public static EncryptPassword ( string password, string sharedSecret, byte requestAuthenticator ) : byte[] | ||
password | string | User's password. |
sharedSecret | string | Shared secret key. |
requestAuthenticator | byte | Request authenticator byte array. |
return | byte[] |
public static byte[] EncryptPassword(string password, string sharedSecret, byte[] requestAuthenticator)
{
// Avoiding Null Dereferences
if (string.IsNullOrEmpty(sharedSecret))
throw new ArgumentException("Shared secret cannot be null or empty.");
if (string.IsNullOrEmpty(password))
throw new ArgumentException("Password cannot be null or empty.");
if ((object)requestAuthenticator == null)
throw new ArgumentException("Request authenticator cannot be null.");
// Max length of the password can be 130 according to RFC 2865. Since 128 is the closest multiple
// of 16 (password segment length), we allow the password to be no longer than 128 characters.
if (password.Length <= 128)
{
byte[] result;
byte[] xorBytes = null;
byte[] passwordBytes = Encoding.GetBytes(password);
byte[] sharedSecretBytes = Encoding.GetBytes(sharedSecret);
byte[] md5HashInputBytes = new byte[sharedSecretBytes.Length + 16];
MD5CryptoServiceProvider md5Provider = new MD5CryptoServiceProvider();
if (passwordBytes.Length % 16 == 0)
{
// Length of password is a multiple of 16.
result = new byte[passwordBytes.Length];
}
else
{
// Length of password is not a multiple of 16, so we'll take the multiple of 16 that's next
// closest to the password's length and leave the empty space at the end as padding.
result = new byte[((passwordBytes.Length / 16) * 16) + 16];
}
// Copy the password to the result buffer where it'll be XORed.
Buffer.BlockCopy(passwordBytes, 0, result, 0, passwordBytes.Length);
// For the first 16-byte segment of the password, password characters are to be XORed with the
// MD5 hash value that's computed as follows:
// MD5(Shared secret key + Request authenticator)
Buffer.BlockCopy(sharedSecretBytes, 0, md5HashInputBytes, 0, sharedSecretBytes.Length);
Buffer.BlockCopy(requestAuthenticator, 0, md5HashInputBytes, sharedSecretBytes.Length, requestAuthenticator.Length);
for (int i = 0; i <= result.Length - 1; i += 16)
{
// Perform XOR-based encryption of the password in 16-byte segments.
if (i > 0)
{
// For passwords that are more than 16 characters in length, each consecutive 16-byte
// segment of the password is XORed with MD5 hash value that's computed as follows:
// MD5(Shared secret key + XOR bytes used in the previous segment)
// ReSharper disable once PossibleNullReferenceException
Buffer.BlockCopy(xorBytes, 0, md5HashInputBytes, sharedSecretBytes.Length, xorBytes.Length);
}
xorBytes = md5Provider.ComputeHash(md5HashInputBytes);
// XOR the password bytes in the current segment with the XOR bytes.
for (int j = i; j <= (i + 16) - 1; j++)
{
result[j] = (byte)(result[j] ^ xorBytes[j]);
}
}
return result;
}
throw new ArgumentException("Password can be a maximum of 128 characters in length.");
}
/// <summary> /// Authenticates the username and password against the RADIUS server. /// </summary> /// <param name="username">Username to be authenticated.</param> /// <param name="password">Password to be authenticated.</param> /// <param name="state">State value from a previous challenge response.</param> /// <returns>Response packet received from the server for the authentication request.</returns> /// <remarks> /// <para> /// The type of response packet (if any) will be one of the following: /// <list> /// <item>AccessAccept: If the authentication is successful.</item> /// <item>AccessReject: If the authentication is not successful.</item> /// <item>AccessChallenge: If the server need more information from the user.</item> /// </list> /// </para> /// <para> /// When an AccessChallenge response packet is received from the server, it contains a State attribute /// that must be included in the AccessRequest packet that is being sent in response to the AccessChallenge /// response. So if this method returns an AccessChallenge packet, then this method is to be called again /// with the requested information (from ReplyMessage attribute) in the password field and the value State /// attribute. /// </para> /// </remarks> public RadiusPacket Authenticate(string username, string password, byte[] state) { CheckDisposed(); if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) { throw new ArgumentException("Username and Password cannot be null."); } RadiusPacket request = new RadiusPacket(PacketType.AccessRequest); byte[] authenticator = RadiusPacket.CreateRequestAuthenticator(m_sharedSecret); request.Authenticator = authenticator; request.Attributes.Add(new RadiusPacketAttribute(AttributeType.UserName, username)); request.Attributes.Add(new RadiusPacketAttribute(AttributeType.UserPassword, RadiusPacket.EncryptPassword(password, m_sharedSecret, authenticator))); // State attribute is used when responding to a AccessChallenge response. if ((object)state != null) { request.Attributes.Add(new RadiusPacketAttribute(AttributeType.State, state)); } return(ProcessRequest(request)); }