public PA_SVR_REFERRAL_DATA(
PrincipalName param0,
Realm param1)
{
this.referred_name = param0;
this.referred_realm = param1;
}
public KDC_REQ_BODY(
KDCOptions param0,
PrincipalName param1,
Realm param2,
PrincipalName param3,
KerberosTime param4,
KerberosTime param5,
KerberosTime param6,
KerbUInt32 param7,
Asn1SequenceOf <KerbInt32> param8,
HostAddresses param9,
EncryptedData param10,
Asn1SequenceOf <Ticket> param11)
{
this.kdc_options = param0;
this.cname = param1;
this.realm = param2;
this.sname = param3;
this.from = param4;
this.till = param5;
this.rtime = param6;
this.nonce = param7;
this.etype = param8;
this.addresses = param9;
this.enc_authorization_data = param10;
this.additional_tickets = param11;
}
private KDC_REQ_BODY CreateKdcRequestBody(KdcOptions kdcOptions, PrincipalName sName, AuthorizationData authData = null)
{
KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sName);
if (authData == null)
{
return(kdcReqBody);
}
Asn1BerEncodingBuffer asnEncBuffer = new Asn1BerEncodingBuffer();
authData.BerEncode(asnEncBuffer, true);
EncryptedData encryptData = new EncryptedData();
encryptData.etype = new KerbInt32(0);
byte[] encryptAsnEncoded = asnEncBuffer.Data;
if (this.Context.SessionKey != null && this.Context.SessionKey.keytype != null && this.Context.SessionKey.keyvalue != null && this.Context.SessionKey.keyvalue.Value != null)
{
encryptAsnEncoded = KerberosUtility.Encrypt(
(EncryptionType)this.Context.SessionKey.keytype.Value,
this.Context.SessionKey.keyvalue.ByteArrayValue,
encryptAsnEncoded,
(int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData
);
encryptData.etype = new KerbInt32(this.Context.SessionKey.keytype.Value);
}
encryptData.cipher = new Asn1OctetString(encryptAsnEncoded);
kdcReqBody.enc_authorization_data = encryptData;
return(kdcReqBody);
}
private void SendTgsRequest(string sName, KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPadata = null, AuthorizationData dataInAuthentiator = null, AuthorizationData dataInEncAuthData = null, MsgType msgType = MsgType.KRB_TGS_REQ)
{
if (string.IsNullOrEmpty(sName))
{
throw new ArgumentNullException("sName");
}
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = this.CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData); // almost same as AS request
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
ChecksumType checksumType = KerberosUtility.GetChecksumType(this.Context.SelectedEType);
PA_DATA paTgsReq = CreatePaTgsReqest(checksumType, bodyBuffer.Data, dataInAuthentiator); // use AS session key encrypt authenticator.
Asn1SequenceOf <PA_DATA> tempPaData = null;
if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf <PA_DATA>(new PA_DATA[] { paTgsReq });
}
else
{
PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1];
Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length);
paDatas[seqPadata.Elements.Length] = paTgsReq;
tempPaData = new Asn1SequenceOf <PA_DATA>(paDatas);
}
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType);
tgsRequest.Request.msg_type.Value = (long)msgType;
this.client.SendPdu(tgsRequest);
}
public EncASRepPart(
EncryptionKey param0,
LastReq param1,
KerbUInt32 param2,
KerberosTime param3,
TicketFlags param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
KerberosTime param8,
Realm param9,
PrincipalName param10,
HostAddresses param11,
Asn1SequenceOf <PA_DATA> param12)
{
this.key = param0;
this.last_req = param1;
this.nonce = param2;
this.key_expiration = param3;
this.flags = param4;
this.authtime = param5;
this.starttime = param6;
this.endtime = param7;
this.renew_till = param8;
this.srealm = param9;
this.sname = param10;
this.caddr = param11;
this.pa_datas = param12;
}
public KrbCredInfo(
EncryptionKey param0,
Realm param1,
PrincipalName param2,
TicketFlags param3,
KerberosTime param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
Realm param8,
PrincipalName param9,
HostAddresses param10)
{
this.key = param0;
this.prealm = param1;
this.pname = param2;
this.flags = param3;
this.authtime = param4;
this.starttime = param5;
this.endtime = param6;
this.renew_till = param7;
this.srealm = param8;
this.sname = param9;
this.caddr = param10;
}
public EncTicketPart(
TicketFlags param0,
EncryptionKey param1,
Realm param2,
PrincipalName param3,
TransitedEncoding param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
KerberosTime param8,
HostAddresses param9,
AuthorizationData param10)
{
this.flags = param0;
this.key = param1;
this.crealm = param2;
this.cname = param3;
this.transited = param4;
this.authtime = param5;
this.starttime = param6;
this.endtime = param7;
this.renew_till = param8;
this.caddr = param9;
this.authorization_data = param10;
}
public EncTicketPart(
TicketFlags param0,
EncryptionKey param1,
Realm param2,
PrincipalName param3,
TransitedEncoding param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
KerberosTime param8,
HostAddresses param9,
AuthorizationData param10)
{
this.flags = param0;
this.key = param1;
this.crealm = param2;
this.cname = param3;
this.transited = param4;
this.authtime = param5;
this.starttime = param6;
this.endtime = param7;
this.renew_till = param8;
this.caddr = param9;
this.authorization_data = param10;
}
public KDC_REQ_BODY(
KDCOptions param0,
PrincipalName param1,
Realm param2,
PrincipalName param3,
KerberosTime param4,
KerberosTime param5,
KerberosTime param6,
KerbUInt32 param7,
Asn1SequenceOf<KerbInt32> param8,
HostAddresses param9,
EncryptedData param10,
Asn1SequenceOf<Ticket> param11)
{
this.kdc_options = param0;
this.cname = param1;
this.realm = param2;
this.sname = param3;
this.from = param4;
this.till = param5;
this.rtime = param6;
this.nonce = param7;
this.etype = param8;
this.addresses = param9;
this.enc_authorization_data = param10;
this.additional_tickets = param11;
}
public KrbCredInfo(
EncryptionKey param0,
Realm param1,
PrincipalName param2,
TicketFlags param3,
KerberosTime param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
Realm param8,
PrincipalName param9,
HostAddresses param10)
{
this.key = param0;
this.prealm = param1;
this.pname = param2;
this.flags = param3;
this.authtime = param4;
this.starttime = param5;
this.endtime = param6;
this.renew_till = param7;
this.srealm = param8;
this.sname = param9;
this.caddr = param10;
}
public PA_SVR_REFERRAL_DATA(
PrincipalName param0,
Realm param1)
{
this.referred_name = param0;
this.referred_realm = param1;
}
public EncASRepPart(
EncryptionKey param0,
LastReq param1,
KerbUInt32 param2,
KerberosTime param3,
TicketFlags param4,
KerberosTime param5,
KerberosTime param6,
KerberosTime param7,
KerberosTime param8,
Realm param9,
PrincipalName param10,
HostAddresses param11,
Asn1SequenceOf<PA_DATA> param12)
{
this.key = param0;
this.last_req = param1;
this.nonce = param2;
this.key_expiration = param3;
this.flags = param4;
this.authtime = param5;
this.starttime = param6;
this.endtime = param7;
this.renew_till = param8;
this.srealm = param9;
this.sname = param10;
this.caddr = param11;
this.pa_datas = param12;
}
public KRB_ERROR(
Asn1Integer param0,
Asn1Integer param1,
KerberosTime param2,
Microseconds param3,
KerberosTime param4,
Microseconds param5,
KerbInt32 param6,
Realm param7,
PrincipalName param8,
Realm param9,
PrincipalName param10,
KerberosString param11,
Asn1OctetString param12)
{
this.pvno = param0;
this.msg_type = param1;
this.ctime = param2;
this.cusec = param3;
this.stime = param4;
this.susec = param5;
this.error_code = param6;
this.crealm = param7;
this.cname = param8;
this.realm = param9;
this.sname = param10;
this.e_text = param11;
this.e_data = param12;
}
public KRB_ERROR(
Asn1Integer param0,
Asn1Integer param1,
KerberosTime param2,
Microseconds param3,
KerberosTime param4,
Microseconds param5,
KerbInt32 param6,
Realm param7,
PrincipalName param8,
Realm param9,
PrincipalName param10,
KerberosString param11,
Asn1OctetString param12)
{
this.pvno = param0;
this.msg_type = param1;
this.ctime = param2;
this.cusec = param3;
this.stime = param4;
this.susec = param5;
this.error_code = param6;
this.crealm = param7;
this.cname = param8;
this.realm = param9;
this.sname = param10;
this.e_text = param11;
this.e_data = param12;
}
/// <summary>
/// Create context
/// </summary>
/// <param name="domain">Domain name</param>
/// <param name="cName">Principal name</param>
/// <param name="password">Password of principal</param>
/// <param name="accountType">Accoundtype, user or device</param>
public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt = null)
: this()
{
if (domain == null)
{
throw new ArgumentNullException("domain");
}
if (cName == null)
{
throw new ArgumentNullException("cName");
}
if (password == null)
{
throw new ArgumentNullException("password");
}
this.Realm = new Realm(domain);
PrincipalName name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));
if (null == salt)
{
if (accountType == KerberosAccountType.User)
salt = KerberosUtility.GenerateSalt(domain, cName, accountType);
else if (accountType == KerberosAccountType.Device)
salt = KerberosUtility.GenerateSalt(domain, cName, accountType);
else
{
throw new ArgumentOutOfRangeException("Account type not support");
}
}
this.CName = new Principal(accountType, this.Realm, name, password, salt);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="type">Type of Principal</param>
/// <param name="name">Principal name</param>
/// <param name="password">Password of principal</param>
/// <param name="salt">Salt of principal</param>
public Principal(KerberosAccountType type, string realm, string name, string password, string salt)
{
Type = type;
Realm = new Realm(realm);
Name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(name));
Password = password;
Salt = salt;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="type">Type of Principal</param>
/// <param name="name">Principal name</param>
/// <param name="password">Password of principal</param>
public Principal(KerberosAccountType type, Realm realm, PrincipalName name, string password, string salt)
{
Type = type;
Realm = realm;
Name = name;
Password = password;
Salt = salt;
}
public ChangePasswdData(
Asn1OctetString param0,
PrincipalName param1,
Realm param2)
{
this.newpasswd = param0;
this.targname = param1;
this.targrealm = param2;
}
public ChangePasswdData(
Asn1OctetString param0,
PrincipalName param1,
Realm param2)
{
this.newpasswd = param0;
this.targname = param1;
this.targrealm = param2;
}
public AD_KDCIssued(
Checksum param0,
Realm param1,
PrincipalName param2,
AuthorizationData param3)
{
this.ad_checksum = param0;
this.i_realm = param1;
this.i_sname = param2;
this.elements = param3;
}
public Ticket(
Asn1Integer param0,
Realm param1,
PrincipalName param2,
EncryptedData param3)
{
this.tkt_vno = param0;
this.realm = param1;
this.sname = param2;
this.enc_part = param3;
}
public AD_KDCIssued(
Checksum param0,
Realm param1,
PrincipalName param2,
AuthorizationData param3)
{
this.ad_checksum = param0;
this.i_realm = param1;
this.i_sname = param2;
this.elements = param3;
}
public Ticket(
Asn1Integer param0,
Realm param1,
PrincipalName param2,
EncryptedData param3)
{
this.tkt_vno = param0;
this.realm = param1;
this.sname = param2;
this.enc_part = param3;
}
public KrbFastFinished(
KerberosTime param0,
Microseconds param1,
Realm param2,
PrincipalName param3,
Checksum param4)
{
this.timestamp = param0;
this.usec = param1;
this.crealm = param2;
this.cname = param3;
this.ticket_checksum = param4;
}
private KerberosAsRequest SendAsRequest(KdcOptions kdcOptions, Asn1SequenceOf <PA_DATA> seqPaData)
{
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData);
this.client.SendPdu(asRequest);
return(asRequest);
}
public static string PrincipalName2String(PrincipalName name)
{
StringBuilder sb = new StringBuilder();
for (int i = 0; i < name.name_string.Elements.Length; i++)
{
sb.Append(name.name_string.Elements[i]);
if (i != name.name_string.Elements.Length - 1)
{
sb.Append("/");
}
}
return(sb.ToString());
}
private KDC_REQ_BODY CreateKdcRequestBody(KdcOptions kdcOptions, PrincipalName sName)
{
KerbUInt32 nonce = new KerbUInt32((uint)Math.Abs((int)DateTime.Now.Ticks));
KerberosTime till = new KerberosTime(KerberosConstValue.TGT_TILL_TIME);
KerberosTime rtime = new KerberosTime(KerberosConstValue.TGT_RTIME);
HostAddresses addresses =
new HostAddresses(new HostAddress[1] {
new HostAddress(new KerbInt32((int)AddressType.NetBios),
new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName())))
});
KDCOptions options = new KDCOptions(KerberosUtility.ConvertInt2Flags((int)kdcOptions));
KDC_REQ_BODY kdcReqBody = new KDC_REQ_BODY(options, Context.CName.Name, Context.Realm, sName, null, till, rtime, nonce, Context.SupportedEType, addresses, null, null);
return(kdcReqBody);
}
public AS_REP(
Asn1Integer param0,
Asn1Integer param1,
Asn1SequenceOf <PA_DATA> param2,
Realm param3,
PrincipalName param4,
Ticket param5,
EncryptedData param6)
{
this.pvno = param0;
this.msg_type = param1;
this.padata = param2;
this.crealm = param3;
this.cname = param4;
this.ticket = param5;
this.enc_part = param6;
}
public AS_REP(
Asn1Integer param0,
Asn1Integer param1,
Asn1SequenceOf<PA_DATA> param2,
Realm param3,
PrincipalName param4,
Ticket param5,
EncryptedData param6)
{
this.pvno = param0;
this.msg_type = param1;
this.padata = param2;
this.crealm = param3;
this.cname = param4;
this.ticket = param5;
this.enc_part = param6;
}
public Authenticator(
Asn1Integer param0,
Realm param1,
PrincipalName param2,
Checksum param3,
Microseconds param4,
KerberosTime param5,
EncryptionKey param6,
KerbUInt32 param7,
AuthorizationData param8)
{
this.authenticator_vno = param0;
this.crealm = param1;
this.cname = param2;
this.cksum = param3;
this.cusec = param4;
this.ctime = param5;
this.subkey = param6;
this.seq_number = param7;
this.authorization_data = param8;
}
public Authenticator(
Asn1Integer param0,
Realm param1,
PrincipalName param2,
Checksum param3,
Microseconds param4,
KerberosTime param5,
EncryptionKey param6,
KerbUInt32 param7,
AuthorizationData param8)
{
this.authenticator_vno = param0;
this.crealm = param1;
this.cname = param2;
this.cksum = param3;
this.cusec = param4;
this.ctime = param5;
this.subkey = param6;
this.seq_number = param7;
this.authorization_data = param8;
}
/// <summary>
/// Create context
/// </summary>
/// <param name="domain">Domain name</param>
/// <param name="cName">Principal name</param>
/// <param name="password">Password of principal</param>
/// <param name="accountType">Accoundtype, user or device</param>
public KerberosContext(string domain, string cName, string password, KerberosAccountType accountType, string salt = null)
: this()
{
if (domain == null)
{
throw new ArgumentNullException("domain");
}
if (cName == null)
{
throw new ArgumentNullException("cName");
}
if (password == null)
{
throw new ArgumentNullException("password");
}
this.Realm = new Realm(domain);
PrincipalName name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));
if (null == salt)
{
if (accountType == KerberosAccountType.User)
{
salt = KerberosUtility.GenerateSalt(domain, cName, accountType);
}
else if (accountType == KerberosAccountType.Device)
{
salt = KerberosUtility.GenerateSalt(domain, cName, accountType);
}
else
{
throw new ArgumentOutOfRangeException("Account type not support");
}
}
this.CName = new Principal(accountType, this.Realm, name, password, salt);
}
public PaFxFastReq CreateAsPaFxFast(
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
Asn1SequenceOf<PA_DATA> seqPaData,
string sName,
KDC_REQ_BODY kdcReqBody,
KrbFastArmorType armorType
)
{
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
var armorKey = KerberosUtility.MakeArmorKey(
Context.SelectedEType,
subKey.keyvalue.ByteArrayValue,
Context.ArmorSessionKey.keyvalue.ByteArrayValue);
Context.FastArmorkey = new EncryptionKey(new KerbInt32((long)Context.SelectedEType), new Asn1OctetString(armorKey));
Asn1BerEncodingBuffer encodebuf = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(encodebuf);
var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
var chksum = KerberosUtility.GetChecksum(
armorKey,
encodebuf.Data,
(int)KeyUsageNumber.FAST_REQ_CHECKSUM,
checksumType);
Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));
Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, subKey);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
Context.ArmorTicket,
plaintextAuthenticator,
KeyUsageNumber.AP_REQ_Authenticator);
KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);
KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
FastArmorApRequest fastArmor = new FastArmorApRequest(apReq.Request);
fastArmor.armorType = armorType;
KerberosArmoredRequest armoredReq
= new KerberosArmoredRequest(fastArmor, checkSum, (long)Context.SelectedEType, armorKey, fastReq);
PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
return paFxfast;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="type">Type of Principal</param>
/// <param name="name">Principal name</param>
/// <param name="password">Password of principal</param>
/// <param name="salt">Salt of principal</param>
public Principal(KerberosAccountType type, string realm, string name, string password, string salt)
{
Type = type;
Realm = new Realm(realm);
Name = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(name));
Password = password;
Salt = salt;
}
/// <summary>
/// Create a Kerberos ticket
/// </summary>
/// <param name="ticket">Ticket</param>
/// <param name="ticketOwner">Owner of ticket</param>
/// <param name="sessionKey">Session key in ticket</param>
public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey)
{
this.Ticket = ticket;
this.TicketOwner = ticketOwner;
this.SessionKey = sessionKey;
}
/// <summary>
/// Create and send AS request for Password change
/// </summary>
/// <param name="kdcOptions">KDC options</param>
/// <param name="seqPaData">A sequence of preauthentication data</param>
public void SendAsRequestForPwdChange(KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> seqPaData)
{
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(KerberosConstValue.KERBEROS_KADMIN_SNAME.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData);
this.SendPdu(asRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request for password change.");
}
/// <summary>
/// Create and send FAST AS request with an unknown armor type
/// </summary>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="armorType">armorType</param>
public void SendAsRequestWithFast(
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
KrbFastArmorType armorType
)
{
Context.Subkey = subKey;
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody, armorType);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
this.SendPdu(asRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
}
/// <summary>
/// Create a Kerberos ticket
/// </summary>
/// <param name="ticket">Ticket</param>
/// <param name="ticketOwner">Owner of ticket</param>
/// <param name="sessionKey">Session key in ticket</param>
public KerberosTicket(Ticket ticket, PrincipalName ticketOwner, EncryptionKey sessionKey)
{
this.Ticket = ticket;
this.TicketOwner = ticketOwner;
this.SessionKey = sessionKey;
}
/// <summary>
/// Create and send FAST AS request
/// </summary>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
public void SendAsRequestWithFastHideCName(
KdcOptions kdcOptions,
string cName,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
ApOptions apOptions)
{
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
Context.Subkey = subKey;
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname);
kdcReqBody.cname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_PRINCIPAL), KerberosUtility.String2SeqKerbString(cName));
var pafxfast = CreateAsPaFxFast(subKey, fastOptions, apOptions, innerSeqPaData, sName, kdcReqBody);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements));
this.SendPdu(asRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request with FAST PA-DATA.");
}
/// <summary>
/// Create and send TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="seqPadata">A sequence of preauthentication data</param>
/// <param name="checksumType">Checksum type of PA-TGS-REQ</param>
/// <param name="additionalTicket">Additional ticket</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequest(string sName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> seqPadata = null,
Ticket additionalTicket = null,
AuthorizationData dataInAuthenticator = null,
AuthorizationData dataInEncAuthData = null)
{
if (sName == null)
{
throw new ArgumentNullException("sName");
}
PrincipalName sname = new PrincipalName(
new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, dataInEncAuthData);
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
PA_DATA paTgsReq = CreatePaTgsReq(checksumType, bodyBuffer.Data, dataInAuthenticator);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (seqPadata == null || seqPadata.Elements == null || seqPadata.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq });
}
else
{
PA_DATA[] paDatas = new PA_DATA[seqPadata.Elements.Length + 1];
Array.Copy(seqPadata.Elements, paDatas, seqPadata.Elements.Length);
paDatas[seqPadata.Elements.Length] = paTgsReq;
tempPaData = new Asn1SequenceOf<PA_DATA>(paDatas);
}
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, tempPaData, Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send TGS request.");
}
private Authenticator CreateAuthenticator(PrincipalName cname, Realm realm, EncryptionKey subkey = null, AuthorizationData data = null)
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create authenticator");
Random r = new Random();
int seqNum = r.Next();
Authenticator plaintextAuthenticator = new Authenticator
{
authenticator_vno = new Asn1Integer(KerberosConstValue.KERBEROSV5),
crealm = realm,
cusec = new Microseconds(0),
ctime = KerberosUtility.CurrentKerberosTime,
seq_number = new KerbUInt32(seqNum),
cname = cname,
subkey = subkey,
authorization_data = data
};
AuthCheckSum checksum = new AuthCheckSum { Lgth = KerberosConstValue.AUTHENTICATOR_CHECKSUM_LENGTH };
checksum.Bnd = new byte[checksum.Lgth];
checksum.Flags = (int)(ChecksumFlags.GSS_C_MUTUAL_FLAG | ChecksumFlags.GSS_C_INTEG_FLAG);
byte[] checkData = ArrayUtility.ConcatenateArrays(BitConverter.GetBytes(checksum.Lgth),
checksum.Bnd, BitConverter.GetBytes(checksum.Flags));
plaintextAuthenticator.cksum = new Checksum(new KerbInt32((int)ChecksumType.ap_authenticator_8003), new Asn1OctetString(checkData));
return plaintextAuthenticator;
}
private KDC_REQ_BODY CreateKdcRequestBody(
KdcOptions kdcOptions,
PrincipalName sName,
AuthorizationData data = null
)
{
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sName);
if (data == null)
return kdcReqBody;
Asn1BerEncodingBuffer asnBuffer = new Asn1BerEncodingBuffer();
// Fix me: NullReferenceException if data is null.
if (data != null) data.BerEncode(asnBuffer, true);
EncryptedData eData = new EncryptedData();
eData.etype = new KerbInt32(0);
byte[] encAsnEncoded = asnBuffer.Data;
if (Context.SessionKey != null && Context.SessionKey.keytype != null
&& Context.SessionKey.keyvalue != null && Context.SessionKey.keyvalue.Value != null)
{
encAsnEncoded = KerberosUtility.Encrypt((EncryptionType)Context.SessionKey.keytype.Value,
Context.SessionKey.keyvalue.ByteArrayValue,
asnBuffer.Data,
(int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData);
eData.etype = new KerbInt32(Context.SessionKey.keytype.Value);
}
eData.cipher = new Asn1OctetString(encAsnEncoded);
kdcReqBody.enc_authorization_data = eData;
return kdcReqBody;
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="type">Type of Principal</param>
/// <param name="name">Principal name</param>
/// <param name="password">Password of principal</param>
public Principal(KerberosAccountType type, Realm realm, PrincipalName name, string password, string salt)
{
Type = type;
Realm = realm;
Name = name;
Password = password;
Salt = salt;
}
/// <summary>
/// Create and send FAST TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequestWithExplicitFast(
string sName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
FastOptions fastOptions,
ApOptions apOptions,
AuthorizationData data = null)
{
Context.Subkey = subKey;
Context.ReplyKey = subKey;
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
//Create PA-TGS-REQ
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
KerberosApRequest apRequest = CreateApRequest(
option,
Context.Ticket,
subKey,
data,
KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
checksumType,
bodyBuffer.Data);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
}
else
{
tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
}
//Create explicit FAST armor
EncryptionKey explicitSubkey = KerberosUtility.MakeKey(
Context.SelectedEType,
"Password04!",
"This is a salt");
Authenticator plaintextAuthenticator = CreateAuthenticator(Context.ArmorTicket, null, explicitSubkey);
KerberosApRequest apReq = new KerberosApRequest(Context.Pvno,
new APOptions(KerberosUtility.ConvertInt2Flags((int)apOptions)),
Context.ArmorTicket,
plaintextAuthenticator,
KeyUsageNumber.AP_REQ_Authenticator);
FastArmorApRequest explicitArmor = new FastArmorApRequest(apReq.Request);
//Create armor key
var armorKey = GetArmorKey(Context.ArmorSessionKey, subKey, explicitSubkey);
Context.FastArmorkey = armorKey;
//Create PA-FX-FAST
var pafxfast = CreateTgsPaFxFast(armorKey, Context.ArmorTicket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue, explicitArmor);
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
}
/// <summary>
/// Create and send FAST TGS request
/// </summary>
/// <param name="sName">Service principal name</param>
/// <param name="kdcOptions">KDC options</param>
/// <param name="innerSeqPaData">A sequence of preauthentication data in FAST request</param>
/// <param name="outerSeqPaData">A sequence of preauthentication data</param>
/// <param name="subKey">Sub-session key for authenticator in FAST armor field</param>
/// <param name="fastOptions">FAST options</param>
/// <param name="apOptions">AP options in FAST armor field</param>
/// <param name="data">Authorization data</param>
public void SendTgsRequestWithFastHideCName(
string sName,
PrincipalName cName,
KdcOptions kdcOptions,
Asn1SequenceOf<PA_DATA> innerSeqPaData,
Asn1SequenceOf<PA_DATA> outerSeqPaData,
EncryptionKey subKey,
ApOptions apOptions,
AuthorizationData data = null)
{
var fastOptions = new Protocols.TestTools.StackSdk.Security.KerberosV5.Preauth.FastOptions(
KerberosUtility.ConvertInt2Flags((int)FastOptionFlags.Hide_Client_Names));
Context.Subkey = subKey;
Context.ReplyKey = subKey;
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, data);
kdcReqBody.cname = cName;
Asn1BerEncodingBuffer bodyBuffer = new Asn1BerEncodingBuffer();
kdcReqBody.BerEncode(bodyBuffer);
APOptions option = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
ChecksumType checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
KerberosApRequest apRequest = CreateApRequest(
option,
Context.Ticket,
subKey,
data,
KeyUsageNumber.TG_REQ_PA_TGS_REQ_padataOR_AP_REQ_Authenticator,
checksumType,
bodyBuffer.Data);
PaTgsReq paTgsReq = new PaTgsReq(apRequest.Request);
Asn1SequenceOf<PA_DATA> tempPaData = null;
if (outerSeqPaData == null || outerSeqPaData.Elements == null || outerSeqPaData.Elements.Length == 0)
{
tempPaData = new Asn1SequenceOf<PA_DATA>(new PA_DATA[] { paTgsReq.Data });
}
else
{
tempPaData.Elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, tempPaData.Elements, outerSeqPaData.Elements.Length);
tempPaData.Elements[outerSeqPaData.Elements.Length] = paTgsReq.Data;
}
var armorKey = GetArmorKey(Context.SessionKey, subKey);
var pafxfast = CreateTgsPaFxFast(armorKey, Context.Ticket, fastOptions, apOptions, tempPaData, sName, paTgsReq.Data.padata_value.ByteArrayValue);
Context.FastArmorkey = armorKey;
PA_DATA[] elements;
if (outerSeqPaData != null && outerSeqPaData.Elements.Length > 0)
{
elements = new PA_DATA[outerSeqPaData.Elements.Length + 1];
Array.Copy(outerSeqPaData.Elements, elements, outerSeqPaData.Elements.Length);
elements[outerSeqPaData.Elements.Length] = pafxfast.Data;
elements[outerSeqPaData.Elements.Length + 1] = paTgsReq.Data;
}
else
{
elements = new PA_DATA[] { pafxfast.Data, paTgsReq.Data };
}
Asn1SequenceOf<PA_DATA> seqPaData = new Asn1SequenceOf<PA_DATA>();
KerberosTgsRequest tgsRequest = new KerberosTgsRequest(KerberosConstValue.KERBEROSV5, kdcReqBody, new Asn1SequenceOf<PA_DATA>(elements), Context.TransportType);
this.SendPdu(tgsRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send FAST TGS request.");
}
private void Smb2KerberosAuthentication(CaseVariant variant)
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Initialize Kerberos Functional Client");
KerberosFunctionalClient kerberosClient = new KerberosFunctionalClient(
TestConfig.DomainName,
TestConfig.UserName,
TestConfig.UserPassword,
KerberosAccountType.User,
KDCIP,
KDCPort,
TransportType.TCP,
OidPkt,
BaseTestSite);
#region Service Ticket
EncryptionKey serviceKey;
EncTicketPart encTicketPart = RetrieveAndDecryptServiceTicket(kerberosClient, out serviceKey);
Ticket serviceTicket = kerberosClient.Context.Ticket.Ticket;
Realm crealm = serviceTicket.realm;
BaseTestSite.Assert.AreEqual(TestConfig.DomainName.ToLower(),
encTicketPart.crealm.Value.ToLower(),
"Realm name in service ticket encrypted part should match as expected, case insensitive");
BaseTestSite.Assert.AreEqual(TestConfig.UserName.ToLower(),
KerberosUtility.PrincipalName2String(encTicketPart.cname).ToLower(),
"User name in service ticket encrypted part should match as expected, case insensitive.");
if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData to the ticket");
AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
AppendNewAuthDataElement(encTicketPart.authorization_data, unknownElement);
}
if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT_OPTIONAL))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData which is inside AD_IF_RELEVANT to the ticket");
AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
AD_IF_RELEVANT ifRelavantElement =
new AD_IF_RELEVANT(new[] { unknownElement });
var dataBuffer = new Asn1BerEncodingBuffer();
ifRelavantElement.BerEncode(dataBuffer);
AuthorizationDataElement unknownElementOptional =
new AuthorizationDataElement(new KerbInt32((long)AuthorizationData_elementType.AD_IF_RELEVANT), new Asn1OctetString(dataBuffer.Data));
AppendNewAuthDataElement(encTicketPart.authorization_data, unknownElementOptional);
}
if (variant.HasFlag(CaseVariant.TICKET_NOT_VALID))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Ticket start time to tomorrow");
DateTime tomorrow = DateTime.Now.AddDays(1);
string kerbTimeString = tomorrow.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
encTicketPart.starttime = new KerberosTime(kerbTimeString, true);
}
if (variant.HasFlag(CaseVariant.TICKET_EXPIRED))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Ticket end time to yesterday");
DateTime yesterday = DateTime.Now.AddDays(-1);
string kerbTimeString = yesterday.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
encTicketPart.endtime = new KerberosTime(kerbTimeString, true);
}
if (variant.HasFlag(CaseVariant.TICKET_WRONG_ENC_KEY))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Modify the Ticket, making it encrypted with wrong key");
serviceKey = KerberosUtility.GenerateKey(serviceKey);
}
EncryptedData data = EncryptTicket(encTicketPart, serviceKey);
serviceTicket.enc_part = data;
if (variant.HasFlag(CaseVariant.TICKET_WRONG_REALM))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the Realm in the Ticket to an unknown realm");
serviceTicket.realm = new Realm("kerb.com");
}
if (variant.HasFlag(CaseVariant.TICKET_WRONG_SNAME))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the SNAME in the Ticket to an unknown service name");
serviceTicket.sname = new PrincipalName(new KerbInt32((long)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString("UnknownService", TestConfig.DomainName));
}
if (variant.HasFlag(CaseVariant.TICKET_WRONG_KVNO))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep,
"Change the KVNO in the Ticket to an invalid Key Version Number (Int32.MaxValue)");
const int invalidKvno = System.Int32.MaxValue;
serviceTicket.enc_part.kvno = new KerbInt32(invalidKvno);
}
#endregion
#region Authenticator
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create Authenticator");
EncryptionKey subkey = KerberosUtility.GenerateKey(kerberosClient.Context.SessionKey);
PrincipalName cname;
if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CNAME_NOT_MATCH))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong cname in the Authenticator");
cname = new PrincipalName(new KerbInt32((long)PrincipalType.NT_PRINCIPAL),
KerberosUtility.String2SeqKerbString(TestConfig.NonAdminUserName, TestConfig.DomainName));
}
else
{
cname = kerberosClient.Context.CName.Name;
}
Authenticator authenticator = CreateAuthenticator(cname, crealm, subkey);
if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CREALM_NOT_MATCH))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong crealm in the Authenticator");
authenticator.crealm = new Realm("kerb.com");
}
if (variant.HasFlag(CaseVariant.AUTHENTICATOR_EXCEED_TIME_SKEW))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Change the ctime in the Authenticator to one hour later");
DateTime oneHourLater = DateTime.Now.AddHours(1);
string kerbTimeString = oneHourLater.ToUniversalTime().ToString("yyyyMMddhhmmssZ");
authenticator.ctime = new KerberosTime(kerbTimeString, true);
}
if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Add a type-unknown AuthorizationData to the Authenticator");
AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
authenticator.authorization_data = new AuthorizationData(new[] { unknownElement });
}
if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR_OPTIONAL))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep,
"Add a type-unknown AuthorizationData which is inside AD_IF_RELEVANT to the Authenticator");
AuthorizationDataElement unknownElement = GenerateUnKnownAuthorizationDataElement();
AD_IF_RELEVANT ifRelavantElement =
new AD_IF_RELEVANT(new[] { unknownElement });
var dataBuffer = new Asn1BerEncodingBuffer();
ifRelavantElement.BerEncode(dataBuffer);
AuthorizationDataElement unknownElementOptional =
new AuthorizationDataElement(new KerbInt32((long)AuthorizationData_elementType.AD_IF_RELEVANT), new Asn1OctetString(dataBuffer.Data));
authenticator.authorization_data = new AuthorizationData(new[] { unknownElementOptional });
}
#endregion
#region AP Request
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create AP Request");
if (variant.HasFlag(CaseVariant.AUTHENTICATOR_WRONG_ENC_KEY))
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Use wrong key to encrypt the Authenticator");
kerberosClient.Context.Ticket.SessionKey = KerberosUtility.GenerateKey(kerberosClient.Context.Ticket.SessionKey);
}
KerberosApRequest request = new KerberosApRequest(
kerberosClient.Context.Pvno,
new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.MutualRequired)),
kerberosClient.Context.Ticket,
authenticator,
KeyUsageNumber.AP_REQ_Authenticator
);
#endregion
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Create GSS Token");
byte[] token = KerberosUtility.AddGssApiTokenHeader(request, OidPkt, GssToken);
Smb2FunctionalClientForKerbAuth smb2Client = new Smb2FunctionalClientForKerbAuth(TestConfig.Timeout, TestConfig, BaseTestSite);
smb2Client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
#region Check the result
byte[] repToken;
uint status = DoSessionSetupWithGssToken(smb2Client, token, out repToken);
if (variant.HasFlag(CaseVariant.AUTHENTICATOR_CNAME_NOT_MATCH) || variant.HasFlag(CaseVariant.AUTHENTICATOR_CREALM_NOT_MATCH))
{
BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
"Session Setup should fail because the cname or crealm in the authenticator does not match the same field in the Ticket");
if (TestConfig.IsWindowsPlatform)
{
KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH, krbError.ErrorCode,
"SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_BADMATCH);
}
smb2Client.Disconnect();
return;
}
if (variant.HasFlag(CaseVariant.AUTHENTICATOR_WRONG_ENC_KEY) || variant.HasFlag(CaseVariant.TICKET_WRONG_ENC_KEY))
{
BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
"Session Setup should fail because Ticket or Authenticator cannot be correctly decrypted");
if (TestConfig.IsWindowsPlatform)
{
KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED, krbError.ErrorCode,
"SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_MODIFIED);
}
smb2Client.Disconnect();
return;
}
if (variant.HasFlag(CaseVariant.AUTHENTICATOR_EXCEED_TIME_SKEW))
{
BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
"Session Setup should fail because the server time and the client time " +
"in the Authenticator differ by (1 hour) more than the allowable clock skew");
if (TestConfig.IsWindowsPlatform)
{
KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_SKEW, krbError.ErrorCode,
"SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_SKEW);
}
smb2Client.Disconnect();
return;
}
if (variant.HasFlag(CaseVariant.TICKET_WRONG_KVNO) ||
variant.HasFlag(CaseVariant.TICKET_WRONG_REALM) ||
variant.HasFlag(CaseVariant.TICKET_WRONG_SNAME))
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "If decryption fails, server would try other keys");
}
if (variant.HasFlag(CaseVariant.TICKET_NOT_VALID))
{
BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
"Session Setup should fail because the starttime (tomorrow) in the Ticket " +
"is later than the current time by more than the allowable clock skew");
if (TestConfig.IsWindowsPlatform)
{
KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV, krbError.ErrorCode,
"SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_TKT_NYV);
}
smb2Client.Disconnect();
return;
}
if (variant.HasFlag(CaseVariant.TICKET_EXPIRED))
{
BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
"Session Setup should fail because the current time is later than the endtime (yesterday)" +
" in the Ticket by more than the allowable clock skew");
if (TestConfig.IsWindowsPlatform)
{
KerberosKrbError krbError = kerberosClient.GetKrbErrorFromToken(repToken);
BaseTestSite.Assert.AreEqual(KRB_ERROR_CODE.KRB_AP_ERR_TKT_EXPIRED, krbError.ErrorCode,
"SMB Server should return {0}", KRB_ERROR_CODE.KRB_AP_ERR_TKT_EXPIRED);
}
smb2Client.Disconnect();
return;
}
if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT))
{
BaseTestSite.Assert.AreNotEqual(Smb2Status.STATUS_SUCCESS, status,
"Session Setup should fail because of the unknown AutherizationData in the ticket");
smb2Client.Disconnect();
return;
}
if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR))
{
BaseTestSite.Log.Add(LogEntryKind.Comment,
"Unknown AuthorizationData in the Authenticator should not fail the request");
}
if (variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_TKT_OPTIONAL) ||
variant.HasFlag(CaseVariant.AUTHDATA_UNKNOWN_TYPE_IN_AUTHENTICATOR_OPTIONAL))
{
BaseTestSite.Log.Add(LogEntryKind.Comment, "Unknown AuthorizationData in AD_IF_RELEVANT is optional. " +
"Server should not fail the request.");
}
KerberosApResponse apRep = kerberosClient.GetApResponseFromToken(repToken, GssToken);
// Get subkey from AP response, which used for signing in smb2
apRep.Decrypt(kerberosClient.Context.Ticket.SessionKey.keyvalue.ByteArrayValue);
smb2Client.SetSessionSigningAndEncryption(true, false, apRep.ApEncPart.subkey.keyvalue.ByteArrayValue);
string path = Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.BasicFileShare);
AccessFile(smb2Client, path);
#endregion
smb2Client.LogOff();
smb2Client.Disconnect();
}
private KDC_REQ_BODY CreateKdcRequestBody(
KdcOptions kdcOptions,
PrincipalName sName,
KerberosTime from,
KerberosTime till
)
{
KerbUInt32 nonce = new KerbUInt32((uint)Math.Abs((int)DateTime.Now.Ticks));
KerberosTime rtime = new KerberosTime(KerberosConstValue.TGT_RTIME);
HostAddresses addresses =
new HostAddresses(new HostAddress[1] { new HostAddress(new KerbInt32((int)AddressType.NetBios),
new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName()))) });
KDCOptions options = new KDCOptions(KerberosUtility.ConvertInt2Flags((int)kdcOptions));
KDC_REQ_BODY kdcReqBody = new KDC_REQ_BODY(options, Context.CName.Name, Context.Realm, sName, from, till, rtime, nonce, Context.SupportedEType, addresses, null, null);
return kdcReqBody;
}
public PaFxFastReq CreateTgsPaFxFast(
EncryptionKey armorKey,
KerberosTicket armorTicket,
FastOptions fastOptions,
ApOptions apOptions,
Asn1SequenceOf<PA_DATA> seqPaData,
string sName,
byte[] apReq,
IFastArmor armor = null
)
{
string domain = this.Context.Realm.Value;
PrincipalName sname = new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST),
KerberosUtility.String2SeqKerbString(sName.Split('/')));
KDC_REQ_BODY innerKdcReqBody = CreateKdcRequestBody(KdcOptions.CANONICALIZE | KdcOptions.FORWARDABLE | KdcOptions.RENEWABLE, sname);
//Generate checksum
var checksumType = KerberosUtility.GetChecksumType(Context.SelectedEType);
var chksum = KerberosUtility.GetChecksum(
armorKey.keyvalue.ByteArrayValue,
apReq,
(int)KeyUsageNumber.FAST_REQ_CHECKSUM,
checksumType);
Checksum checkSum = new Checksum(new KerbInt32((int)checksumType), new Asn1OctetString(chksum));
KerberosFastRequest fastReq = new KerberosFastRequest(fastOptions, seqPaData, innerKdcReqBody);
KerberosArmoredRequest armoredReq
= new KerberosArmoredRequest(armor, checkSum, (long)Context.SelectedEType, armorKey.keyvalue.ByteArrayValue, fastReq);
PA_FX_FAST_REQUEST paFxFastReq = new PA_FX_FAST_REQUEST();
paFxFastReq.SetData(PA_FX_FAST_REQUEST.armored_data, armoredReq.FastArmoredReq);
PaFxFastReq paFxfast = new PaFxFastReq(paFxFastReq);
return paFxfast;
}
/// <summary>
/// Create and send AS request
/// </summary>
/// <param name="kdcOptions">KDC options</param>
/// <param name="seqPaData">A sequence of preauthentication data</param>
public void SendAsRequest(KdcOptions kdcOptions, Asn1SequenceOf<PA_DATA> seqPaData, KerberosTime from, KerberosTime till)
{
string sName = KerberosConstValue.KERBEROS_SNAME;
string domain = this.Context.Realm.Value;
PrincipalName sname =
new PrincipalName(new KerbInt32((int)PrincipalType.NT_SRV_INST), KerberosUtility.String2SeqKerbString(sName, domain));
KDC_REQ_BODY kdcReqBody = CreateKdcRequestBody(kdcOptions, sname, from, till);
KerberosAsRequest asRequest = this.CreateAsRequest(kdcReqBody, seqPaData);
this.SendPdu(asRequest);
this.testSite.Log.Add(LogEntryKind.Debug, "Send AS Request.");
}
