1
require 'rubyntlm'
2

3
module Rex::Proto::Gss
4
  class ChannelBinding < Net::NTLM::ChannelBinding
5
    attr_reader :digest_algorithm
6
    def initialize(channel_data, unique_prefix: 'tls-server-end-point', digest_algorithm: 'SHA256')
7
      super(channel_data)
8
      @unique_prefix = unique_prefix
9
      @digest_algorithm = digest_algorithm
10
    end
11

12
    def channel_hash
13
      @channel_hash ||= OpenSSL::Digest.new(@digest_algorithm, channel)
14
    end
15

16
    def self.create(peer_cert)
17
      super(peer_cert.to_der)
18
    end
19

20
    def self.from_tls_cert(peer_cert)
21
      digest_algorithm = 'SHA256'
22
      if peer_cert.signature_algorithm
23
        # see: https://learn.microsoft.com/en-us/archive/blogs/openspecification/ntlm-and-channel-binding-hash-aka-extended-protection-for-authentication
24
        normalized_name = OpenSSL::Digest.new(peer_cert.signature_algorithm).name.upcase
25
        unless %[ MD5 SHA1 ].include?(normalized_name)
26
          digest_algorithm = normalized_name
27
        end
28
      end
29

30
      new(peer_cert.to_der, unique_prefix: 'tls-server-end-point', digest_algorithm: digest_algorithm)
31
    end
32
  end
33
end
34

35