/// <summary>
/// accept the authenticate packet, if failed, throw exception.
/// </summary>
/// <param name="authenticatePacket">authenciate packet</param>
/// <exception cref="InvalidOperationException">INVALID message error</exception>
/// <exception cref="InvalidOperationException">mic of authenticate packet is invalid</exception>
private void AcceptAuthenticatePacket(NlmpAuthenticatePacket authenticatePacket)
{
// save the authenticate to valid the mic.
this.authenticate = authenticatePacket;
// retrieve the client authenticate information
ClientAuthenticateInfomation authenticateInformation =
RetrieveClientAuthenticateInformation(authenticatePacket);
// update the version of context
this.version = authenticateInformation.Version;
if (authenticateInformation.ClientTime != 0)
{
this.systemTime = authenticateInformation.ClientTime;
}
byte[] exportedSessionKey = null;
if (this.nlmpServer.Context.ClientCredential == null)
{
if (verifyAuthenticatePacketInDc == null)
{
throw new InvalidOperationException(
"In domain environment, the delegate method " +
"VerifyAuthenticatePacketInDcMethod should not be null");
}
// in domain environment, the authentication is hosted in Active Directory,
// the response pair MUST be sent to DC to verify [MS-APDS] section 3.1.5
// DC will return the authentication result and the session key
DcValidationInfo dcValidationInfo = verifyAuthenticatePacketInDc(
authenticatePacket,
this.challenge.Payload.ServerChallenge);
if (dcValidationInfo.status != NtStatus.STATUS_SUCCESS)
{
throw new InvalidOperationException(
string.Format(
"verify authentication packet in DC failed, NtStatus value ={0}",
dcValidationInfo.status.ToString()));
}
exportedSessionKey = dcValidationInfo.sessionKey;
}
else
{
// in workgroup environment. the authentication is hosted locally.
authenticateInformation = VerifyAuthenticatePacketLocally(
authenticatePacket,
authenticateInformation,
out exportedSessionKey);
}
// save keys
this.nlmpServer.Context.ExportedSessionKey = exportedSessionKey;
// initialize keys and handles
InitializeKeys(exportedSessionKey);
}
/// <summary>
/// constructor
/// </summary>
/// <param name="nlmpVersion">
/// the version of NLMP. this value must be NTLMv1 or NTLMv2. LM is not supported by sdk.
/// </param>
/// <exception cref="ArgumentException">the nlmpversion must be v1 or v2</exception>
public NlmpClientConfig(NlmpVersion nlmpVersion)
{
if (nlmpVersion != NlmpVersion.v1 && nlmpVersion != NlmpVersion.v2)
{
throw new ArgumentException(
string.Format("the nlmpVersion is invalid value:{0}, it must be v1 or v2", nlmpVersion),
"nlmpVersion");
}
this.Version = nlmpVersion;
}
/// <summary>
/// constructor
/// </summary>
/// <param name="nlmpVersion">
/// the version of NLMP. this value must be NTLMv1 or NTLMv2. LM is not supported by sdk.
/// </param>
/// <exception cref="ArgumentException">the nlmpversion must be v1 or v2</exception>
public NlmpClientConfig(NlmpVersion nlmpVersion)
{
if (nlmpVersion != NlmpVersion.v1 && nlmpVersion != NlmpVersion.v2)
{
throw new ArgumentException(
string.Format("the nlmpVersion is invalid value:{0}, it must be v1 or v2", nlmpVersion),
"nlmpVersion");
}
this.Version = nlmpVersion;
}
/// <summary>
/// constructor
/// </summary>
/// <param name="flags">the negotiate flags indicates the capabilities of server or client</param>
/// <param name="clientCredential">
/// the credential of client. server sdk can not retrieve password from AD/Account Database;<para/>
/// instead, server sdk get the user credential from this parameter.
/// </param>
/// <param name="isDomainJoined">whether the server joined to domain</param>
/// <param name="netbiosDomainName">the netbios domain name of server</param>
/// <param name="netbiosMachineName">the netbios machine name of server</param>
public NlmpServerSecurityContext(
NegotiateTypes flags,
NlmpClientCredential clientCredential,
bool isDomainJoined,
string netbiosDomainName,
string netbiosMachineName)
{
this.version = new NlmpVersion();
this.nlmpServer = new NlmpServer();
this.nlmpServer.Context.NegFlg = flags;
this.nlmpServer.Context.ClientCredential = clientCredential;
this.nlmpServer.Context.IsDomainJoined = isDomainJoined;
this.nlmpServer.Context.NbDomainName = netbiosDomainName;
this.nlmpServer.Context.NbMachineName = netbiosMachineName;
this.needContinueProcessing = true;
}
/// <summary>
/// constructor
/// </summary>
/// <param name="flags">the negotiate flags indicates the capabilities of server or client</param>
/// <param name="isDomainJoined">whether the server joined to domain</param>
/// <param name="netbiosDomainName">the netbios domain name of server</param>
/// <param name="netbiosMachineName">the netbios machine name of server</param>
/// <param name="verifyAuthenticatePacketInDcMethod">
/// the delegate method used to verify authentication packet in AD/Account Database;
/// </param>
public NlmpServerSecurityContext(
NegotiateTypes flags,
bool isDomainJoined,
string netbiosDomainName,
string netbiosMachineName,
VerifyAuthenticatePacketInDcMethod verifyAuthenticatePacketInDcMethod)
{
this.version = new NlmpVersion();
this.nlmpServer = new NlmpServer();
this.nlmpServer.Context.NegFlg = flags;
this.nlmpServer.Context.ClientCredential = null;
this.nlmpServer.Context.IsDomainJoined = isDomainJoined;
this.nlmpServer.Context.NbDomainName = netbiosDomainName;
this.nlmpServer.Context.NbMachineName = netbiosMachineName;
this.needContinueProcessing = true;
this.verifyAuthenticatePacketInDc = verifyAuthenticatePacketInDcMethod;
}
public void GetSecurityToken(
NlmpVersion ntlmVersion,
string domainName,
string userName,
string password,
ulong serverTime,
ulong serverChallenge,
out byte[] caseInsensitivePassword,
out byte[] caseSensitivePassword)
{
if (ntlmVersion != NlmpVersion.v1 && ntlmVersion != NlmpVersion.v2)
{
throw new ArgumentException(
string.Format("the ntlmVersion({0}) must be valid NlmpVersion value", ntlmVersion), "ntlmVersion");
}
caseInsensitivePassword = null;
caseSensitivePassword = null;
#region Prepare the TargetInfo
byte[] targetInfo = null;
List<AV_PAIR> pairs = new List<AV_PAIR>();
NlmpUtility.AddAVPair(pairs, AV_PAIR_IDs.MsvAvEOL, 0x00, null);
targetInfo = NlmpUtility.AvPairCollectionGetBytes(pairs);
#endregion
#region Prepare the Nlmp Negotiate Flags
// the flags for negotiage
NegotiateTypes nlmpFlags = NegotiateTypes.NTLMSSP_NEGOTIATE_NTLM | NegotiateTypes.NTLM_NEGOTIATE_OEM;
#endregion
// exported to application for the SessionKey.
byte[] sessionBaseKey = null;
#region Prepare the keys
// responseKeyNT
byte[] responseKeyNT = NlmpUtility.GetResponseKeyNt(ntlmVersion, domainName, userName, password);
// responseKeyLM
byte[] responseKeyLM = NlmpUtility.GetResponseKeyLm(ntlmVersion, domainName, userName, password);
#endregion
#region Compute Resonse
// clientChallenge, a 8 bytes random number.
ulong clientChallenge = BitConverter.ToUInt64(NlmpUtility.Nonce(8), 0);
// compute response
NlmpUtility.ComputeResponse(
ntlmVersion, nlmpFlags, responseKeyNT, responseKeyLM, serverChallenge, clientChallenge, serverTime,
targetInfo, out caseSensitivePassword, out caseInsensitivePassword, out sessionBaseKey);
#endregion
}
public void GetSecurityToken(
NlmpVersion ntlmVersion,
string domainName,
string userName,
string password,
ulong serverTime,
ulong serverChallenge,
out byte[] caseInsensitivePassword,
out byte[] caseSensitivePassword)
{
if (ntlmVersion != NlmpVersion.v1 && ntlmVersion != NlmpVersion.v2)
{
throw new ArgumentException(
string.Format("the ntlmVersion({0}) must be valid NlmpVersion value", ntlmVersion), "ntlmVersion");
}
caseInsensitivePassword = null;
caseSensitivePassword = null;
#region Prepare the TargetInfo
byte[] targetInfo = null;
List <AV_PAIR> pairs = new List <AV_PAIR>();
NlmpUtility.AddAVPair(pairs, AV_PAIR_IDs.MsvAvEOL, 0x00, null);
targetInfo = NlmpUtility.AvPairCollectionGetBytes(pairs);
#endregion
#region Prepare the Nlmp Negotiate Flags
// the flags for negotiate
NegotiateTypes nlmpFlags = NegotiateTypes.NTLMSSP_NEGOTIATE_NTLM | NegotiateTypes.NTLM_NEGOTIATE_OEM;
#endregion
// exported to application for the SessionKey.
byte[] sessionBaseKey = null;
#region Prepare the keys
// responseKeyNT
byte[] responseKeyNT = NlmpUtility.GetResponseKeyNt(ntlmVersion, domainName, userName, password);
// responseKeyLM
byte[] responseKeyLM = NlmpUtility.GetResponseKeyLm(ntlmVersion, domainName, userName, password);
#endregion
#region Compute Response
// clientChallenge, a 8 bytes random number.
ulong clientChallenge = BitConverter.ToUInt64(NlmpUtility.Nonce(8), 0);
// compute response
NlmpUtility.ComputeResponse(
ntlmVersion, nlmpFlags, responseKeyNT, responseKeyLM, serverChallenge, clientChallenge, serverTime,
targetInfo, out caseSensitivePassword, out caseInsensitivePassword, out sessionBaseKey);
#endregion
}
/// <summary>
/// to create a SessionSetupAndx request packet.
/// </summary>
/// <param name="messageId">This field SHOULD be the multiplex ID that is used to associate a response with a
/// request.</param>
/// <param name="flags">An 8-bit field of 1-bit flags describing various features in effect for the
/// message</param>
/// <param name="flags2">A 16-bit field of 1-bit flags that represent various features in effect for the
/// message. Unspecified bits are reserved and MUST be zero.</param>
/// <param name="maxBufferSize">The maximum size, in bytes, of the largest SMB message that the client can
/// receive. This is the size of the largest SMB message that the server MAY send to the client. SMB message
/// size includes the size of the SMB header, parameter, and data blocks. This size MUST not include any
/// transport-layer framing or other transport-layer data</param>
/// <param name="maxMpxCount">The maximum number of pending multiplexed requests supported by the client. This
/// value MUST be less than or equal to the MaxMpxCount value provided by the server in the SMB_COM_NEGOTIATE
/// response</param>
/// <param name="vcNumber">The number of this VC (virtual circuit) between the client and the server. This
/// field SHOULD be set to a value of 0 for the first virtual circuit between the client and the server and it
/// SHOULD be set to a unique nonzero value for additional virtual circuit.</param>
/// <param name="sessionKey">The client MUST set this to be equal to the SessionKey field in the
/// SMB_COM_NEGOTIATE response for this SMB connection</param>
/// <param name="capabilities">A 32-bit field providing a set of client capability indicators. The client uses
/// this field to report its own set of capabilities to the server. The client capabilities are a subset of the
/// server capabilities, specified in section </param>
/// <param name="userInfo">the user account information with which the user authenticates.</param>
/// <param name="nativeOs">A string representing the native operating system of the CIFS client. </param>
/// <param name="nativeLanMan">A string that represents the native LAN manager type of the client.</param>
/// <param name="andxPacket">the andx packet.</param>
/// <param name="ntlmAuthenticationPolicy">the NT LAN Manager challenge/response authentication mechanism
/// to be used.</param>
/// <param name="lmAuthenticationPolicy">the LAN Manager challenge/response authentication mechanism
/// to be used. </param>
/// <returns>a SessionSetupAndx request packet</returns>
/// <exception cref="System.ArgumentNullException">the userInfo must not be null.</exception>
public SmbSessionSetupAndxRequestPacket CreateSessionSetupAndxRequest(
ushort messageId,
SmbFlags flags,
SmbFlags2 flags2,
ushort maxBufferSize,
ushort maxMpxCount,
ushort vcNumber,
uint sessionKey,
Capabilities capabilities,
CifsUserAccount userInfo,
string nativeOs,
string nativeLanMan,
SmbPacket andxPacket,
NTLMAuthenticationPolicyValues ntlmAuthenticationPolicy,
LMAuthenticationPolicyValues lmAuthenticationPolicy)
{
#region Check parameters
if (userInfo == null)
{
throw new ArgumentNullException("userInfo");
}
if (nativeOs == null)
{
nativeOs = string.Empty;
}
if (nativeLanMan == null)
{
nativeLanMan = string.Empty;
}
#endregion
#region GetConnection and create SmbSessionSetupAndxRequestPacket
CifsClientPerConnection connection = this.Context.GetConnection(this.connectionId);
if (connection == null)
{
throw new InvalidOperationException("No connection set up."
+ " Please call this method after receiving successful Negotiate response.");
}
this.context.NtlmAuthenticationPolicy = ntlmAuthenticationPolicy;
this.context.LmAuthenticationPolicy = lmAuthenticationPolicy;
this.context.PlaintextAuthenticationPolicy = PlaintextAuthenticationPolicyValues.Disabled;
bool isUnicode = (flags2 & SmbFlags2.SMB_FLAGS2_UNICODE) == SmbFlags2.SMB_FLAGS2_UNICODE;
SmbSessionSetupAndxRequestPacket packet = new SmbSessionSetupAndxRequestPacket();
packet.SmbHeader = CifsMessageUtils.CreateSmbHeader(SmbCommand.SMB_COM_SESSION_SETUP_ANDX,
messageId, 0, 0, flags, flags2);
SMB_COM_SESSION_SETUP_ANDX_Request_SMB_Parameters smbParameters =
new SMB_COM_SESSION_SETUP_ANDX_Request_SMB_Parameters();
smbParameters.AndXReserved = 0;
smbParameters.MaxBufferSize = maxBufferSize;
smbParameters.MaxMpxCount = maxMpxCount;
smbParameters.VcNumber = vcNumber;
smbParameters.SessionKey = sessionKey;
smbParameters.OEMPasswordLen = 0;
smbParameters.UnicodePasswordLen = 0;
smbParameters.Capabilities = capabilities;
smbParameters.Reserved = 0;
smbParameters.WordCount = (byte)(Marshal.SizeOf(smbParameters) / NumBytesOfWord);
if (andxPacket == null)
{
smbParameters.AndXCommand = SmbCommand.SMB_COM_NO_ANDX_COMMAND;
}
else
{
smbParameters.AndXCommand = andxPacket.SmbHeader.Command;
}
SMB_COM_SESSION_SETUP_ANDX_Request_SMB_Data smbData = new SMB_COM_SESSION_SETUP_ANDX_Request_SMB_Data();
smbData.AccountName = CifsMessageUtils.ToSmbStringBytes(userInfo.UserName, isUnicode);
smbData.PrimaryDomain = CifsMessageUtils.ToSmbStringBytes(userInfo.DomainName, isUnicode);
smbData.NativeOS = CifsMessageUtils.ToSmbStringBytes(nativeOs, isUnicode);
smbData.NativeLanMan = CifsMessageUtils.ToSmbStringBytes(nativeLanMan, isUnicode);
// The size of the preceding SmbParameters part plus Header part is an odd number for all cifs messages
// If the format is Unicode, needs to add one 16 bits align pad
if (isUnicode)
{
// pad 1 byte for 16-bits align:
smbData.Pad = new byte[1];
}
else
{
smbData.Pad = new byte[0];
}
#endregion
#region Get caseSensitivePassword, caseInsensitivePassword and ImplicitNtlmSessionKey
// Initialize Implicit NTLM Token:
NlmpVersion ntlmVersion = new NlmpVersion();
if (ntlmAuthenticationPolicy == NTLMAuthenticationPolicyValues.Disabled)
{
ntlmVersion = NlmpVersion.v1;
}
else
{
ntlmVersion = NlmpVersion.v2;
}
byte[] caseInsensitivePassword = null;
byte[] caseSensitivePassword = null;
byte[] sessionBaseKey = null;
byte[] responseKeyNT = NlmpUtility.GetResponseKeyNt(ntlmVersion, userInfo.DomainName, userInfo.UserName, userInfo.Password);
byte[] responseKeyLM = NlmpUtility.GetResponseKeyLm(ntlmVersion, userInfo.DomainName, userInfo.UserName, userInfo.Password);
ulong clientChallenge = BitConverter.ToUInt64(NlmpUtility.Nonce(8), 0);
NegotiateTypes negotiateFlags = NegotiateTypes.NTLMSSP_NEGOTIATE_NTLM | NegotiateTypes.NTLM_NEGOTIATE_OEM;
NlmpUtility.ComputeResponse(ntlmVersion,
negotiateFlags,
responseKeyNT,
responseKeyLM,
connection.Challenge,
clientChallenge,
connection.SystemTime,
Encoding.Unicode.GetBytes(connection.ServerNetbiosName),
out caseSensitivePassword,
out caseInsensitivePassword,
out sessionBaseKey);
byte[] implicitNtlmSessionKey = new byte[sessionBaseKey.Length + caseSensitivePassword.Length];
Array.Copy(sessionBaseKey, implicitNtlmSessionKey, sessionBaseKey.Length);
Array.Copy(caseSensitivePassword, 0, implicitNtlmSessionKey, sessionBaseKey.Length, caseSensitivePassword.Length);
packet.ImplicitNtlmSessionKey = implicitNtlmSessionKey;
#endregion
#region Update Password
// Update caseSensitivePassword if it is PlainTextPassword
if (ntlmAuthenticationPolicy == NTLMAuthenticationPolicyValues.Disabled
&& lmAuthenticationPolicy == LMAuthenticationPolicyValues.Disabled)
{
if (isUnicode)
{
caseSensitivePassword = NlmpUtility.StringGetBytes(userInfo.Password, true);
}
else
{
caseInsensitivePassword = NlmpUtility.StringGetBytes(userInfo.Password, false);
}
this.context.PlaintextAuthenticationPolicy = PlaintextAuthenticationPolicyValues.Enabled;
}
// Set smbData and smbParameters for the Password
if (caseSensitivePassword != null)
{
smbData.UnicodePassword = caseSensitivePassword;
smbParameters.UnicodePasswordLen = (ushort)caseSensitivePassword.Length;
}
if (caseInsensitivePassword != null)
{
smbData.OEMPassword = caseInsensitivePassword;
smbParameters.OEMPasswordLen = (ushort)caseInsensitivePassword.Length;
}
#endregion
#region Update smbData.ByteCount
smbData.ByteCount = 0;
if (smbData.OEMPassword != null)
{
smbData.ByteCount += (ushort)smbData.OEMPassword.Length;
}
if (smbData.UnicodePassword != null)
{
smbData.ByteCount += (ushort)smbData.UnicodePassword.Length;
}
if (smbData.Pad != null)
{
smbData.ByteCount += (ushort)smbData.Pad.Length;
}
if (smbData.AccountName != null)
{
smbData.ByteCount += (ushort)smbData.AccountName.Length;
}
if (smbData.PrimaryDomain != null)
{
smbData.ByteCount += (ushort)smbData.PrimaryDomain.Length;
}
if (smbData.NativeOS != null)
{
smbData.ByteCount += (ushort)smbData.NativeOS.Length;
}
if (smbData.NativeLanMan != null)
{
smbData.ByteCount += (ushort)smbData.NativeLanMan.Length;
}
#endregion
packet.SmbParameters = smbParameters;
packet.SmbData = smbData;
packet.AndxPacket = andxPacket;
return packet;
}
/// <summary>
/// accept the authenticate packet, if failed, throw exception.
/// </summary>
/// <param name="authenticatePacket">authenciate packet</param>
/// <exception cref="InvalidOperationException">INVALID message error</exception>
/// <exception cref="InvalidOperationException">mic of authenticate packet is invalid</exception>
private void AcceptAuthenticatePacket(NlmpAuthenticatePacket authenticatePacket)
{
// save the authenticate to valid the mic.
this.authenticate = authenticatePacket;
// retrieve the client authenticate information
ClientAuthenticateInfomation authenticateInformation =
RetrieveClientAuthenticateInformation(authenticatePacket);
// update the version of context
this.version = authenticateInformation.Version;
if (authenticateInformation.ClientTime != 0)
{
this.systemTime = authenticateInformation.ClientTime;
}
byte[] exportedSessionKey = null;
if (this.nlmpServer.Context.ClientCredential == null)
{
if (verifyAuthenticatePacketInDc == null)
{
throw new InvalidOperationException(
"In domain environment, the delegate method " +
"VerifyAuthenticatePacketInDcMethod should not be null");
}
// in domain environment, the authentication is hosted in Active Directory,
// the response pair MUST be sent to DC to verify [MS-APDS] section 3.1.5
// DC will return the authentication result and the session key
DcValidationInfo dcValidationInfo = verifyAuthenticatePacketInDc(
authenticatePacket,
this.challenge.Payload.ServerChallenge);
if (dcValidationInfo.status != NtStatus.STATUS_SUCCESS)
{
throw new InvalidOperationException(
string.Format(
"verify authentication packet in DC failed, NtStatus value ={0}",
dcValidationInfo.status.ToString()));
}
exportedSessionKey = dcValidationInfo.sessionKey;
}
else
{
// in workgroup environment. the authentication is hosted locally.
authenticateInformation = VerifyAuthenticatePacketLocally(
authenticatePacket,
authenticateInformation,
out exportedSessionKey);
}
// save keys
this.nlmpServer.Context.ExportedSessionKey = exportedSessionKey;
// initialize keys and handles
InitializeKeys(exportedSessionKey);
}
/// <summary>
/// constructor
/// </summary>
/// <param name="flags">the negotiate flags indicates the capabilities of server or client</param>
/// <param name="isDomainJoined">whether the server joined to domain</param>
/// <param name="netbiosDomainName">the netbios domain name of server</param>
/// <param name="netbiosMachineName">the netbios machine name of server</param>
/// <param name="verifyAuthenticatePacketInDcMethod">
/// the delegate method used to verify authentication packet in AD/Account Database;
/// </param>
public NlmpServerSecurityContext(
NegotiateTypes flags,
bool isDomainJoined,
string netbiosDomainName,
string netbiosMachineName,
VerifyAuthenticatePacketInDcMethod verifyAuthenticatePacketInDcMethod)
{
this.version = new NlmpVersion();
this.nlmpServer = new NlmpServer();
this.nlmpServer.Context.NegFlg = flags;
this.nlmpServer.Context.ClientCredential = null;
this.nlmpServer.Context.IsDomainJoined = isDomainJoined;
this.nlmpServer.Context.NbDomainName = netbiosDomainName;
this.nlmpServer.Context.NbMachineName = netbiosMachineName;
this.needContinueProcessing = true;
this.verifyAuthenticatePacketInDc = verifyAuthenticatePacketInDcMethod;
}
/// <summary>
/// constructor
/// </summary>
/// <param name="flags">the negotiate flags indicates the capabilities of server or client</param>
/// <param name="clientCredential">
/// the credential of client. server sdk can not retrieve password from AD/Account Database;<para/>
/// instead, server sdk get the user credential from this parameter.
/// </param>
/// <param name="isDomainJoined">whether the server joined to domain</param>
/// <param name="netbiosDomainName">the netbios domain name of server</param>
/// <param name="netbiosMachineName">the netbios machine name of server</param>
public NlmpServerSecurityContext(
NegotiateTypes flags,
NlmpClientCredential clientCredential,
bool isDomainJoined,
string netbiosDomainName,
string netbiosMachineName)
{
this.version = new NlmpVersion();
this.nlmpServer = new NlmpServer();
this.nlmpServer.Context.NegFlg = flags;
this.nlmpServer.Context.ClientCredential = clientCredential;
this.nlmpServer.Context.IsDomainJoined = isDomainJoined;
this.nlmpServer.Context.NbDomainName = netbiosDomainName;
this.nlmpServer.Context.NbMachineName = netbiosMachineName;
this.needContinueProcessing = true;
}
