
Merge pull request #2 from ZhongZhaofeng/master

Validate with a base key (the key value after MD4, i.e. the NT hash) instead of a plain-text password.
SteveSyfuhs committed Jun 15, 2017
2 parents 5fc1c12 + 07c7e93 commit 69bc62de8ca28905b102467a6abad1f9ad457860
@@ -1,4 +1,4 @@
using Syfuhs.Security.Kerberos.Crypto;
using Syfuhs.Security.Kerberos.Crypto;
using System;
using System.Security;
using System.Security.Cryptography;
@@ -17,6 +17,14 @@ public RC4DecryptedData(KrbApReq token, byte[] decryptingKey)
this.decryptingKey = decryptingKey;
}
private readonly byte[] baseKey;
public RC4DecryptedData(KrbApReq token, byte[] decryptingKey, byte[] baseKey)
{
this.token = token;
this.decryptingKey = decryptingKey;
this.baseKey = baseKey;
}
private static byte[] GetSalt(int usage)
{
switch (usage)
@@ -45,7 +53,11 @@ private static byte[] GetSalt(int usage)
public override void Decrypt()
{
var baseKey = MD4(decryptingKey);
var baseKey = this.baseKey;
if (this.decryptingKey != null && this.decryptingKey.Length > 0)
{
baseKey = MD4(decryptingKey);
}
var ciphertext = token.Ticket.EncPart.Cipher;
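Review bot: In Decrypt(), an instance built with the two-argument constructor (baseKey is never assigned) or with a null/empty decryptingKey and a null baseKey leaves the local `baseKey` null after the new if block, and it is presumably handed to the key derivation further down, so the failure surfaces as a NullReferenceException inside the crypto code instead of a clear error. Add a guard right after the if block: `if (baseKey == null || baseKey.Length == 0) throw new InvalidOperationException("RC4-HMAC decryption needs a password or a base key (MD4 of the UTF-16LE password, i.e. the NT hash).");`. The local `baseKey` also shadows the field `this.baseKey`, which is what makes the fallback easy to misread; naming the local `rc4Key` would avoid that. When both a password and a base key are supplied the password silently wins, which deserves a comment such as `// A password, when present, takes precedence over a caller-supplied base key.` Decrypt's body continues past the end of the hunk.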
@@ -1,4 +1,4 @@
using Syfuhs.Security.Kerberos.Crypto;
using Syfuhs.Security.Kerberos.Crypto;
using Syfuhs.Security.Kerberos.Entities;
namespace Syfuhs.Security.Kerberos
@@ -47,6 +47,29 @@ public DecryptedData Decrypt(byte[] key)
return decryptor;
}
public DecryptedData DecryptWithBaseKey(byte[] basekey)
{
DecryptedData decryptor = null;
switch (NegotiationToken.MechToken.InnerContextToken.Ticket.EncPart.EType)
{
case EncryptionType.RC4_HMAC_NT:
case EncryptionType.RC4_HMAC_NT_EXP:
decryptor = new RC4DecryptedData(NegotiationToken.MechToken.InnerContextToken, null, basekey);
break;
case EncryptionType.AES128_CTS_HMAC_SHA1_96:
case EncryptionType.AES256_CTS_HMAC_SHA1_96:
break;
}
if (decryptor != null)
{
decryptor.Decrypt();
}
return decryptor;
}
public override string ToString()
{
var mech = MechType.Mechanism;
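Review bot: DecryptWithBaseKey accepts `basekey` without any validation, and for the AES etypes it returns null exactly as a failed decryption would, so a caller that passes a base key for an AES ticket gets the same "invalid token" outcome as a wrong key with no hint why. Guard the input at the top: `if (basekey == null || basekey.Length == 0) throw new ArgumentException("A non-empty base key is required.", nameof(basekey));` — for RC4-HMAC the base key is the 16-byte NT hash (RFC 4757), so a `Length != 16` check would be reasonable as well. The switch duplicates the one in Decrypt(byte[] key) directly above; a private helper taking the etype and a factory for the decryptor would keep the two in sync when AES support is added. The parameter is spelled `basekey` here but `baseKey` in RC4DecryptedData, and a `/// <summary>` stating that this overload expects an already-derived (post-MD4) key rather than a password would help callers pick the right one.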
@@ -1,4 +1,4 @@
using System;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
@@ -10,16 +10,24 @@ namespace Syfuhs.Security.Kerberos
{
public class SimpleKerberosValidator
{
public enum KeyType
{
Plan,
Base
}
private static readonly HashSet<string> TokenCache = new HashSet<string>();
private readonly byte[] key;
private readonly KeyType keyType;
public SimpleKerberosValidator(string key)
: this(Encoding.Unicode.GetBytes(key))
: this(KeyType.Plan, Encoding.Unicode.GetBytes(key))
{ }
public SimpleKerberosValidator(byte[] key)
public SimpleKerberosValidator(KeyType keyType, byte[] key)
{
this.keyType = keyType;
this.key = key;
ValidateAfterDecrypt = true;
@@ -52,7 +60,7 @@ private ClaimsIdentity Validate(byte[] requestBytes)
Logger("Request: ");
Logger(kerberosRequest.ToString());
var decryptedToken = kerberosRequest.Decrypt(key);
var decryptedToken = this.keyType == KeyType.Plan ? kerberosRequest.Decrypt(key) : kerberosRequest.DecryptWithBaseKey(key);
if (decryptedToken == null)
{
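Review bot: The `SimpleKerberosValidator(byte[] key)` constructor is removed in favour of `(KeyType keyType, byte[] key)`, which breaks any existing caller that passed raw key bytes; keep it as a forwarding overload, `public SimpleKerberosValidator(byte[] key) : this(KeyType.Plan, key) { }`. `KeyType.Plan` reads as a typo for `Plain`, and since this enum becomes public API with this commit, renaming it now is cheap and later is not. Neither constructor rejects a null or empty key, so a misconfigured validator only fails inside Decrypt; `if (key == null || key.Length == 0) throw new ArgumentException("Key must not be empty.", nameof(key));` in the `(KeyType, byte[])` constructor would surface it at construction time. A short doc comment on KeyType, e.g. `/// Plan: a UTF-16LE password that is MD4-hashed before use; Base: an already-derived key (the NT hash for RC4-HMAC).`, would make the choice clear. Validate's body continues outside the hunk.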
