Merge pull request #422 from thadumi/cbt-validation

Add GSS channel binding support per RFC 4121 section 4.1.1.2 for AP-REQ and TGS-REQ

Author: SteveSyfuhs

Kerberos.NET/Crypto/DecryptedKrbApReq.cs

@@ -36,6 +36,28 @@ public DecryptedKrbApReq(KrbApReq token, MessageType incomingMessageType = Messa
 
         public KrbEncKrbCredPart DelegationTicket { get; private set; }
 
+        /// <summary>
+        /// The channel binding hash (Bnd field) extracted from the authenticator checksum,
+        /// as described in RFC 4121 section 4.1.1.2. This is a 16-byte MD5 hash of the
+        /// <see cref="GssChannelBindings"/> structure. Will be null or empty if no channel
+        /// bindings were supplied by the initiator.
+        /// </summary>
+        public ReadOnlyMemory<byte> ChannelBindingHash { get; private set; }
+
+        /// <summary>
+        /// Expected channel bindings to validate against when <see cref="ValidationActions.ChannelBinding"/> is enabled.
+        /// </summary>
+        public GssChannelBindings ExpectedChannelBindings { get; set; }
+
+        /// <summary>
+        /// Accepts a raw SEC_CHANNEL_BINDINGS buffer (as returned by Windows SSPI)
+        /// and converts it to <see cref="ExpectedChannelBindings"/>.
+        /// </summary>
+        public void SetExpectedChannelBindingsFromSecChannelBindings(ReadOnlyMemory<byte> buffer)
+        {
+            this.ExpectedChannelBindings = GssChannelBindings.FromSecChannelBindings(buffer);
+        }
+
         public KerberosKey SessionKey { get; private set; }
 
         private readonly KrbApReq token;
@@ -161,6 +183,11 @@ private KrbEncKrbCredPart TryExtractDelegationTicket(KrbChecksum checksum)
 
             var delegationInfo = checksum.DecodeDelegation();
 
+            if (delegationInfo != null)
+            {
+                this.ChannelBindingHash = delegationInfo.ChannelBindingHash;
+            }
+
             var delegation = delegationInfo?.DelegationTicket;
 
             if (delegation == null)
@@ -212,6 +239,35 @@ public override void Validate(ValidationActions validation)
             {
                 this.ValidateTicketRenewal(this.Ticket.RenewTill, now, this.Skew);
             }
+
+            if (validation.HasFlag(ValidationActions.ChannelBinding))
+            {
+                this.ValidateChannelBinding();
+            }
+        }
+
+        protected virtual void ValidateChannelBinding()
+        {
+            if (this.ExpectedChannelBindings == null)
+            {
+                return;
+            }
+
+            var expectedHash = this.ExpectedChannelBindings.ComputeBindingHash();
+
+            if (this.ChannelBindingHash.Length == 0)
+            {
+                throw new KerberosValidationException(
+                    "Channel Bindings are required by the acceptor but were not supplied by the initiator."
+                );
+            }
+
+            if (!KerberosCryptoTransformer.AreEqualSlow(expectedHash.Span, this.ChannelBindingHash.Span))
+            {
+                throw new KerberosValidationException(
+                    "The Channel Bindings hash from the initiator does not match the expected channel bindings."
+                );
+            }
         }
 
         public override string ToString()

Kerberos.NET/Entities/GssApi/GssChannelBindings.cs

@@ -0,0 +1,119 @@
+// -----------------------------------------------------------------------
+// Licensed to The .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// -----------------------------------------------------------------------
+
+using System;
+using System.Buffers.Binary;
+using System.IO;
+using System.Security.Cryptography;
+
+namespace Kerberos.NET.Entities
+{
+    /// <summary>
+    /// Represents gss_channel_bindings_struct per RFC 4121 section 4.1.1.2.
+    /// </summary>
+    public class GssChannelBindings
+    {
+        private const int SecChannelBindingsHeaderSize = 32;
+
+        public int InitiatorAddrType { get; set; }
+
+        public ReadOnlyMemory<byte> InitiatorAddress { get; set; }
+
+        public int AcceptorAddrType { get; set; }
+
+        public ReadOnlyMemory<byte> AcceptorAddress { get; set; }
+
+        /// <summary>
+        /// Protocol-specific channel binding data
+        /// e.g. tls-server-end-point or tls-unique as per RFC 5929
+        /// </summary>
+        public ReadOnlyMemory<byte> ApplicationData { get; set; }
+
+        /// <summary>
+        /// Computes the 16-byte MD5 binding hash (Bnd field) per RFC 4121 section 4.1.1.2.
+        /// </summary>
+        public ReadOnlyMemory<byte> ComputeBindingHash()
+        {
+            using var stream = new MemoryStream();
+            using var writer = new BinaryWriter(stream);
+
+            writer.Write(this.InitiatorAddrType);
+            writer.Write(this.InitiatorAddress.Length);
+
+            if (this.InitiatorAddress.Length > 0)
+            {
+                writer.Write(this.InitiatorAddress.ToArray());
+            }
+
+            writer.Write(this.AcceptorAddrType);
+            writer.Write(this.AcceptorAddress.Length);
+
+            if (this.AcceptorAddress.Length > 0)
+            {
+                writer.Write(this.AcceptorAddress.ToArray());
+            }
+
+            writer.Write(this.ApplicationData.Length);
+
+            if (this.ApplicationData.Length > 0)
+            {
+                writer.Write(this.ApplicationData.ToArray());
+            }
+
+            var data = stream.ToArray();
+
+            using var md5 = MD5.Create();
+            return md5.ComputeHash(data);
+        }
+
+        /// <summary>
+        /// Parses a raw SEC_CHANNEL_BINDINGS flat buffer (as returned by Windows SSPI) into a <see cref="GssChannelBindings"/>.
+        /// </summary>
+        public static GssChannelBindings FromSecChannelBindings(ReadOnlyMemory<byte> rawBuffer)
+        {
+            if (rawBuffer.Length < SecChannelBindingsHeaderSize)
+            {
+                throw new ArgumentException(
+                    $"Buffer is too small to contain a SEC_CHANNEL_BINDINGS header. Expected at least {SecChannelBindingsHeaderSize} bytes.",
+                    nameof(rawBuffer));
+            }
+
+            var span = rawBuffer.Span;
+
+            var bindings = new GssChannelBindings
+            {
+                InitiatorAddrType = BinaryPrimitives.ReadInt32LittleEndian(span.Slice(0)),
+            };
+
+            int initiatorLength = BinaryPrimitives.ReadInt32LittleEndian(span.Slice(4));
+            int initiatorOffset = BinaryPrimitives.ReadInt32LittleEndian(span.Slice(8));
+
+            bindings.AcceptorAddrType = BinaryPrimitives.ReadInt32LittleEndian(span.Slice(12));
+
+            int acceptorLength = BinaryPrimitives.ReadInt32LittleEndian(span.Slice(16));
+            int acceptorOffset = BinaryPrimitives.ReadInt32LittleEndian(span.Slice(20));
+
+            int applicationDataLength = BinaryPrimitives.ReadInt32LittleEndian(span.Slice(24));
+            int applicationDataOffset = BinaryPrimitives.ReadInt32LittleEndian(span.Slice(28));
+
+            if (initiatorLength > 0)
+            {
+                bindings.InitiatorAddress = rawBuffer.Slice(initiatorOffset, initiatorLength);
+            }
+
+            if (acceptorLength > 0)
+            {
+                bindings.AcceptorAddress = rawBuffer.Slice(acceptorOffset, acceptorLength);
+            }
+
+            if (applicationDataLength > 0)
+            {
+                bindings.ApplicationData = rawBuffer.Slice(applicationDataOffset, applicationDataLength);
+            }
+
+            return bindings;
+        }
+    }
+}

Kerberos.NET/Entities/Krb/DelegationInfo.cs

@@ -42,20 +42,25 @@ public DelegationInfo()
         public DelegationInfo(RequestServiceTicket rst)
         {
             this.Flags = rst.GssContextFlags;
+
+            if (rst.ChannelBindings != null)
+            {
+                this.ChannelBindingHash = rst.ChannelBindings.ComputeBindingHash();
+            }
         }
 
         public ReadOnlyMemory<byte> Encode()
         {
             using (var stream = new MemoryStream())
             using (var writer = new BinaryWriter(stream))
             {
-                if (this.ChannelBinding.Length == 0)
+                if (this.ChannelBindingHash.Length == 0)
                 {
-                    this.ChannelBinding = new byte[ChannelBindingLength];
+                    this.ChannelBindingHash = new byte[ChannelBindingLength];
                 }
 
-                writer.Write(this.ChannelBinding.Length);
-                writer.Write(this.ChannelBinding.ToArray());
+                writer.Write(this.ChannelBindingHash.Length);
+                writer.Write(this.ChannelBindingHash.ToArray());
 
                 if (this.DelegationTicket != null)
                 {
@@ -85,7 +90,7 @@ public DelegationInfo Decode(ReadOnlyMemory<byte> value)
             {
                 this.Length = reader.ReadInt32();
 
-                this.ChannelBinding = reader.ReadBytes(this.Length);
+                this.ChannelBindingHash = reader.ReadBytes(this.Length);
 
                 this.Flags = (GssContextEstablishmentFlag)reader.ReadBytes(4).AsLong(littleEndian: true);
 
@@ -124,7 +129,7 @@ public DelegationInfo Decode(ReadOnlyMemory<byte> value)
 
         public int Length { get; set; }
 
-        public ReadOnlyMemory<byte> ChannelBinding { get; set; }
+        public ReadOnlyMemory<byte> ChannelBindingHash { get; set; }
 
         public GssContextEstablishmentFlag Flags { get; set; }
 
@@ -134,4 +139,4 @@ public DelegationInfo Decode(ReadOnlyMemory<byte> value)
 
         public ReadOnlyMemory<byte> Extensions { get; set; }
     }
-}
+}

Kerberos.NET/Entities/Krb/KrbTgsReq.cs

@@ -113,7 +113,7 @@ out KrbEncryptionKey sessionKey
                 KeyUsage.PaTgsReqChecksum
             );
 
-            var tgtApReq = CreateApReq(kdcRep, tgtSessionKey, bodyChecksum, out sessionKey);
+            var tgtApReq = CreateApReq(kdcRep, tgtSessionKey, bodyChecksum, rst.ChannelBindings, out sessionKey);
 
             var pacOptions = new KrbPaPacOptions
             {
@@ -200,7 +200,7 @@ private static ReadOnlyMemory<byte> EncodeS4URequest(string s4u, X509Certificate
             return paX509.Encode();
         }
 
-        private static KrbApReq CreateApReq(KrbKdcRep kdcRep, KrbEncryptionKey tgtSessionKey, KrbChecksum checksum, out KrbEncryptionKey sessionKey)
+        private static KrbApReq CreateApReq(KrbKdcRep kdcRep, KrbEncryptionKey tgtSessionKey, KrbChecksum checksum, GssChannelBindings channelBindings, out KrbEncryptionKey sessionKey)
         {
             var tgt = kdcRep.Ticket;
 
@@ -212,6 +212,13 @@ private static KrbApReq CreateApReq(KrbKdcRep kdcRep, KrbEncryptionKey tgtSessio
                 Checksum = checksum
             };
 
+            if (channelBindings != null)
+            {
+                var delegInfo = new DelegationInfo();
+                delegInfo.ChannelBindingHash = channelBindings.ComputeBindingHash();
+                authenticator.Checksum = KrbChecksum.EncodeDelegationChecksum(delegInfo);
+            }
+
             sessionKey = KrbEncryptionKey.Generate(tgtSessionKey.EType);
 
             sessionKey.Usage = KeyUsage.EncTgsRepPartSubSessionKey;

Kerberos.NET/Entities/RequestServiceTicket.cs

@@ -65,6 +65,11 @@ public struct RequestServiceTicket : IEquatable<RequestServiceTicket>
         /// </summary>
         public GssContextEstablishmentFlag GssContextFlags { get; set; }
 
+        /// <summary>
+        /// Optional GSS channel bindings to include in the authenticator checksum.
+        /// </summary>
+        public GssChannelBindings ChannelBindings { get; set; }
+
         /// <summary>
         /// Includes additional configuration details for the request.
         /// </summary>

Kerberos.NET/KerberosValidator.cs

@@ -5,6 +5,7 @@
 
 using System;
 using System.Globalization;
+using System.Runtime.Versioning;
 using System.Security;
 using System.Text;
 using System.Threading.Tasks;
@@ -46,6 +47,20 @@ public KerberosValidator(KeyTable keytab, ILoggerFactory logger = null, ITicketR
 
         public ValidationActions ValidateAfterDecrypt { get; set; }
 
+        /// <summary>
+        /// Expected channel bindings to validate during decryption.
+        /// </summary>
+        public GssChannelBindings ExpectedChannelBindings { get; set; }
+
+        /// <summary>
+        /// Accepts a raw SEC_CHANNEL_BINDINGS buffer (as returned by Windows SSPI)
+        /// and converts it to <see cref="ExpectedChannelBindings"/>.
+        /// </summary>
+        public void SetExpectedChannelBindingsFromSecChannelBindings(ReadOnlyMemory<byte> buffer)
+        {
+            this.ExpectedChannelBindings = GssChannelBindings.FromSecChannelBindings(buffer);
+        }
+
         private Func<DateTimeOffset> nowFunc;
 
         public Func<DateTimeOffset> Now
@@ -83,6 +98,7 @@ public async Task<DecryptedKrbApReq> Validate(ReadOnlyMemory<byte> requestBytes)
             this.logger.LogTrace("Kerberos request decrypted {SName}", decryptedToken.SName.FullyQualifiedName);
 
             decryptedToken.Now = this.Now;
+            decryptedToken.ExpectedChannelBindings = this.ExpectedChannelBindings;
 
             if (this.ValidateAfterDecrypt > 0)
             {

Kerberos.NET/Server/PaDataTgsTicketHandler.cs

@@ -17,7 +17,7 @@ public PaDataTgsTicketHandler(IRealmService service)
         {
         }
 
-        public ValidationActions Validation { get; set; } = ValidationActions.All & ~ValidationActions.Replay;
+        public ValidationActions Validation { get; set; } = ValidationActions.All & ~ValidationActions.Replay & ~ValidationActions.ChannelBinding;
 
         /// <summary>
         /// Executes before the validation stage and can be used for initial decoding of the message.

Kerberos.NET/ValidationAction.cs

@@ -70,6 +70,11 @@ public enum ValidationActions
         /// </summary>
         SequenceNumberGreaterThan = 1 << 9,
 
+        /// <summary>
+        /// Validates channel bindings in the authenticator checksum.
+        /// </summary>
+        ChannelBinding = 1 << 10,
+
         /// <summary>
         /// Indicates all validation actions must be invoked.
         /// </summary>