Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2
# frozen_string_literal: true
3

4
require 'rex/proto/kerberos/crypto/rc4_hmac'
5
require 'rex/proto/kerberos/crypto/rsa_md5'
6

7
module Rex
8
  module Proto
9
    module Kerberos
10
      module Crypto
11
        # https://datatracker.ietf.org/doc/html/rfc4120#section-7.5.1 - A unique number used as part of encryption to make certain types of
12
        # cryptographic attacks harder
13
        module KeyUsage
14
          AS_REQ_PA_ENC_TIMESTAMP                        = 1
15
          KDC_REP_TICKET                                 = 2
16
          AS_REP_ENCPART                                 = 3
17
          TGS_REQ_KDC_REQ_BODY_AUTHDATA_SESSION_KEY      = 4
18
          TGS_REQ_KDC_REQ_BODY_AUTHDATA_SUB_KEY          = 5
19
          TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR_CHKSUM = 6
20
          TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR        = 7
21
          TGS_REP_ENCPART_SESSION_KEY                    = 8
22
          TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY          = 9
23
          AP_REQ_AUTHENTICATOR_CHKSUM                    = 10
24
          AP_REQ_AUTHENTICATOR                           = 11
25
          AP_REP_ENCPART                                 = 12
26
          KRB_PRIV_ENCPART                               = 13
27
          KRB_CRED_ENCPART                               = 14
28
          KRB_SAFE_CHKSUM                                = 15
29
          KERB_NON_KERB_SALT                             = 16
30
          KERB_NON_KERB_CKSUM_SALT                       = 17
31
          GSS_ACCEPTOR_SEAL                              = 22
32
          GSS_ACCEPTOR_SIGN                              = 23
33
          GSS_INITIATOR_SEAL                             = 24
34
          GSS_INITIATOR_SIGN                             = 25
35
        end
36

37
        module Checksum
38
          RSA_MD5 = 7
39
          MD5_DES = 8
40
          SHA1_DES3 = 12
41
          SHA1_AES128 = 15
42
          SHA1_AES256 = 16
43
          HMAC_MD5 = -138
44

45
          def self.from_checksum_type(ctype)
46
            checksummers = {
47
              RSA_MD5     => Rex::Proto::Kerberos::Crypto::RsaMd5,
48
              MD5_DES     => Rex::Proto::Kerberos::Crypto::DesCbcMd5,
49
              SHA1_DES3   => Rex::Proto::Kerberos::Crypto::Des3CbcSha1,
50
              SHA1_AES128 => Rex::Proto::Kerberos::Crypto::Aes128CtsSha1,
51
              SHA1_AES256 => Rex::Proto::Kerberos::Crypto::Aes256CtsSha1,
52
              HMAC_MD5    => Rex::Proto::Kerberos::Crypto::Rc4Hmac,
53
              0xffffff76  => Rex::Proto::Kerberos::Crypto::Rc4Hmac, # Negative 138 two's complement
54
            }
55
            result = checksummers[ctype]
56
            raise ::NotImplementedError, 'Checksum type is not supported' if result == nil
57

58
            result.new
59
          end
60

61
        end
62

63
        # https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
64
        module Encryption
65
          DES_CBC_CRC = 1
66
          DES_CBC_MD4 = 2
67
          DES_CBC_MD5 = 3
68
          DES3_CBC_SHA1 = 16
69
          AES128 = 17
70
          AES256 = 18
71
          RC4_HMAC = 23
72

73
          # Mapping of encryption type numbers to the human readable text description by IANA
74
          # https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
75
          IANA_NAMES = {
76
            DES_CBC_CRC => 'des-cbc-crc',
77
            DES_CBC_MD4 => 'des-cbc-md4',
78
            DES_CBC_MD5 => 'des-cbc-md5',
79
            DES3_CBC_SHA1 => 'des3-cbc-sha1-kd',
80
            AES128 => 'aes128-cts-hmac-sha1-96',
81
            AES256 => 'aes256-cts-hmac-sha1-96',
82
            RC4_HMAC => 'rc4-hmac'
83
          }
84

85
          # The default etypes to offer to the Kerberos server when none is provided
86
          DefaultOfferedEtypes = [AES256, AES128, RC4_HMAC, DES_CBC_MD5, DES3_CBC_SHA1]
87
          PkinitEtypes = [AES256, AES128]
88

89
          # The individual etype used by an encryptor when none is provided
90
          DefaultEncryptionType = RC4_HMAC
91

92
          ENCRYPTORS = {
93
            DES_CBC_MD5 =>   Rex::Proto::Kerberos::Crypto::DesCbcMd5,
94
            DES3_CBC_SHA1 => Rex::Proto::Kerberos::Crypto::Des3CbcSha1,
95
            RC4_HMAC =>      Rex::Proto::Kerberos::Crypto::Rc4Hmac,
96
            AES128 =>        Rex::Proto::Kerberos::Crypto::Aes128CtsSha1,
97
            AES256 =>        Rex::Proto::Kerberos::Crypto::Aes256CtsSha1,
98
          }
99
          private_constant :ENCRYPTORS
100

101
          SUPPORTED_ENCRYPTIONS = ENCRYPTORS.keys
102

103
          #
104
          # Return a string representation of the constant for a number
105
          #
106
          # @param [Integer] code
107
          def self.const_name(code)
108
            (self.constants - [:DefaultEncryptionType]).each do |c|
109
              return c.to_s if self.const_get(c) == code
110
            end
111
            return nil
112
          end
113

114
          # Return a integer value for the given encryption const name
115
          #
116
          # @param [String] const_name
117
          def self.value_for(const_name)
118
            self.const_get(const_name)
119
          end
120

121
          # @param [Integer] etype
122
          # @return [Rex::Proto::Kerberos::Crypto::BlockCipherBase]
123
          def self.from_etype(etype)
124
            result = ENCRYPTORS[etype]
125
            raise ::NotImplementedError, "EncryptedData schema #{etype.inspect} is not supported" if result == nil
126

127
            result.new
128
          end
129
        end
130
      end
131
    end
132
  end
133
end
134

135