility.DecryptBuffer( (nrpcClient.Context.NegotiateFlags & NrpcNegotiateFlags.SupportsAESAndSHA2) == NrpcNegotiateFlags.SupportsAESAndSHA2, nrpcClient.Context.SessionKey, validationInfomation.Value.ValidationGeneric2[0].ValidationData); _NETLOGON_VALIDATION decryptValidationInfo = new _NETLOGON_VALIDATION(); decryptValidationInfo.ValidationGeneric2 = new _NETLOGON_VALIDATION_GENERIC_INFO2[1]; decryptValidationInfo.ValidationGeneric2[0].ValidationData = buf; digestValidationResponse = ApdsUtility.ConvertDataToDigestValidationResponse(decryptValidationInfo); VerifyMessageSyntaxDigestValidCredential(digestValidationResponse, validationLevel, (uint)buf.Length); } if (result != NtStatus.STATUS_SUCCESS) { // //Verify MS-APDS requirment:MS-APDS_R292 // Site.CaptureRequirementIfIsFalse( isDigestResStructure, 292, "[If unsuccessful]It[DC] MUST NOT send back the DIGEST_VALIDATION_RESP message."); VerifyMessageSyntxDigestInvalidResp((uint)result, digestValidationResponse.AuthDataSize); } return((Status)result); }
/// <summary> /// Construct DIGEST_VALIDATION_REQ structure /// </summary> /// <param name="serverName">server name</param> /// <param name="domainName">domain name</param> /// <param name="accountName">account name</param> /// <param name="httpMethod">http method</param> /// <param name="digestType">digest type</param> /// <param name="digestChallengeAlgorithm">digest challenge algorithm</param> /// <param name="dpspResponse">dpspResponse class instance</param> /// <returns>DIGEST_VALIDATION_REQ structure</returns> /// <exception cref="ArgumentNullException"> /// Thrown when dpspResponse or httpMethod is null /// </exception> /// <exception cref="ArgumentException"> /// Thrown when httpMethod or digestType input is invalid /// </exception> public static DIGEST_VALIDATION_REQ CreateDigestValidationRequestPacket( string serverName, string domainName, string accountName, string httpMethod, DigestType_Values digestType, string digestChallengeAlgorithm, DpspResponse dpspResponse) { if (dpspResponse == null) { throw new ArgumentNullException("dpspResponse"); } if (httpMethod == null) { throw new ArgumentNullException("httpMethod"); } DIGEST_VALIDATION_REQ_Payload payload = new DIGEST_VALIDATION_REQ_Payload(); DIGEST_VALIDATION_REQ digestValidationReq = new DIGEST_VALIDATION_REQ(); if (digestType == DigestType_Values.Basic) { EncodeCommonPartOfDigestValidationRequest( serverName, domainName, accountName, digestType, digestChallengeAlgorithm, dpspResponse, ref payload, ref digestValidationReq); payload.Algorithm = dpspResponse.GetAttributeValue(DpspUtility.ALGORITHM_DIRECTIVE); payload.URI = dpspResponse.GetAttributeValue(DpspUtility.BASIC_DIGEST_URI_DIRECTIVE); if (httpMethod.ToUpper().Equals(HTTP_GET) || httpMethod.ToLower().Equals(HTTP_PUT)) { payload.Method = httpMethod; } else { throw new ArgumentException("invalid http method", "httpMethod"); } } else if (digestType == DigestType_Values.SASL) { EncodeCommonPartOfDigestValidationRequest( serverName, domainName, accountName, digestType, digestChallengeAlgorithm, dpspResponse, ref payload, ref digestValidationReq); payload.Method = SASL_AUTHENTICATE; payload.URI = dpspResponse.GetAttributeValue(DpspUtility.SASL_DIGEST_URI_DIRECTIVE); payload.Authzid = dpspResponse.GetAttributeValue(DpspUtility.AUTHZID_DIRECTIVE); payload.Hentity = dpspResponse.GetAttributeValue(DpspUtility.HENTITY_DIRECTIVE); } else { throw new ArgumentException( "invalid digestType value", "digestType"); } digestValidationReq.Payload = payload.GetBytes(); digestValidationReq = UpdatePacketInfo(digestValidationReq); return(digestValidationReq); }