Skip to content

Improvements for AP-REP validation #400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

Improvements for AP-REP validation #400

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
79db305
Add properties for each key to enable implementations that don't use …
CodyBatt Jul 1, 2025
f80f9e5
Try all keys to decrypt AP-REP, remove seq validation
petrsnd Jul 1, 2025
31cc965
AP-REP not AP_REP
petrsnd Jul 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 33 additions & 1 deletion Kerberos.NET/Client/ApplicationSessionContext.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ public class ApplicationSessionContext

public KrbEncryptionKey SessionKey { get; set; }

public KrbEncryptionKey ServiceTicketSessionKey { get; set; }

public KrbEncryptionKey ClientSubSessionKey { get; set; }

public int? SequenceNumber { get; set; }

public int CuSec { get; set; }
Expand All @@ -37,11 +41,39 @@ public KrbEncryptionKey AuthenticateServiceResponse(ReadOnlyMemory<byte> apRepBy
SequenceNumber = this.SequenceNumber
};

decrypted.Decrypt(this.SessionKey.AsKey());
DecryptApRep(decrypted);

decrypted.Validate(ValidationActions.TokenWindow);

return decrypted.Response.SubSessionKey ?? this.SessionKey;
}

private void DecryptApRep(DecryptedKrbApRep decrypted)
{
foreach (var key in new[]
{
this.SessionKey,
this.ServiceTicketSessionKey,
this.ClientSubSessionKey,
})
{
if (key == null)
{
continue;
}

try
{
decrypted.Decrypt(key.AsKey());
return;
}
catch (Exception)
{
// Not this key, continue to the next one
}
}

throw new InvalidOperationException("Failed to decrypt AP-REP with any of the provided keys.");
}
}
}
2 changes: 2 additions & 0 deletions Kerberos.NET/Client/KerberosClient.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -883,6 +883,8 @@ public async Task<ApplicationSessionContext> GetServiceTicket(
out KrbAuthenticator authenticator
),
SessionKey = authenticator.Subkey ?? serviceTicketCacheEntry.SessionKey,
ClientSubSessionKey = authenticator.Subkey,
ServiceTicketSessionKey = serviceTicketCacheEntry.SessionKey,
CTime = authenticator.CTime,
CuSec = authenticator.CuSec,
SequenceNumber = authenticator.SequenceNumber
Expand Down
14 changes: 7 additions & 7 deletions Kerberos.NET/Crypto/DecryptedKrbApRep.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,13 +62,13 @@ public override void Validate(ValidationActions validation)
);
}

if (this.SequenceNumber != this.Response.SequenceNumber)
{
throw new KerberosValidationException(
$"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
nameof(this.SequenceNumber)
);
}
//if (this.SequenceNumber != this.Response.SequenceNumber)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SteveSyfuhs Would you like us to remove DecryptedKrbApRep_Validate_Sequence or try to make it work by passing in a custom validator with this implementation as the default?

//{
// throw new KerberosValidationException(
// $"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
// nameof(this.SequenceNumber)
// );
//}
}
}
}
Loading