diff --git a/samples/TestImplementation.ReadCookie/Controllers/SecurityController.cs b/samples/TestImplementation.ReadCookie/Controllers/SecurityController.cs index 49ac8d5..831cf0c 100644 --- a/samples/TestImplementation.ReadCookie/Controllers/SecurityController.cs +++ b/samples/TestImplementation.ReadCookie/Controllers/SecurityController.cs @@ -2,6 +2,8 @@ using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; +using Microsoft.Extensions.Options; +using Synercoding.FormsAuthentication; using System.Threading.Tasks; namespace TestImplementation.ReadCookie.Controllers @@ -9,8 +11,19 @@ namespace TestImplementation.ReadCookie.Controllers [Authorize] public class SecurityController : Controller { + private readonly FormsAuthenticationOptions _formsAuthenticationOptions; + + public SecurityController(IOptions options) + { + _formsAuthenticationOptions = options.Value; + } + public IActionResult Index() { + var authCryptor = new FormsAuthenticationCryptor(_formsAuthenticationOptions); + var ticket = authCryptor.Unprotect(Request.Cookies["TestCookie"]); + ViewData["TestCookie-UserData"] = ticket.UserData; + return View(); } diff --git a/samples/TestImplementation.ReadCookie/Startup.cs b/samples/TestImplementation.ReadCookie/Startup.cs index 77a7b33..88309fb 100644 --- a/samples/TestImplementation.ReadCookie/Startup.cs +++ b/samples/TestImplementation.ReadCookie/Startup.cs @@ -31,6 +31,9 @@ public void ConfigureServices(IServiceCollection services) ValidationMethod = section.GetValue("ValidationMethod"), }; + // Enables injection of IOptions + services.Configure(section); + services.AddAuthentication(options => { options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; diff --git a/samples/TestImplementation.ReadCookie/Views/Security/Index.cshtml b/samples/TestImplementation.ReadCookie/Views/Security/Index.cshtml index c08ef80..49d2f2a 100644 --- a/samples/TestImplementation.ReadCookie/Views/Security/Index.cshtml +++ b/samples/TestImplementation.ReadCookie/Views/Security/Index.cshtml @@ -54,4 +54,7 @@ } - \ No newline at end of file + + +

Ticket User Data

+
@ViewData["TestCookie-UserData"]
diff --git a/samples/TestImplementation.SetCookie/Controllers/LoginController.cs b/samples/TestImplementation.SetCookie/Controllers/LoginController.cs index 76267b2..453c05c 100644 --- a/samples/TestImplementation.SetCookie/Controllers/LoginController.cs +++ b/samples/TestImplementation.SetCookie/Controllers/LoginController.cs @@ -1,4 +1,6 @@ -using System.Web.Mvc; +using System; +using System.Web; +using System.Web.Mvc; using TestImplementation.SetCookie.Models; namespace TestImplementation.SetCookie.Controllers @@ -19,6 +21,10 @@ public ActionResult Index(LoginVM model) { if (ModelState.IsValid) { + var ticket = new System.Web.Security.FormsAuthenticationTicket(1, "TestTicket", DateTime.Now, DateTime.Now.AddDays(1), true, "The answer is '42'."); + var encryptedTicket = System.Web.Security.FormsAuthentication.Encrypt(ticket); + Response.Cookies.Add(new HttpCookie("TestCookie", encryptedTicket)); + System.Web.Security.FormsAuthentication.SetAuthCookie(model.UserName, true); return Redirect(model.ReturnUrl); } diff --git a/src/Synercoding.FormsAuthentication/FormsAuthenticationCryptor.cs b/src/Synercoding.FormsAuthentication/FormsAuthenticationCryptor.cs index bd9298d..53a9b75 100644 --- a/src/Synercoding.FormsAuthentication/FormsAuthenticationCryptor.cs +++ b/src/Synercoding.FormsAuthentication/FormsAuthenticationCryptor.cs @@ -33,6 +33,20 @@ public string Protect(FormsAuthenticationCookie cookie) return CryptoUtil.BinaryToHex(protectedData); } + public string Protect(FormsAuthenticationTicket ticket) + { + if (ticket == null) + throw new ArgumentNullException(nameof(ticket)); + + var unprotectedData = FormsAuthenticationTicketSerializer.Serialize(ticket); + + var cryptoProvider = AspNetCryptoServiceProvider.GetCryptoServiceProvider(_options); + var cryptoService = cryptoProvider.GetCryptoService(); + byte[] protectedData = cryptoService.Protect(unprotectedData); + + return CryptoUtil.BinaryToHex(protectedData); + } + public FormsAuthenticationCookie Unprotect(string protectedText) { if (protectedText == null) @@ -99,7 +113,7 @@ private FormsAuthenticationCookie ConvertToAuthenticationTicket(byte[] data) byte footer = ticketReader.ReadByte(); if (footer != 0xFF) throw new ArgumentException("The data is not in the correct format, footer byte must be 0xFF.", nameof(data)); - + //create ticket return new FormsAuthenticationCookie() { diff --git a/src/Synercoding.FormsAuthentication/FormsAuthenticationTicket.cs b/src/Synercoding.FormsAuthentication/FormsAuthenticationTicket.cs new file mode 100644 index 0000000..848b9f3 --- /dev/null +++ b/src/Synercoding.FormsAuthentication/FormsAuthenticationTicket.cs @@ -0,0 +1,251 @@ +//------------------------------------------------------------------------------ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// +//------------------------------------------------------------------------------ + +/* + * FormsAuthenticationTicket class + * + * Copyright (c) 1999 Microsoft Corporation + */ + +namespace Synercoding.FormsAuthentication +{ + using System.Security.Principal; + using System.Security.Permissions; + //using System.Web.Configuration; + using System.Runtime.Serialization; + using System; + + + /// + /// This class encapsulates the information represented in + /// an authentication cookie as used by FormsAuthenticationModule. + /// + [Serializable] + public sealed class FormsAuthenticationTicket + { + + /// + /// A one byte version number for future + /// use. + /// + public int Version { get { return _Version; } } + + /// + /// The user name associated with the + /// authentication cookie. Note that, at most, 32 bytes are stored in the + /// cookie. + /// + public String Name { get { return _Name; } } + + /// + /// The date/time at which the cookie + /// expires. + /// + public DateTime Expiration { get { return _Expiration; } } + + /// + /// The time at which the cookie was originally + /// issued. This can be used for custom expiration schemes. + /// + public DateTime IssueDate { get { return _IssueDate; } } + + /// + /// True if a durable cookie was issued. + /// Otherwise, the authentication cookie is scoped to the browser lifetime. + /// + public bool IsPersistent { get { return _IsPersistent; } } + + /// + /// [To be supplied.] + /// + public bool Expired + { + get + { + /* + * Two DateTime instances can only be compared if they are of the same DateTimeKind. + * Therefore we normalize everything to UTC to do the comparison. See comments on + * the ExpirationUtc property for more information + */ + return (ExpirationUtc < DateTime.UtcNow); + } + } + + /// + /// [To be supplied.] + /// + public String UserData { get { return _UserData; } } + + + /// + /// [To be supplied.] + /// + public String CookiePath { get { return _CookiePath; } } + + /* + * We always prefer UTC expiration dates to work around issues like a daylight + * saving time changes between the time the ticket was issued and the time the + * ticket was checked. If we have a firm UTC expiration date, just use it + * directly. + * + * If we don't have a firm UTC expiration date, try converting the developer- + * provided date to UTC before doing the comparison. There are three types of + * DateTime, and the .NET Framework converts as so: + * + * - The DateTime is already UTC, in which case it is returned unmodified. + * - The DateTime is local, in which case the .NET Framework converts it to + * UTC. There is also a hidden bit in the DateTime struct which essentially + * states whether daylight saving time was active when this DateTime was + * generated, i.e. whether this was 2:02 AM PDT or 2:02 AM PST. The .NET + * framework handles round-tripping Local <-> UTC correctly, but comparisons + * can still fail as described in detail below. + * - The DateTime is of an undefined type, in which case it is implicitly + * treated as local in a manner consistent with .NET 1.1. + * + * However, this alone is insufficient to work around DST issues when comparing + * local dates. For example, assume that a ticket is issued on Nov 6, 2011 at + * 1:30 AM PDT (UTC -0700) with a timeout period of 20 minutes. The expiration + * date is thus calculated to be Nov 6, 2011 at 1:50 AM PDT (UTC -0700). Now + * say a request comes in 25 minutes after expiration; the time is currently + * 1:15 AM PST (UTC -0800). [A DST boundary has been crossed.] Since this + * request came in *after* the ticket expiration date, the ticket should be + * rejected. And if we were doing all of our comparisons in UTC, this would + * indeed be the case. However, since the DateTime struct doesn't have UTC + * offset information embedded in it, comparisons of their dates are taken at + * face value as simple wall time comparisons. Thus the current time is + * interpreted just as "1:15 AM" and the expiration time is intepreted just as + * "1:50 AM", and from this simple comparison the token is considered unexpired + * and is accepted by the system. + * + * To see this incorrect behavior in action, run the following on a machine + * in the Pacific Time Zone. Contrast the behavior of the DateTimeOffset type + * (which is designed to handle UTC offsets correctly) with the DateTime type, in + * which the FromFileTime method implicitly does a local time conversion. + * + * long ft1 = 129650430000000000; // Nov 6, 2011 1:50 AM PDT (UTC -0700) + * long ft2 = 129650445000000000; // Nov 6, 2011 1:15 AM PST (UTC -0800) + * DateTimeOffset.FromFileTime(ft1) < DateTimeOffset.FromFileTime(ft2) = true + * DateTime.FromFileTime(ft1) < DateTime.FromFileTime(ft2) = false (INCORRECT!) + * + * To be absolutely safe, we must perform comparisons *only* on DateTime instances + * we know to have correct UTC information, or we must use an offset-aware type + * like DateTimeOffset which just does the right thing automatically. + * + * More info: http://msdn.microsoft.com/en-us/library/bb546099.aspx + */ + internal DateTime ExpirationUtc + { + get { return (_ExpirationUtcHasValue) ? _ExpirationUtc : Expiration.ToUniversalTime(); } + } + + internal DateTime IssueDateUtc + { + get { return (_IssueDateUtcHasValue) ? _IssueDateUtc : IssueDate.ToUniversalTime(); } + } + + private int _Version; + private String _Name; + private DateTime _Expiration; + private DateTime _IssueDate; + private bool _IsPersistent; + private String _UserData; + private String _CookiePath; + +#pragma warning disable 0169 // unused field + // These fields were added in .NET 4 but weren't actually used anywhere. + // We can't remove them since they're part of the serialization contract. + [OptionalField(VersionAdded = 2)] + private int _InternalVersion; + [OptionalField(VersionAdded = 2)] + private Byte[] _InternalData; +#pragma warning restore 0169 + + // Issue and expiration times as UTC. + // We can't use nullable types since they didn't exist in v1.1, and this assists backporting fixes downlevel. + [NonSerialized] + private bool _ExpirationUtcHasValue; + [NonSerialized] + private DateTime _ExpirationUtc; + [NonSerialized] + private bool _IssueDateUtcHasValue; + [NonSerialized] + private DateTime _IssueDateUtc; + + + ///// + ///// This constructor creates a + ///// FormsAuthenticationTicket instance with explicit values. + ///// + //public FormsAuthenticationTicket(int version, + // String name, + // DateTime issueDate, + // DateTime expiration, + // bool isPersistent, + // String userData) + //{ + // _Version = version; + // _Name = name; + // _Expiration = expiration; + // _IssueDate = issueDate; + // _IsPersistent = isPersistent; + // _UserData = userData; + // _CookiePath = FormsAuthentication.FormsCookiePath; + //} + + + public FormsAuthenticationTicket(int version, + String name, + DateTime issueDate, + DateTime expiration, + bool isPersistent, + String userData, + String cookiePath) + { + _Version = version; + _Name = name; + _Expiration = expiration; + _IssueDate = issueDate; + _IsPersistent = isPersistent; + _UserData = userData; + _CookiePath = cookiePath; + } + + + + ///// + ///// This constructor creates + ///// a FormsAuthenticationTicket instance with the specified name and cookie durability, + ///// and default values for the other settings. + ///// + //public FormsAuthenticationTicket(String name, bool isPersistent, Int32 timeout) + //{ + // _Version = 2; + // _Name = name; + // _IssueDateUtcHasValue = true; + // _IssueDateUtc = DateTime.UtcNow; + // _IssueDate = DateTime.Now; + // _IsPersistent = isPersistent; + // _UserData = ""; + // _ExpirationUtcHasValue = true; + // _ExpirationUtc = _IssueDateUtc.AddMinutes(timeout); + // _Expiration = _IssueDate.AddMinutes(timeout); + // _CookiePath = FormsAuthentication.FormsCookiePath; + //} + + internal static FormsAuthenticationTicket FromUtc(int version, String name, DateTime issueDateUtc, DateTime expirationUtc, bool isPersistent, String userData, String cookiePath) + { + FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(version, name, issueDateUtc.ToLocalTime(), expirationUtc.ToLocalTime(), isPersistent, userData, cookiePath); + + ticket._IssueDateUtcHasValue = true; + ticket._IssueDateUtc = issueDateUtc; + ticket._ExpirationUtcHasValue = true; + ticket._ExpirationUtc = expirationUtc; + + return ticket; + } + + } +} diff --git a/src/Synercoding.FormsAuthentication/FormsAuthenticationTicketSerializer.cs b/src/Synercoding.FormsAuthentication/FormsAuthenticationTicketSerializer.cs new file mode 100644 index 0000000..ce6d6b0 --- /dev/null +++ b/src/Synercoding.FormsAuthentication/FormsAuthenticationTicketSerializer.cs @@ -0,0 +1,305 @@ +//------------------------------------------------------------------------------ +// +// Copyright (c) Microsoft Corporation. All rights reserved. +// +//------------------------------------------------------------------------------ + +namespace Synercoding.FormsAuthentication +{ + using System; + using System.Diagnostics; + using System.IO; + using System.Security.Cryptography; + using System.Text; + //using System.Web.Util; + + // A helper class which can serialize / deserialize FormsAuthenticationTicket instances. + // + // MSRC 11838 / DevDiv #292994 (http://vstfdevdiv:8080/DevDiv2/web/wi.aspx?id=292994): + // We need to fix the format of the serialized FormsAuthenticationTicket to account for + // the fact that the string payloads can contain any arbitrary characters, including + // embedded nulls. In particular, because of that vulnerability, we must assume that *any* + // FormsAuthenticationTicket generated by a pre-patch system is potentially the result + // of a malicious action. This new serialized format was chosen because it guarantees + // a compatibility break between either old format and the new format: pre-patch systems + // will reject post-patch tickets as having an invalid format, and post-patch systems + // will also reject pre-patch tickets as having an invalid format. + + /* Current (v1) ticket format + * ========================== + * + * Serialized ticket format version number: 1 byte + * FormsAuthenticationTicket.Version: 1 byte + * FormsAuthenticationTicket.IssueDateUtc: 8 bytes + * {spacer}: 1 byte + * FormsAuthenticationTicket.ExpirationUtc: 8 bytes + * FormsAuthenticationTicket.IsPersistent: 1 byte + * FormsAuthenticationTicket.Name: 1+ bytes (1+ length prefix, 0+ payload) + * FormsAuthenticationTicket.UserData: 1+ bytes (1+ length prefix, 0+ payload) + * FormsAuthenticationTicket.CookiePath: 1+ bytes (1+ length prefix, 0+ payload) + * {footer}: 1 byte + */ + + internal static class FormsAuthenticationTicketSerializer + { + + private const byte CURRENT_TICKET_SERIALIZED_VERSION = 0x01; + + // Resurrects a FormsAuthenticationTicket from its serialized blob representation. + // The input blob must be unsigned and unencrypted. This function returns null if + // the serialized ticket format is invalid. The caller must also verify that the + // ticket is still valid, as this method doesn't check expiration. + public static FormsAuthenticationTicket Deserialize(byte[] serializedTicket, int serializedTicketLength) + { + try + { + using (MemoryStream ticketBlobStream = new MemoryStream(serializedTicket)) + { + using (SerializingBinaryReader ticketReader = new SerializingBinaryReader(ticketBlobStream)) + { + + // Step 1: Read the serialized format version number from the stream. + // Currently the only supported format is 0x01. + // LENGTH: 1 byte + byte serializedFormatVersion = ticketReader.ReadByte(); + if (serializedFormatVersion != CURRENT_TICKET_SERIALIZED_VERSION) + { + return null; // unexpected value + } + + // Step 2: Read the ticket version number from the stream. + // LENGTH: 1 byte + int ticketVersion = ticketReader.ReadByte(); + + // Step 3: Read the ticket issue date from the stream. + // LENGTH: 8 bytes + long ticketIssueDateUtcTicks = ticketReader.ReadInt64(); + DateTime ticketIssueDateUtc = new DateTime(ticketIssueDateUtcTicks, DateTimeKind.Utc); + DateTime ticketIssueDateLocal = ticketIssueDateUtc.ToLocalTime(); + + // Step 4: Read the spacer from the stream. + // LENGTH: 1 byte + byte spacer = ticketReader.ReadByte(); + if (spacer != 0xfe) + { + return null; // unexpected value + } + + // Step 5: Read the ticket expiration date from the stream. + // LENGTH: 8 bytes + long ticketExpirationDateUtcTicks = ticketReader.ReadInt64(); + DateTime ticketExpirationDateUtc = new DateTime(ticketExpirationDateUtcTicks, DateTimeKind.Utc); + DateTime ticketExpirationDateLocal = ticketExpirationDateUtc.ToLocalTime(); + + // Step 6: Read the ticket persistence field from the stream. + // LENGTH: 1 byte + byte ticketPersistenceFieldValue = ticketReader.ReadByte(); + bool ticketIsPersistent; + switch (ticketPersistenceFieldValue) + { + case 0: + ticketIsPersistent = false; + break; + case 1: + ticketIsPersistent = true; + break; + default: + return null; // unexpected value + } + + // Step 7: Read the ticket username from the stream. + // LENGTH: 1+ bytes (7-bit encoded integer char count + UTF-16LE payload) + string ticketName = ticketReader.ReadBinaryString(); + + // Step 8: Read the ticket custom data from the stream. + // LENGTH: 1+ bytes (7-bit encoded integer char count + UTF-16LE payload) + string ticketUserData = ticketReader.ReadBinaryString(); + + // Step 9: Read the ticket cookie path from the stream. + // LENGTH: 1+ bytes (7-bit encoded integer char count + UTF-16LE payload) + string ticketCookiePath = ticketReader.ReadBinaryString(); + + // Step 10: Read the footer from the stream. + // LENGTH: 1 byte + byte footer = ticketReader.ReadByte(); + if (footer != 0xff) + { + return null; // unexpected value + } + + // Step 11: Verify that we have consumed the entire payload. + // We don't expect there to be any more information after the footer. + // The caller is responsible for telling us when the actual payload + // is finished, as he may have handed us a byte array that contains + // the payload plus signature as an optimization, and we don't want + // to misinterpet the signature as a continuation of the payload. + if (ticketBlobStream.Position != serializedTicketLength) + { + return null; + } + + // Success. + return FormsAuthenticationTicket.FromUtc( + ticketVersion /* version */, + ticketName /* name */, + ticketIssueDateUtc /* issueDateUtc */, + ticketExpirationDateUtc /* expirationUtc */, + ticketIsPersistent /* isPersistent */, + ticketUserData /* userData */, + ticketCookiePath /* cookiePath */); + } + } + } + catch + { + // If anything goes wrong while parsing the token, just treat the token as invalid. + return null; + } + } + + // Turns a FormsAuthenticationTicket into a serialized blob. + // The resulting blob is not encrypted or signed. + public static byte[] Serialize(FormsAuthenticationTicket ticket) + { + using (MemoryStream ticketBlobStream = new MemoryStream()) + { + using (SerializingBinaryWriter ticketWriter = new SerializingBinaryWriter(ticketBlobStream)) + { + + // SECURITY NOTE: + // Earlier versions of the serializer (Framework20 / Framework40) wrote out a + // random 8-byte header as the first part of the payload. This random header + // was used as an IV when the ticket was encrypted, since the early encryption + // routines didn't automatically append an IV when encrypting data. However, + // the MSRC 10405 (Pythia) patch causes all of our crypto routines to use an + // IV automatically, so there's no need for us to include a random IV in the + // serialized stream any longer. We can just write out only the data, and the + // crypto routines will do the right thing. + + // Step 1: Write the ticket serialized format version number (currently 0x01) to the stream. + // LENGTH: 1 byte + ticketWriter.Write(CURRENT_TICKET_SERIALIZED_VERSION); + + // Step 2: Write the ticket version number to the stream. + // This is the developer-specified FormsAuthenticationTicket.Version property, + // which is just ticket metadata. Technically it should be stored as a 32-bit + // integer instead of just a byte, but we have historically been storing it + // as just a single byte forever and nobody has complained. + // LENGTH: 1 byte + ticketWriter.Write((byte)ticket.Version); + + // Step 3: Write the ticket issue date to the stream. + // We store this value as UTC ticks. We can't use DateTime.ToBinary() since it + // isn't compatible with .NET v1.1. + // LENGTH: 8 bytes (64-bit little-endian in payload) + ticketWriter.Write(ticket.IssueDateUtc.Ticks); + + // Step 4: Write a one-byte spacer (0xfe) to the stream. + // One of the old ticket formats (Framework40) expects the unencrypted payload + // to contain 0x000000 (3 null bytes) beginning at position 9 in the stream. + // Since we're currently at offset 10 in the serialized stream, we can take + // this opportunity to purposely inject a non-null byte at this offset, which + // intentionally breaks compatibility with Framework40 mode. + // LENGTH: 1 byte + Debug.Assert(ticketBlobStream.Position == 10, "Critical that we be at position 10 in the stream at this point."); + ticketWriter.Write((byte)0xfe); + + // Step 5: Write the ticket expiration date to the stream. + // We store this value as UTC ticks. + // LENGTH: 8 bytes (64-bit little endian in payload) + ticketWriter.Write(ticket.ExpirationUtc.Ticks); + + // Step 6: Write the ticket persistence field to the stream. + // LENGTH: 1 byte + ticketWriter.Write(ticket.IsPersistent); + + // Step 7: Write the ticket username to the stream. + // LENGTH: 1+ bytes (7-bit encoded integer char count + UTF-16LE payload) + ticketWriter.WriteBinaryString(ticket.Name); + + // Step 8: Write the ticket custom data to the stream. + // LENGTH: 1+ bytes (7-bit encoded integer char count + UTF-16LE payload) + ticketWriter.WriteBinaryString(ticket.UserData); + + // Step 9: Write the ticket cookie path to the stream. + // LENGTH: 1+ bytes (7-bit encoded integer char count + UTF-16LE payload) + ticketWriter.WriteBinaryString(ticket.CookiePath); + + // Step 10: Write a one-byte footer (0xff) to the stream. + // One of the old FormsAuthenticationTicket formats (Framework20) requires + // that the payload end in 0x0000 (U+0000). By making the very last byte + // of this format non-null, we can guarantee a compatiblity break between + // this format and Framework20. + // LENGTH: 1 byte + ticketWriter.Write((byte)0xff); + + // Finished. + return ticketBlobStream.ToArray(); + } + } + } + + // see comments on SerializingBinaryWriter + private sealed class SerializingBinaryReader : BinaryReader + { + public SerializingBinaryReader(Stream input) + : base(input) + { + } + + public string ReadBinaryString() + { + int charCount = Read7BitEncodedInt(); + byte[] bytes = ReadBytes(charCount * 2); + + char[] chars = new char[charCount]; + for (int i = 0; i < chars.Length; i++) + { + chars[i] = (char)(bytes[2 * i] | (bytes[2 * i + 1] << 8)); + } + + return new String(chars); + } + + public override string ReadString() + { + // should never call this method since it will produce wrong results + throw new NotImplementedException(); + } + } + + // This is a special BinaryWriter which serializes strings in a way that is + // entirely round-trippable. For example, the string "\ud800" is a valid .NET + // Framework string, but since U+D800 is an unpaired Unicode surrogate the + // built-in Encoding types will not round-trip it. Strings are serialized as a + // 7-bit character count (not byte count!) followed by a UTF-16LE payload. + private sealed class SerializingBinaryWriter : BinaryWriter + { + public SerializingBinaryWriter(Stream output) + : base(output) + { + } + + public override void Write(string value) + { + // should never call this method since it will produce wrong results + throw new NotImplementedException(); + } + + public void WriteBinaryString(string value) + { + byte[] bytes = new byte[value.Length * 2]; + for (int i = 0; i < value.Length; i++) + { + char c = value[i]; + bytes[2 * i] = (byte)c; + bytes[2 * i + 1] = (byte)(c >> 8); + } + + Write7BitEncodedInt(value.Length); + Write(bytes); + } + } + + } +}