//go:generate go run ./gen/main.go -o v1_secure_channel_wrappers.zz.go
package logon
import (
"bytes"
"context"
"crypto/rand"
"fmt"
"time"
"github.com/oiweiwei/go-msrpc/dcerpc"
"github.com/oiweiwei/go-msrpc/ssp/gssapi"
"github.com/oiweiwei/go-msrpc/ssp/netlogon"
)
// LogonSecureChannelClient is a LogonClient whose connection has been
// upgraded to a Netlogon secure channel (see NewSecureChannelClient).
type LogonSecureChannelClient interface {
	LogonClient
	// Encrypt encrypts the given bytes with the session credential
	// established during the secure-channel handshake.
	Encrypt(context.Context, []byte) ([]byte, error)
}
// xxx_SecureChannelClient implements LogonSecureChannelClient by embedding the
// plain LogonClient and keeping the secure credential negotiated in
// NewSecureChannelClient.
type xxx_SecureChannelClient struct {
	LogonClient
	// sCred is the session credential used by Encrypt, VerifyAuthenticator
	// and SetAuthenticators.
	sCred *netlogon.SecureCredential
}
// SecureChannel_T is a zero-value instance of the client type; presumably a
// type marker consumed by the generated wrappers (see the go:generate
// directive at the top of the file) — NOTE(review): confirm against
// v1_secure_channel_wrappers.zz.go.
var SecureChannel_T = &xxx_SecureChannelClient{}
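// NewSecureChannelClient creates a Netlogon client over cc, runs the
// RequestChallenge / Authenticate3 handshake with the netlogon.Credential
// found in ctx, verifies the server's credential against the locally derived
// value, and re-binds the connection with the negotiated security config.
// The returned client can Encrypt data with the established session
// credential.
//
// Every failure is reported with a "secure_channel:" prefix; underlying
// errors are wrapped with %w so callers can use errors.Is / errors.As.
func NewSecureChannelClient(ctx context.Context, cc dcerpc.Conn, opts ...dcerpc.Option) (LogonSecureChannelClient, error) {
	cli, err := NewLogonClient(ctx, cc, opts...)
	if err != nil {
		return nil, err
	}

	creds, ok := gssapi.GetCredential(ctx, "", nil, gssapi.InitiateAndAccept).Value().(netlogon.Credential)
	if !ok || creds == nil {
		return nil, fmt.Errorf("secure_channel: credentials missing")
	}

	// NOTE(review): CapRC4 is offered next to the AES/strong-key
	// capabilities, and the flags the server actually accepts are never
	// read back from the Authenticate3 response below (only the server
	// credential is used). Whether offering RC4 is acceptable, and whether a
	// server-side downgrade needs to be detected, should be confirmed
	// against the deployment's requirements.
	cfg := &netlogon.Config{
		Capabilities:    netlogon.CapAES_SHA2 | netlogon.CapStrongKey | netlogon.CapSecureRPC | netlogon.CapRC4,
		Credential:      creds,
		ClientChallenge: make([]byte, 8),
	}
	if _, err := rand.Read(cfg.ClientChallenge); err != nil {
		return nil, fmt.Errorf("secure_channel: %w", err)
	}

	// Fallback workstation name when the credential carries none.
	wksta := creds.Workstation()
	if wksta == "" {
		wksta = "GO-MSRPC"
	}

	dc, err := cli.GetDCName(ctx, &GetDCNameRequest{
		ComputerName: creds.Workstation(),
		Flags:        1<<30 /* locate dns names */ | 1<<9, /* locate ips */
	})
	if err != nil {
		return nil, fmt.Errorf("secure_channel: dc_name: %w", err)
	}

	chal, err := cli.RequestChallenge(ctx, &RequestChallengeRequest{
		PrimaryName:     dc.DomainControllerInfo.DomainControllerName,
		ComputerName:    wksta,
		ClientChallenge: &Credential{Data: cfg.ClientChallenge},
	})
	if err != nil {
		return nil, fmt.Errorf("secure_channel: request_challenge: %w", err)
	}
	cfg.ServerChallenge = chal.ServerChallenge.Data

	sCred, err := netlogon.NewSecureCredential(ctx, cfg)
	if err != nil {
		return nil, fmt.Errorf("secure_channel: %w", err)
	}

	clientCred, err := sCred.Encrypt(ctx, cfg.ClientChallenge)
	if err != nil {
		return nil, fmt.Errorf("secure_channel: client_credentials: %w", err)
	}

	auth3, err := cli.Authenticate3(ctx, &Authenticate3Request{
		PrimaryName:       dc.DomainControllerInfo.DomainControllerName,
		AccountName:       creds.UserName(),
		SecureChannelType: SecureChannelTypeWorkstationSecureChannel,
		// Use the same name that was sent in RequestChallenge: the DC keeps
		// the challenge keyed by ComputerName, so the two must agree (the
		// previous code sent the raw, possibly empty, creds.Workstation()).
		ComputerName:     wksta,
		ClientCredential: &Credential{Data: clientCred},
		NegotiateFlags:   uint32(cfg.Capabilities),
	})
	if err != nil {
		return nil, fmt.Errorf("secure_channel: auth3: %w", err)
	}

	// Mutual authentication: the server must prove it derived the same
	// session key by returning our encryption of its own challenge.
	expServerCred, err := sCred.Encrypt(ctx, cfg.ServerChallenge)
	if err != nil {
		return nil, fmt.Errorf("secure_channel: auth3: server_credentials: %w", err)
	}
	if !bytes.Equal(expServerCred, auth3.ServerCredential.Data) {
		return nil, fmt.Errorf("secure_channel: auth3: invalid server credentials")
	}

	// Upgrade to the secure channel. The three-index slice forces append to
	// copy, so the caller's opts backing array is never written to.
	secOpts := append(opts[:len(opts):len(opts)], dcerpc.WithSecurityConfig(cfg))
	if err := cli.AlterContext(ctx, secOpts...); err != nil {
		return nil, fmt.Errorf("secure_channel: %w", err)
	}

	return &xxx_SecureChannelClient{
		LogonClient: cli,
		sCred:       sCred,
	}, nil
}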
// Encrypt encrypts b with the session credential negotiated by
// NewSecureChannelClient and returns the result of the underlying
// netlogon.SecureCredential.Encrypt call unchanged.
func (o *xxx_SecureChannelClient) Encrypt(ctx context.Context, b []byte) ([]byte, error) {
	out, err := o.sCred.Encrypt(ctx, b)
	return out, err
}
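// VerifyAuthenticator checks the return authenticator ra against the session
// credential. A nil ra or a missing Credential — presumably possible when the
// value comes from a peer's response — is rejected with an error instead of
// dereferencing a nil pointer.
func (o *xxx_SecureChannelClient) VerifyAuthenticator(ctx context.Context, ra *Authenticator) error {
	if ra == nil || ra.Credential == nil {
		return fmt.Errorf("secure_channel: return authenticator missing")
	}
	// The second argument (1) is passed through unchanged from the original
	// implementation — NOTE(review): confirm its meaning against
	// netlogon.SecureCredential.Verify.
	return o.sCred.Verify(ctx, 1, ra.Credential.Data)
}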
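// SetAuthenticators stores a fresh client authenticator in *a — the current
// Unix time as Timestamp and the next credential derived from it — and resets
// *ra to an empty return authenticator for the server to fill in.
//
// Both a and ra must be non-nil; otherwise an error is returned. If deriving
// the credential fails, the error is returned and *a is left untouched
// (previously a half-filled authenticator was stored before the failure).
func (o *xxx_SecureChannelClient) SetAuthenticators(ctx context.Context, a, ra **Authenticator) error {
	if a == nil || ra == nil {
		return fmt.Errorf("secure_channel: authenticator destination is nil")
	}
	// Timestamp is a uint32 field, so the Unix time is truncated (wraps in 2106).
	ts := uint32(time.Now().Unix())
	cred, err := o.sCred.Next(ctx, ts)
	if err != nil {
		return err
	}
	*a = &Authenticator{
		Timestamp:  ts,
		Credential: &Credential{Data: cred},
	}
	*ra = &Authenticator{}
	return nil
}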