private void UpdateContext(KerberosTgsResponse response)
{
if (response.Response != null)
{
if (response.Response.padata != null && response.Response.padata.Elements != null)
{
foreach (PA_DATA paData in response.Response.padata.Elements)
{
var parsedPaData = PaDataParser.ParseRepPaData(paData);
if (parsedPaData is PaFxFastRep)
{
var armoredRep = ((PaFxFastRep)parsedPaData).GetArmoredRep();
var kerbRep = ((PaFxFastRep)parsedPaData).GetKerberosFastRep(Context.FastArmorkey);
var strKey = kerbRep.FastResponse.strengthen_key;
Context.ReplyKey = KerberosUtility.KrbFxCf2(strKey, Context.ReplyKey, "strengthenkey", "replykey");
}
}
}
KeyUsageNumber usage =
Context.Subkey == null ? KeyUsageNumber.TGS_REP_encrypted_part : KeyUsageNumber.TGS_REP_encrypted_part_subkey;
response.DecryptTgsResponse(Context.ReplyKey.keyvalue.ByteArrayValue, usage);
Context.SessionKey = response.EncPart.key;
//Fix me: when hide-client-names is set to true, response.Response.cname is not the real CName.
Context.Ticket = new KerberosTicket(response.Response.ticket, response.Response.cname, response.EncPart.key);
Context.SelectedEType = (EncryptionType)Context.Ticket.Ticket.enc_part.etype.Value;
}
}
public void DecryptTgsResponse(byte[] key, KeyUsageNumber usage = KeyUsageNumber.TGS_REP_encrypted_part)
{
var encryptType = (EncryptionType)Response.enc_part.etype.Value;
var encPartRawData = KerberosUtility.Decrypt(
encryptType,
key,
Response.enc_part.cipher.ByteArrayValue,
(int)usage);
EncPart = new EncTGSRepPart();
EncPart.BerDecode(new Asn1DecodingBuffer(encPartRawData));
KerberosUtility.OnDumpMessage("KRB5:TGS-REP(enc-part)",
"Encrypted part of TGS-REP",
KerberosUtility.DumpLevel.PartialMessage,
encPartRawData);
}
public void DecryptTgsResponse(byte[] key, KeyUsageNumber usage = KeyUsageNumber.TGS_REP_encrypted_part)
{
var encryptType = (EncryptionType)Response.enc_part.etype.Value;
var encPartRawData = KerberosUtility.Decrypt(
encryptType,
key,
Response.enc_part.cipher.ByteArrayValue,
(int)usage);
EncPart = new EncTGSRepPart();
EncPart.BerDecode(new Asn1DecodingBuffer(encPartRawData));
KerberosUtility.OnDumpMessage("KRB5:TGS-REP(enc-part)",
"Encrypted part of TGS-REP",
KerberosUtility.DumpLevel.PartialMessage,
encPartRawData);
}
private KerberosTgsResponse ExpectTgsResponse(KeyUsageNumber usage = KeyUsageNumber.TGS_REP_encrypted_part)
{
var response = this.client.ExpectPdu(KerberosConstValue.TIMEOUT_DEFAULT, typeof(KerberosTgsResponse));
if (response == null || !(response is KerberosTgsResponse))
{
throw new Exception("Expected KerberosAsResponse data is null");
}
KerberosTgsResponse tgsResponse = response as KerberosTgsResponse;
if (this.Context.ReplyKey == null)
{
throw new Exception("Reply key is null");
}
tgsResponse.DecryptTgsResponse(this.Context.ReplyKey.keyvalue.ByteArrayValue, usage);
return(tgsResponse);
}
/// <summary>
/// Create an instance.
/// </summary>
public KerberosApRequest(long pvno, APOptions ap_options, KerberosTicket ticket, Authenticator authenticator, KeyUsageNumber keyUsageNumber)
{
Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer();
authenticator.BerEncode(asnBuffPlainAuthenticator, true);
KerberosUtility.OnDumpMessage("KRB5:Authenticator",
"Authenticator in AP-REQ structure",
KerberosUtility.DumpLevel.PartialMessage,
asnBuffPlainAuthenticator.Data);
byte[] encAsnEncodedAuth = KerberosUtility.Encrypt((EncryptionType)ticket.SessionKey.keytype.Value,
ticket.SessionKey.keyvalue.ByteArrayValue,
asnBuffPlainAuthenticator.Data,
(int)keyUsageNumber);
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(ticket.SessionKey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedAuth);
long msg_type = (long)MsgType.KRB_AP_REQ;
Request = new AP_REQ(new Asn1Integer(pvno), new Asn1Integer(msg_type), ap_options, ticket.Ticket, encrypted);
Authenticator = authenticator;
}
private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subKey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumType checksumType, byte[] checksumBody)
{
Authenticator authenticator = CreateAuthenticator(ticket, data, subKey, checksumType, checksumBody);
KerberosApRequest apRequest = new KerberosApRequest(Context.Pvno, option, ticket, authenticator, keyUsageNumber);
return(apRequest);
}
/// <summary>
/// Create an instance.
/// </summary>
public KerberosApRequest(long pvno, APOptions ap_options, KerberosTicket ticket, Authenticator authenticator, KeyUsageNumber keyUsageNumber)
{
Asn1BerEncodingBuffer asnBuffPlainAuthenticator = new Asn1BerEncodingBuffer();
authenticator.BerEncode(asnBuffPlainAuthenticator, true);
KerberosUtility.OnDumpMessage("KRB5:Authenticator",
"Authenticator in AP-REQ structure",
KerberosUtility.DumpLevel.PartialMessage,
asnBuffPlainAuthenticator.Data);
byte[] encAsnEncodedAuth = KerberosUtility.Encrypt((EncryptionType)ticket.SessionKey.keytype.Value,
ticket.SessionKey.keyvalue.ByteArrayValue,
asnBuffPlainAuthenticator.Data,
(int)keyUsageNumber);
var encrypted = new EncryptedData();
encrypted.etype = new KerbInt32(ticket.SessionKey.keytype.Value);
encrypted.cipher = new Asn1OctetString(encAsnEncodedAuth);
long msg_type = (long)MsgType.KRB_AP_REQ;
Request = new AP_REQ(new Asn1Integer(pvno), new Asn1Integer(msg_type), ap_options, ticket.Ticket, encrypted);
Authenticator = authenticator;
}
private KerberosApRequest CreateApRequest(APOptions option, KerberosTicket ticket, EncryptionKey subkey, AuthorizationData data, KeyUsageNumber keyUsageNumber, ChecksumType checksumType, byte[] checksumBody)
{
Authenticator authenticator = CreateAuthenticator(ticket, data, subkey, checksumType, checksumBody);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno, option, ticket, authenticator, keyUsageNumber);
return apReq;
}
/// <summary>
/// Receive a TGS response
/// </summary>
/// <param name="usage">Key usage number to decrypt TGS response</param>
/// <returns></returns>
public KerberosTgsResponse ExpectTgsResponse(KeyUsageNumber usage = KeyUsageNumber.TGS_REP_encrypted_part)
{
var response = this.ExpectPdu(KerberosConstValue.TIMEOUT_DEFAULT, typeof(KerberosTgsResponse));
this.testSite.Assert.IsNotNull(response, "Response should not be null");
this.testSite.Assert.IsInstanceOfType(response, typeof(KerberosTgsResponse), "Response type mismatch");
KerberosTgsResponse tgsResponse = response as KerberosTgsResponse;
this.testSite.Log.Add(LogEntryKind.Debug, "Receive TGS response.");
this.testSite.Assume.IsNotNull(Context.ReplyKey, "Reply key should not be null.");
tgsResponse.DecryptTgsResponse(Context.ReplyKey.keyvalue.ByteArrayValue, usage);
return tgsResponse;
}
