fix(sspi): Kerberos server MIC token generation and validation (#464)

Author: TheBestTvarynka

src/kerberos/client/mod.rs

@@ -27,7 +27,7 @@ use self::extractors::{
 use self::generators::{
     generate_ap_rep, generate_ap_req, generate_as_req_kdc_body, generate_authenticator, generate_neg_ap_req,
     generate_neg_token_init, generate_tgs_req, get_client_principal_name_type, get_client_principal_realm,
-    ChecksumOptions, ChecksumValues, EncKey, GenerateAsPaDataOptions, GenerateAsReqOptions,
+    get_mech_list, ChecksumOptions, ChecksumValues, EncKey, GenerateAsPaDataOptions, GenerateAsReqOptions,
     GenerateAuthenticatorOptions, GenerateTgsReqOptions, GssFlags,
 };
 use crate::channel_bindings::ChannelBindings;
@@ -42,6 +42,9 @@ use crate::{
     InitializeSecurityContextResult, Kerberos, KerberosState, Result, SecurityBuffer, SecurityStatus, SspiImpl,
 };
 
+/// Indicated that the MIC token `SentByAcceptor` flag must be enabled in the incoming MIC token.
+const SENT_BY_ACCEPTOR: u8 = 1;
+
 /// Performs one authentication step.
 ///
 /// The user should call this function until it returns `SecurityStatus::Ok`.
@@ -401,7 +404,12 @@ pub async fn initialize_security_context<'a>(
                 client.encryption_params.sub_session_key = Some(sub_session_key);
 
                 if let Some(ref token) = neg_token_targ.0.mech_list_mic.0 {
-                    validate_mic_token(&token.0 .0, ACCEPTOR_SIGN, &client.encryption_params)?;
+                    validate_mic_token::<SENT_BY_ACCEPTOR>(
+                        &token.0 .0,
+                        ACCEPTOR_SIGN,
+                        &client.encryption_params,
+                        &get_mech_list(),
+                    )?;
                 }
 
                 client.next_seq_number();

src/kerberos/server/generators.rs

@@ -91,7 +91,7 @@ pub fn generate_final_neg_token_targ(mech_id: ObjectIdentifier, ap_rep: ApRep, m
 }
 
 pub fn generate_mic_token(seq_number: u64, mut payload: Vec<u8>, session_key: &[u8]) -> Result<Vec<u8>> {
-    let mut mic_token = MicToken::with_initiator_flags().with_seq_number(seq_number);
+    let mut mic_token = MicToken::with_acceptor_flags().with_seq_number(seq_number);
 
     payload.extend_from_slice(&mic_token.header());
 

src/kerberos/server/mod.rs

@@ -36,6 +36,9 @@ use crate::{
     SecurityBuffer, SecurityStatus, ServerRequestFlags, ServerResponseFlags, SspiImpl, Username,
 };
 
+/// Indicated that the MIC token `SentByAcceptor` flag must not be enabled in the incoming MIC token.
+const SENT_BY_INITIATOR: u8 = 0;
+
 /// Additional properties that are needed only for server-side Kerberos.
 #[derive(Debug, Clone)]
 pub struct ServerProperties {
@@ -350,7 +353,7 @@ pub async fn accept_security_context(
                         .mech_types,
                 )?;
                 let mic = generate_mic_token(
-                    u64::from(server.seq_number + 1),
+                    u64::from(server.next_seq_number()),
                     mic_payload,
                     server
                         .encryption_params
@@ -377,8 +380,20 @@ pub async fn accept_security_context(
             SecurityStatus::ContinueNeeded
         }
         KerberosState::ApExchange => {
+            let server_props = server.server.as_mut().ok_or_else(|| {
+                Error::new(
+                    ErrorKind::InvalidHandle,
+                    "Kerberos server properties are not initialized",
+                )
+            })?;
+
             let client_mic = extract_client_mic_token(&input_token.buffer)?;
-            validate_mic_token(&client_mic, INITIATOR_SIGN, &server.encryption_params)?;
+            validate_mic_token::<SENT_BY_INITIATOR>(
+                &client_mic,
+                INITIATOR_SIGN,
+                &server.encryption_params,
+                &server_props.mech_types,
+            )?;
 
             server.state = KerberosState::PubKeyAuth;
 

src/kerberos/utils.rs

@@ -2,10 +2,9 @@ use std::io::Write;
 
 use picky_krb::constants::key_usages::INITIATOR_SIGN;
 use picky_krb::crypto::aes::{checksum_sha_aes, AesSize};
-use picky_krb::gss_api::MicToken;
+use picky_krb::gss_api::{MechTypeList, MicToken};
 use serde::Serialize;
 
-use crate::kerberos::client::generators::get_mech_list;
 use crate::kerberos::encryption_params::EncryptionParams;
 use crate::{Error, ErrorKind, Result};
 
@@ -22,10 +21,42 @@ pub fn serialize_message<T: ?Sized + Serialize>(v: &T) -> Result<Vec<u8>> {
     Ok(data)
 }
 
-pub fn validate_mic_token(raw_token: &[u8], key_usage: i32, params: &EncryptionParams) -> Result<()> {
+pub fn validate_mic_token<const IS_SENT_BY_ACCEPTOR: u8>(
+    raw_token: &[u8],
+    key_usage: i32,
+    params: &EncryptionParams,
+    mech_types: &MechTypeList,
+) -> Result<()> {
     let token = MicToken::decode(raw_token)?;
+    let token_flags = token.flags;
+
+    // [Flags Field](https://datatracker.ietf.org/doc/html/rfc4121#section-4.2.2):
+    //
+    // The meanings of bits in this field (the least significant bit is bit
+    // 0) are as follows:
+    //        Bit    Name             Description
+    //       --------------------------------------------------------------
+    //        0   SentByAcceptor   When set, this flag indicates the sender
+    //                             is the context acceptor.  When not set,
+    //                             it indicates the sender is the context
+    //                             initiator.
+    if token_flags & 0b01 != IS_SENT_BY_ACCEPTOR {
+        return Err(Error::new(
+            ErrorKind::InvalidToken,
+            "invalid MIC token SentByAcceptor flag",
+        ));
+    }
+    //        1   Sealed           When set in Wrap tokens, this flag
+    //                             indicates confidentiality is provided
+    //                             for.  It SHALL NOT be set in MIC tokens.
+    if token_flags & 0b10 == 0b10 {
+        return Err(Error::new(
+            ErrorKind::InvalidToken,
+            "the Sealed flag has not to be set in the MIC token",
+        ));
+    }
 
-    let mut payload = picky_asn1_der::to_vec(&get_mech_list())?;
+    let mut payload = picky_asn1_der::to_vec(mech_types)?;
     payload.extend_from_slice(&token.header());
 
     // The sub-session key is always preferred over the session key.