private void UpdateContext(KerberosTgsResponse response) { if (response.Response != null) { if (response.Response.padata != null && response.Response.padata.Elements != null) { foreach (PA_DATA paData in response.Response.padata.Elements) { var parsedPaData = PaDataParser.ParseRepPaData(paData); if (parsedPaData is PaFxFastRep) { var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep(); var kerbRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(Context.FastArmorkey); var strKey = kerbRep.FastResponse.strengthen_key; Context.ReplyKey = KerberosUtility.KrbFxCf2(strKey, Context.ReplyKey, "strengthenkey", "replykey"); } } } KeyUsageNumber usage = Context.Subkey == null ? KeyUsageNumber.TGS_REP_encrypted_part : KeyUsageNumber.TGS_REP_encrypted_part_subkey; response.DecryptTgsResponse(Context.ReplyKey.keyvalue.ByteArrayValue, usage); Context.SessionKey = response.EncPart.key; //Fix me: when hide-client-names is set to true, response.Response.cname is not the real CName. Context.Ticket = new KerberosTicket(response.Response.ticket, response.Response.cname, response.EncPart.key); Context.SelectedEType = (EncryptionType)Context.Ticket.Ticket.enc_part.etype.Value; } }
public KerberosFastResponse(KrbFastResponse fastResponse) { FastResponse = fastResponse; int len = fastResponse.padata.Elements.Length; PaData = new IPaData[len]; for (int i = 0; i < len; i++) { PaData[i] = PaDataParser.ParseRepPaData(fastResponse.padata.Elements[i]); } }
private void UpdateContext(KerberosAsRequest request) { if (request.Request != null && request.Request.req_body != null) { Context.Addresses = request.Request.req_body.addresses; Context.Nonce = request.Request.req_body.nonce; } if (request.Request.padata != null) { var padataList = request.Request.padata.Elements; foreach (var padata in padataList) { var parsed = PaDataParser.ParseReqPaData(padata); if (parsed is PaFxFastReq) { Context.ReplyKey = Context.FastArmorkey; } } } }
private void UpdateContext(KerberosKrbError error) { switch (error.ErrorCode) { case KRB_ERROR_CODE.KDC_ERR_PREAUTH_REQUIRED: { var seqOfPadata = new Asn1SequenceOf <PA_DATA>(); seqOfPadata.BerDecode(new Asn1DecodingBuffer(error.KrbError.e_data.ByteArrayValue)); var padataCount = seqOfPadata.Elements.Length; for (int i = 0; i < padataCount; i++) { var padata = PaDataParser.ParseRepPaData(seqOfPadata.Elements[i]); //Fix me: PaETypeInfo is also possible if (padata is PaETypeInfo2) { var etypeinfo = padata as PaETypeInfo2; string salt; var etype = negotiateEtype(etypeinfo.ETypeInfo2.Elements, Context.SupportedEType.Elements, out salt); Context.SelectedEType = (EncryptionType)etype; if (!string.IsNullOrEmpty(salt)) { Context.CName.Salt = salt; } Context.ReplyKey = KerberosUtility.MakeKey(Context.SelectedEType, Context.CName.Password, Context.CName.Salt); } if (padata is PaFxFastRep) { //Fix me: Do something. } } break; } default: break; } }
private void UpdateContext(KerberosAsResponse response) { KerberosFastResponse kerbFastRep = null; if (response.Response.padata != null && response.Response.padata.Elements != null) { foreach (PA_DATA paData in response.Response.padata.Elements) { var parsedPaData = PaDataParser.ParseRepPaData(paData); if (parsedPaData is PaETypeInfo2) { Asn1DecodingBuffer buffer = new Asn1DecodingBuffer(paData.padata_value.ByteArrayValue); ETYPE_INFO2 eTypeInfo2 = new ETYPE_INFO2(); eTypeInfo2.BerDecode(buffer); if (eTypeInfo2.Elements != null && eTypeInfo2.Elements.Length > 0) { // the salt is received from KDC if (eTypeInfo2.Elements[0].salt != null) { Context.CName.Salt = eTypeInfo2.Elements[0].salt.Value; } continue; } } if (parsedPaData is PaFxFastRep) { var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep(); kerbFastRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(Context.FastArmorkey); var strKey = kerbFastRep.FastResponse.strengthen_key; Context.ReplyKey = KerberosUtility.KrbFxCf2( strKey, //Fix me: should be Context.ReplyKey KerberosUtility.MakeKey(Context.SelectedEType, Context.CName.Password, Context.CName.Salt), "strengthenkey", "replykey"); } } } if (Context.ReplyKey != null) { response.Decrypt(Context.ReplyKey.keyvalue.ByteArrayValue); } else { var encryptType = (EncryptionType)response.Response.enc_part.etype.Value; var key = KeyGenerator.MakeKey(encryptType, Context.CName.Password, Context.CName.Salt); Context.ReplyKey = new EncryptionKey(new KerbInt32((long)encryptType), new Asn1OctetString(key)); response.Decrypt(key); } if (response.EncPart != null) { Context.SessionKey = response.EncPart.key; } if (response.Response != null) { //Response.Response.cname is not the real CName of the ticket when hide-client-names=1 if (kerbFastRep != null && kerbFastRep.FastResponse != null && kerbFastRep.FastResponse.finished != null) { // Windows DC is case insensitive. It may change the cname in the response, e.g. administrator -> Administrator Context.CName.Name = kerbFastRep.FastResponse.finished.cname; Context.Ticket = new KerberosTicket(response.Response.ticket, kerbFastRep.FastResponse.finished.cname, response.EncPart.key); } else { // Windows DC is case insensitive. It may change the cname in the response, e.g. administrator -> Administrator Context.CName.Name = response.Response.cname; Context.Ticket = new KerberosTicket(response.Response.ticket, response.Response.cname, response.EncPart.key); } Context.SelectedEType = (EncryptionType)Context.Ticket.SessionKey.keytype.Value; if (Context.Ticket != null && Context.Ticket.Ticket.sname != null && Context.Ticket.Ticket.sname.name_string != null && Context.Ticket.Ticket.sname.name_string.Elements != null && Context.Ticket.Ticket.sname.name_string.Elements.Length > 1) { int count = Context.Ticket.Ticket.sname.name_string.Elements.Length; Context.Realm = new Realm(Context.Ticket.Ticket.sname.name_string.Elements[count - 1].Value); } } }