コード例 #1
        /// <summary>
        /// Derives the NTLM sealing key from the exported session key, as selected by the negotiated flags.
        /// </summary>
        /// <remarks>
        /// Three cases are handled, in this order:
        /// extended session security (MD5 over key material plus a direction-specific magic constant),
        /// LAN Manager key (truncated session key followed by a fixed suffix), and the fallback,
        /// which returns <paramref name="exportedSessionKey"/> itself rather than a copy.
        /// Unless Negotiate128 is set, only the first 7 bytes (Negotiate56) or 5 bytes of the session key
        /// contribute to the result, so the negotiated flags directly bound the strength of the sealing key.
        /// </remarks>
        /// <param name="flags">The negotiated NTLM flags.</param>
        /// <param name="exportedSessionKey">The exported session key; at least 7 or 5 bytes are read in the truncating branches.</param>
        /// <param name="client"><c>true</c> to use the client sealing magic, <c>false</c> to use the server one.</param>
        /// <returns>The sealing key; in the fallback case this is the same array instance as <paramref name="exportedSessionKey"/>.</returns>
        public static byte[] SEALKEY(NtlmFlags flags, byte[] exportedSessionKey, bool client = true)
        {
            bool has128 = (flags & NtlmFlags.Negotiate128) != 0;
            bool has56  = (flags & NtlmFlags.Negotiate56) != 0;

            if ((flags & NtlmFlags.NegotiateExtendedSessionSecurity) != 0)
            {
                // With Negotiate128 the full session key is hashed; otherwise a truncated private copy is used.
                byte[] keyMaterial = exportedSessionKey;

                if (!has128)
                {
                    keyMaterial = new byte[has56 ? 7 : 5];
                    Buffer.BlockCopy(exportedSessionKey, 0, keyMaterial, 0, keyMaterial.Length);
                }

                var derived = MD5(ConcatenationOf(keyMaterial, client ? ClientSealMagic : ServerSealMagic));

                // Wipe the temporary copy only; the caller's session key must be left intact.
                if (!ReferenceEquals(keyMaterial, exportedSessionKey))
                {
                    Array.Clear(keyMaterial, 0, keyMaterial.Length);
                }

                return derived;
            }

            if ((flags & NtlmFlags.NegotiateLanManagerKey) != 0)
            {
                // 7 key bytes + 56-bit suffix, or 5 key bytes + 40-bit suffix (suffix constants are defined elsewhere).
                var tail      = has56 ? SealKeySuffix56 : SealKeySuffix40;
                int keepBytes = has56 ? 7 : 5;

                var padded = new byte[keepBytes + tail.Length];
                Buffer.BlockCopy(exportedSessionKey, 0, padded, 0, keepBytes);
                Buffer.BlockCopy(tail, 0, padded, keepBytes, tail.Length);

                return padded;
            }

            // No key derivation negotiated: the session key is used as-is (same reference, not a copy).
            return exportedSessionKey;
        }
コード例 #2
 /// <summary>
 /// Derives the NTLM signing key from the exported session key.
 /// </summary>
 /// <param name="flags">The negotiated NTLM flags.</param>
 /// <param name="exportedSessionKey">The exported session key that is hashed together with the magic constant.</param>
 /// <param name="client"><c>true</c> to use the client signing magic, <c>false</c> to use the server one.</param>
 /// <returns>
 /// MD5 of the session key concatenated with the direction-specific magic constant, or <c>null</c> when
 /// extended session security was not negotiated. Callers must handle the <c>null</c> case.
 /// </returns>
 public static byte[] SIGNKEY(NtlmFlags flags, byte[] exportedSessionKey, bool client = true)
 {
     // A signing key is only derived when extended session security is in effect.
     if ((flags & NtlmFlags.NegotiateExtendedSessionSecurity) == 0)
     {
         return null;
     }

     var directionMagic = client ? ClientSignMagic : ServerSignMagic;
     var keyInput       = ConcatenationOf(exportedSessionKey, directionMagic);

     return MD5(keyInput);
 }
コード例 #3
        /// <summary>
        /// Checks the initial NTLM client message produced for a "domain\username" credential:
        /// the expected flags are set, the domain is upper-cased, the host is empty, and the
        /// mechanism does not report itself as authenticated after the first step.
        /// </summary>
        public void TestNtlmAuthWithDomain()
        {
            const NtlmFlags expectedFlags = NtlmFlags.NegotiateUnicode | NtlmFlags.NegotiateOem | NtlmFlags.NegotiateNtlm |
                                            NtlmFlags.NegotiateNtlm2Key | NtlmFlags.RequestTarget | NtlmFlags.NegotiateDomainSupplied;

            // Fixed placeholder credentials; nothing is sent over the network by this test.
            var mechanism = new SaslMechanismNtlm(
                new Uri("imap://imap.gmail.com"),
                new NetworkCredential("domain\\username", "password"));

            // The first client message is returned base64-encoded; decode it and parse it as a Type 1 message.
            string encoded  = mechanism.Challenge(string.Empty);
            byte[] rawBytes = Convert.FromBase64String(encoded);
            var    type1    = new Type1Message(rawBytes, 0, rawBytes.Length);

            Assert.AreEqual(expectedFlags, type1.Flags, "Expected initial NTLM client challenge flags do not match.");
            Assert.AreEqual("DOMAIN", type1.Domain, "Expected initial NTLM client challenge domain does not match.");
            Assert.AreEqual(string.Empty, type1.Host, "Expected initial NTLM client challenge host does not match.");
            Assert.IsFalse(mechanism.IsAuthenticated, "NTLM should not be authenticated.");
        }
コード例 #4
        /// <summary>
        /// Creates an NTLM negotiate (type 1) message.
        /// </summary>
        /// <remarks>
        /// The NegotiateDomainSupplied, NegotiateWorkstationSupplied and NegotiateVersion bits of
        /// <paramref name="flags"/> are ignored; they are set here only when the matching value is supplied.
        /// </remarks>
        /// <param name="flags">The requested NTLM flags.</param>
        /// <param name="domain">The domain name; stored upper-cased, or as an empty string when null or empty.</param>
        /// <param name="workstation">The workstation name; stored upper-cased, or as an empty string when null or empty.</param>
        /// <param name="osVersion">The OS version; when non-null, domain and workstation are forced to empty strings.</param>
        public NtlmNegotiateMessage(NtlmFlags flags, string domain, string workstation, Version osVersion = null) : base(1)
        {
            // These three bits are derived from the arguments below, never taken from the caller.
            const NtlmFlags derivedBits = NtlmFlags.NegotiateDomainSupplied | NtlmFlags.NegotiateWorkstationSupplied | NtlmFlags.NegotiateVersion;

            Flags = flags & ~derivedBits;

            // Note: If the NTLMSSP_NEGOTIATE_VERSION flag is set by the client application, the Version field
            // MUST be set to the current version (section 2.2.2.10), the DomainName field MUST be set to
            // a zero-length string, and the Workstation field MUST be set to a zero-length string.
            if (osVersion != null)
            {
                Flags      |= NtlmFlags.NegotiateVersion;
                Workstation = string.Empty;
                Domain      = string.Empty;
                OSVersion   = osVersion;
                return;
            }

            bool workstationGiven = !string.IsNullOrEmpty(workstation);

            if (workstationGiven)
            {
                Flags |= NtlmFlags.NegotiateWorkstationSupplied;
            }

            Workstation = workstationGiven ? workstation.ToUpperInvariant() : string.Empty;

            bool domainGiven = !string.IsNullOrEmpty(domain);

            if (domainGiven)
            {
                Flags |= NtlmFlags.NegotiateDomainSupplied;
            }

            Domain = domainGiven ? domain.ToUpperInvariant() : string.Empty;
        }
コード例 #5
 /// <summary>
 /// Creates an NTLM challenge (type 2) message with a freshly generated 8-byte server challenge.
 /// </summary>
 /// <param name="flags">The NTLM flags to place in the message.</param>
 /// <param name="osVersion">The OS version to advertise, or <c>null</c>.</param>
 public NtlmChallengeMessage(NtlmFlags flags, Version osVersion = null) : base(2)
 {
     const int serverChallengeLength = 8;

     // NOTE(review): the challenge must be unpredictable per message; confirm that
     // NtlmUtils.NONCE draws from a cryptographically secure random source.
     serverChallenge = NtlmUtils.NONCE(serverChallengeLength);
     OSVersion       = osVersion;
     Flags           = flags;
 }