-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows Extended Protection support #366
Comments
Yeah, good feature. In theory this could be built out by an application directly by filling in the |
First of all, thanks for taking the time to answer and to point me in the right direction. By your direction I made the changes to DelegationInfo.cs I started with declaring:
And then I attempted to change the Encode method like below but when i add
|
I'm just eyeballing this so I haven’t looked at the Windows side, but I believe you’re missing the MD5 hash and/or MIC to bind the data to the session.
https://www.rfc-editor.org/rfc/rfc6542.html#section-3.1
https://www.rfc-editor.org/rfc/rfc4121#section-4.1.1.2
…________________________________
From: Mika ***@***.***>
Sent: Thursday, March 14, 2024 7:00:31 AM
To: dotnet/Kerberos.NET ***@***.***>
Cc: Comment ***@***.***>; Subscribed ***@***.***>
Subject: Re: [dotnet/Kerberos.NET] Windows Extended Protection support (Issue #366)
First of all, thanks for taking the time to answer and to point me in the right direction.
I did give it a go (well, a lot of go's actually) but unfortunately I wasn't able to get it working. While this is not a support channel perhaps you can easily see where i went wrong.
By your direction I made the changes to DelegationInfo.cs
I started with declaring:
public const int ChannelBindingLength = 0x10;
public readonly byte[] cbt_zeros = new byte[] {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
public readonly byte[] tls_server_end_point = new byte[] {
0x74, 0x6c, 0x73, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2d, 0x65, 0x6e, 0x64, 0x2d, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x3a
};
And then I attempted to change the Encode method like below but when i add "Negotiate " + Convert.ToBase64String(ticket.EncodeGssApi().ToArray()) to the Authorization: header of a http request the binding fails.
public ReadOnlyMemory<byte> Encode()
{
using (var stream = new MemoryStream())
using (var writer = new BinaryWriter(stream))
{
X509Certificate cert = new X509Certificate("C:\\Temp\\cert\\test\\publicKey.cer");
using (var hasher = SHA256.Create())
{
var hash = hasher.ComputeHash(cert.GetRawCertData());
int cbtLength = cbt_zeros.Length + tls_server_end_point.Length + hash.Length + 4;
var cbt = new byte[cbtLength];
int pos = 0;
//first 16 bytes zeros
Array.Copy(cbt_zeros, 0, cbt, pos, cbt_zeros.Length);
//add 4 bytes of app data length (tls prefix + cert hash)
byte[] dataLength = new byte[] { (byte)(tls_server_end_point.Length + hash.Length), 0, 0, 0 };
pos += cbt_zeros.Length;
Array.Copy(dataLength, 0, cbt, pos, 4);
//add tls prefix
pos += 4;
Array.Copy(tls_server_end_point, 0, cbt, pos, tls_server_end_point.Length);
//add cert hash
pos += tls_server_end_point.Length;
Array.Copy(hash, 0, cbt, pos, hash.Length);
this.ChannelBinding = cbt;
}
if (this.ChannelBinding.Length == 0)
{
this.ChannelBinding = new byte[ChannelBindingLength];
}
writer.Write(this.ChannelBinding.Length);
writer.Write(this.ChannelBinding.ToArray());
if (this.DelegationTicket != null)
{
this.Flags |= GssContextEstablishmentFlag.GSS_C_DELEG_FLAG;
}
writer.Write((int)this.Flags);
if (this.DelegationTicket != null)
{
writer.Write((short)this.DelegationOption);
var deleg = this.DelegationTicket.EncodeApplication();
writer.Write((short)deleg.Length);
writer.Write(deleg.ToArray());
}
return stream.ToArray();
}
}
—
Reply to this email directly, view it on GitHub<#366 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAJHTYI5RCJVKATAFXVFBNDYYGUQBBFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVE2TMNBSG4ZDGNJXURXGC3LFVFUGC427NRQWEZLMVRZXKYTKMVRXIX3UPFYGLLCJONZXKZKDN5WW2ZLOOSTHI33QNFRXHE4CUR2HS4DFVJZGK4DPONUXI33SPGSXMYLMOVS2QOBVGQ4DSMJTHCBKI5DZOBS2K2LTON2WLJLWMFWHKZNKGIYTQMRRGU2TMMZRQKSHI6LQMWSWYYLCMVWKK5TBNR2WLKJVGY2DENZSGM2TPJ3UOJUWOZ3FOKTGG4TFMF2GK>.
You are receiving this email because you commented on the thread.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
Hi, you were absolutely right about the MD5 hash. For some reason I thought that part was only for NTLM. Thanks a ton for taking the time to help out. Hopefully this helps someone else. |
Is your feature request related to a problem? Please describe.
When using the library together the sample code provided to create a "Negotiate" header and then using that header with httpClient to make a request to a website, it fails if the receiving IIS has Windows Extended Protection set to required.
Describe the solution you'd like
It would be great if there was a way to add channel binding information when the apReq (i think) is created.
The text was updated successfully, but these errors were encountered: