Class: Rex::Proto::LDAP::AuthAdapter::RexKerberos::Encryptor

Inherits:
Object
Includes:
Gss::Asn1
Defined in:
lib/rex/proto/ldap/auth_adapter/rex_kerberos/encryptor.rb

Overview

Provide the ability to “wrap” LDAP comms in a Kerberos encryption routine. The methods herein are set up with the auth_context_setup call below, and are called when reading or writing needs to occur.

Instance Attribute Summary

Instance Method Summary

Methods included from Gss::Asn1

#unwrap_pseudo_asn1, #wrap_pseudo_asn1

Constructor Details

#initialize(kerberos_authenticator) ⇒ Encryptor

Returns a new instance of Encryptor.

Parameters:



# File 'lib/rex/proto/ldap/auth_adapter/rex_kerberos/encryptor.rb', line 15

def initialize(kerberos_authenticator)
  self.kerberos_authenticator = kerberos_authenticator
end

Instance Attribute Details

#kerberos_authenticator ⇒ Object

Returns the value of attribute kerberos_authenticator.



# File 'lib/rex/proto/ldap/auth_adapter/rex_kerberos/encryptor.rb', line 66

def kerberos_authenticator
  @kerberos_authenticator
end

#kerberos_encryptor ⇒ Object

Returns the value of attribute kerberos_encryptor.



# File 'lib/rex/proto/ldap/auth_adapter/rex_kerberos/encryptor.rb', line 65

def kerberos_encryptor
  @kerberos_encryptor
end

Instance Method Details

#read(ciphertext) ⇒ Object

Decrypt the provided ciphertext

Parameters:

  • ciphertext (String)


# File 'lib/rex/proto/ldap/auth_adapter/rex_kerberos/encryptor.rb', line 48

def read(ciphertext)
  begin
    plaintext = self.kerberos_encryptor.decrypt_and_verify(ciphertext)
  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => exception
    raise Rex::Proto::LDAP::LdapException.new('Received invalid message (Kerberos signature verification failed)')
  end
  return plaintext
end

#setup(ldap_connection, kerberos_result, gssapi_response) ⇒ Object

Configure our encryption and tell the LDAP connection object that we now want to intercept its calls to read and write.

Parameters:

  • ldap_connection (Net::LDAP::Connection)
  • kerberos_result (Hash)
  • gssapi_response (String, nil)

    GSS token containing the AP-REP from the server if mutual auth was used, or nil otherwise



# File 'lib/rex/proto/ldap/auth_adapter/rex_kerberos/encryptor.rb', line 24

def setup(ldap_connection, kerberos_result, gssapi_response)
  spnego = Rex::Proto::Gss::SpnegoNegTokenTarg.parse(gssapi_response)
  if spnego.response_token.nil?
    # No mutual auth result
    self.kerberos_encryptor = kerberos_authenticator.get_message_encryptor(
      kerberos_result[:session_key],
      kerberos_result[:client_sequence_number],
      nil,
      use_acceptor_subkey: false
    )
  else
    mutual_auth_result = self.kerberos_authenticator.parse_gss_init_response(spnego.response_token, kerberos_result[:session_key])
    self.kerberos_encryptor = kerberos_authenticator.get_message_encryptor(
      mutual_auth_result[:ap_rep_subkey],
      kerberos_result[:client_sequence_number],
      mutual_auth_result[:server_sequence_number],
      use_acceptor_subkey: true
    )
  end
  ldap_connection.wrap_read_write(self.method(:read), self.method(:write))
end

#write(data) ⇒ Object

Encrypt the provided plaintext

Parameters:

  • data (String)


# File 'lib/rex/proto/ldap/auth_adapter/rex_kerberos/encryptor.rb', line 59

def write(data)
  emessage, header_length, pad_length = self.kerberos_encryptor.encrypt_and_increment(data)

  emessage
end
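The following is an added, self-contained example (not Rex or Metasploit code) of the pattern the setup, read and write methods above implement: a message encryptor holding a key and two per-direction sequence numbers, a thin wrapper whose read maps a verification failure to an LDAP-level exception and whose write passes only the encrypted bytes on, and a connection whose wrap_read_write takes the two callables. ToyMessageEncryptor, ToyEncryptor, ToyConnection, ToyLdapException, demo and accepted? are all hypothetical names; AES-256-GCM stands in for the Kerberos GSS wrap token, the sequence numbers are constructed values, and the wrap_read_write signature is assumed from the call shown on this page.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical stand-in for the object get_message_encryptor returns. It keeps
# the call shape the page shows: encrypt_and_increment -> [emessage,
# header_length, pad_length]; decrypt_and_verify -> plaintext, raising on any
# integrity or sequence fault. Binding the sequence number into the AEAD as
# associated data is what makes a replayed or reordered message fail
# verification instead of decrypting silently.
class ToyMessageEncryptor
  class VerifyError < StandardError; end
  SEQ_LEN = 4
  NONCE_LEN = 12
  TAG_LEN = 16
  HEADER_LEN = SEQ_LEN + NONCE_LEN

  def initialize(key, send_seq, recv_seq)
    @key = key            # 32-byte session key (or AP-REP subkey), constructed here
    @send_seq = send_seq  # our sequence number; the peer checks it on receipt
    @recv_seq = recv_seq  # the peer's sequence number we expect next
  end

  def encrypt_and_increment(data)
    seq = [@send_seq].pack('N')
    nonce = SecureRandom.random_bytes(NONCE_LEN)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    cipher.iv = nonce
    cipher.auth_data = seq
    body = (data.empty? ? '' : cipher.update(data)) + cipher.final
    @send_seq += 1 # only the sender's counter moves here
    [seq + nonce + body + cipher.auth_tag, HEADER_LEN, 0] # GCM needs no padding
  end

  def decrypt_and_verify(message)
    raise VerifyError, 'short message' if message.bytesize < HEADER_LEN + TAG_LEN
    seq = message.byteslice(0, SEQ_LEN)
    nonce = message.byteslice(SEQ_LEN, NONCE_LEN)
    body = message.byteslice(HEADER_LEN, message.bytesize - HEADER_LEN - TAG_LEN)
    tag = message.byteslice(message.bytesize - TAG_LEN, TAG_LEN)
    raise VerifyError, 'sequence mismatch' unless seq.unpack1('N') == @recv_seq
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @key
    cipher.iv = nonce
    cipher.auth_tag = tag
    cipher.auth_data = seq
    plaintext = (body.empty? ? '' : cipher.update(body)) + cipher.final
    @recv_seq += 1 # a rejected message must not advance the receive counter
    plaintext
  rescue OpenSSL::Cipher::CipherError
    raise VerifyError, 'authentication tag mismatch'
  end
end

class ToyLdapException < StandardError; end

# Same shape as the Encryptor documented above (hypothetical copy, not Rex).
class ToyEncryptor
  attr_accessor :kerberos_encryptor

  def read(ciphertext)
    kerberos_encryptor.decrypt_and_verify(ciphertext)
  rescue ToyMessageEncryptor::VerifyError
    raise ToyLdapException, 'Received invalid message (Kerberos signature verification failed)'
  end

  def write(data)
    emessage, _header_length, _pad_length = kerberos_encryptor.encrypt_and_increment(data)
    emessage
  end
end

# Stand-in for the connection's wrap_read_write (assumed interface): once
# wrapped, every outbound and inbound message passes through the two callables.
class ToyConnection
  attr_reader :wire
  def initialize
    @wire = []
    @read_hook = ->(bytes) { bytes }
    @write_hook = ->(bytes) { bytes }
  end
  def wrap_read_write(read_hook, write_hook)
    @read_hook, @write_hook = read_hook, write_hook
  end
  def send_message(data)
    @wire << @write_hook.call(data)
  end
  def receive_message(bytes)
    @read_hook.call(bytes)
  end
end

def accepted?(side, bytes)
  side.read(bytes)
  true
rescue ToyLdapException
  false
end

# Client (wrapped connection) and a mirrored server side: normal exchange,
# a replayed message, a tampered message, then the genuine copy of it.
# 7 and 1000 are constructed client/server sequence numbers.
def demo
  key = SecureRandom.random_bytes(32)
  client_seq, server_seq = 7, 1000
  client = ToyEncryptor.new
  client.kerberos_encryptor = ToyMessageEncryptor.new(key, client_seq, server_seq)
  server = ToyEncryptor.new
  server.kerberos_encryptor = ToyMessageEncryptor.new(key, server_seq, client_seq)
  conn = ToyConnection.new
  conn.wrap_read_write(client.method(:read), client.method(:write))
  out = {}
  conn.send_message('bindRequest')
  conn.send_message('searchRequest')
  out[:wire_is_ciphertext] = !conn.wire[0].include?('bindRequest')
  out[:first] = server.read(conn.wire[0])
  out[:second] = server.read(conn.wire[1])
  out[:replay] = accepted?(server, conn.wire[0])   # stale sequence number
  conn.send_message('unbindRequest')
  tampered = conn.wire[2].dup
  tampered.setbyte(tampered.bytesize - 1, tampered.getbyte(tampered.bytesize - 1) ^ 0x01)
  out[:tampered] = accepted?(server, tampered)     # flipped tag bit
  out[:third] = server.read(conn.wire[2])          # counter was not advanced by the failure
  out[:reply] = conn.receive_message(server.write('bindResponse'))
  out
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point to take from the run is the ordering of the two checks in decrypt_and_verify: the sequence number is compared before any decryption, and the receive counter only advances after a message authenticates, so neither a replay nor a tampered frame can desynchronise the session for the genuine message that follows.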