private void UpdateContext(KerberosTgsResponse response)
{
if (response.Response != null)
{
if (response.Response.padata != null && response.Response.padata.Elements != null)
{
foreach (PA_DATA paData in response.Response.padata.Elements)
{
var parsedPaData = PaDataParser.ParseRepPaData(paData);
if (parsedPaData is PaFxFastRep)
{
var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep();
var kerbRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(Context.FastArmorkey);
var strKey = kerbRep.FastResponse.strengthen_key;
Context.ReplyKey = KerberosUtility.KrbFxCf2(strKey, Context.ReplyKey, "strengthenkey", "replykey");
}
}
}
KeyUsageNumber usage =
Context.Subkey == null ? KeyUsageNumber.TGS_REP_encrypted_part : KeyUsageNumber.TGS_REP_encrypted_part_subkey;
response.DecryptTgsResponse(Context.ReplyKey.keyvalue.ByteArrayValue, usage);
Context.SessionKey = response.EncPart.key;
//Fix me: when hide-client-names is set to true, response.Response.cname is not the real CName.
Context.Ticket = new KerberosTicket(response.Response.ticket, response.Response.cname, response.EncPart.key);
Context.SelectedEType = (EncryptionType)Context.Ticket.Ticket.enc_part.etype.Value;
}
}
public KerberosFastResponse(KrbFastResponse fastResponse)
{
FastResponse = fastResponse;
int len = fastResponse.padata.Elements.Length;
PaData = new IPaData[len];
for (int i = 0; i < len; i++)
{
PaData[i] = PaDataParser.ParseRepPaData(fastResponse.padata.Elements[i]);
}
}
private void UpdateContext(KerberosAsRequest request)
{
if (request.Request != null && request.Request.req_body != null)
{
Context.Addresses = request.Request.req_body.addresses;
Context.Nonce = request.Request.req_body.nonce;
}
if (request.Request.padata != null)
{
var padataList = request.Request.padata.Elements;
foreach (var padata in padataList)
{
var parsed = PaDataParser.ParseReqPaData(padata);
if (parsed is PaFxFastReq)
{
Context.ReplyKey = Context.FastArmorkey;
}
}
}
}
private void UpdateContext(KerberosKrbError error)
{
switch (error.ErrorCode)
{
case KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED:
{
var seqOfPadata = new Asn1SequenceOf <PA_DATA>();
seqOfPadata.BerDecode(new Asn1DecodingBuffer(error.KrbError.e_data.ByteArrayValue));
var padataCount = seqOfPadata.Elements.Length;
for (int i = 0; i < padataCount; i++)
{
var padata = PaDataParser.ParseRepPaData(seqOfPadata.Elements[i]);
//Fix me: PaETypeInfo is also possible
if (padata is PaETypeInfo2)
{
var etypeinfo = padata as PaETypeInfo2;
string salt;
var etype = negotiateEtype(etypeinfo.ETypeInfo2.Elements, Context.SupportedEType.Elements, out salt);
Context.SelectedEType = (EncryptionType)etype;
if (!string.IsNullOrEmpty(salt))
{
Context.CName.Salt = salt;
}
Context.ReplyKey = KerberosUtility.MakeKey(Context.SelectedEType, Context.CName.Password, Context.CName.Salt);
}
if (padata is PaFxFastRep)
{
//Fix me: Do something.
}
}
break;
}
default:
break;
}
}
private void UpdateContext(KerberosAsResponse response)
{
KerberosFastResponse kerbFastRep = null;
if (response.Response.padata != null && response.Response.padata.Elements != null)
{
foreach (PA_DATA paData in response.Response.padata.Elements)
{
var parsedPaData = PaDataParser.ParseRepPaData(paData);
if (parsedPaData is PaETypeInfo2)
{
Asn1DecodingBuffer buffer = new Asn1DecodingBuffer(paData.padata_value.ByteArrayValue);
ETYPE_INFO2 eTypeInfo2 = new ETYPE_INFO2();
eTypeInfo2.BerDecode(buffer);
if (eTypeInfo2.Elements != null && eTypeInfo2.Elements.Length > 0)
{
// the salt is received from KDC
if (eTypeInfo2.Elements[0].salt != null)
{
Context.CName.Salt = eTypeInfo2.Elements[0].salt.Value;
}
continue;
}
}
if (parsedPaData is PaFxFastRep)
{
var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep();
kerbFastRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(Context.FastArmorkey);
var strKey = kerbFastRep.FastResponse.strengthen_key;
Context.ReplyKey = KerberosUtility.KrbFxCf2(
strKey,
//Fix me: should be Context.ReplyKey
KerberosUtility.MakeKey(Context.SelectedEType, Context.CName.Password, Context.CName.Salt),
"strengthenkey",
"replykey");
}
}
}
if (Context.ReplyKey != null)
{
response.Decrypt(Context.ReplyKey.keyvalue.ByteArrayValue);
}
else
{
var encryptType = (EncryptionType)response.Response.enc_part.etype.Value;
var key = KeyGenerator.MakeKey(encryptType, Context.CName.Password, Context.CName.Salt);
Context.ReplyKey = new EncryptionKey(new KerbInt32((long)encryptType), new Asn1OctetString(key));
response.Decrypt(key);
}
if (response.EncPart != null)
{
Context.SessionKey = response.EncPart.key;
}
if (response.Response != null)
{
//Response.Response.cname is not the real CName of the ticket when hide-client-names=1
if (kerbFastRep != null && kerbFastRep.FastResponse != null && kerbFastRep.FastResponse.finished != null)
{
// Windows DC is case insensitive. It may change the cname in the response, e.g. administrator -> Administrator
Context.CName.Name = kerbFastRep.FastResponse.finished.cname;
Context.Ticket = new KerberosTicket(response.Response.ticket, kerbFastRep.FastResponse.finished.cname, response.EncPart.key);
}
else
{
// Windows DC is case insensitive. It may change the cname in the response, e.g. administrator -> Administrator
Context.CName.Name = response.Response.cname;
Context.Ticket = new KerberosTicket(response.Response.ticket, response.Response.cname, response.EncPart.key);
}
Context.SelectedEType = (EncryptionType)Context.Ticket.SessionKey.keytype.Value;
if (Context.Ticket != null && Context.Ticket.Ticket.sname != null &&
Context.Ticket.Ticket.sname.name_string != null &&
Context.Ticket.Ticket.sname.name_string.Elements != null &&
Context.Ticket.Ticket.sname.name_string.Elements.Length > 1)
{
int count = Context.Ticket.Ticket.sname.name_string.Elements.Length;
Context.Realm = new Realm(Context.Ticket.Ticket.sname.name_string.Elements[count - 1].Value);
}
}
}
