Replace sequence number validation with manual

SteveSyfuhs · SteveSyfuhs · commit 76b54806783c · 2025-09-09T20:47:42.000-07:00
diff --git a/Kerberos.NET/Crypto/DecryptedKrbApRep.cs b/Kerberos.NET/Crypto/DecryptedKrbApRep.cs
@@ -61,6 +61,52 @@ public override void Validate(ValidationActions validation)
                     nameof(this.CuSec)
                 );
             }
+
+            if (validation.HasFlag(ValidationActions.SequenceNumberEquals))
+            {
+                this.ValidateSequenceNumberEquals();
+            }
+
+            if (validation.HasFlag(ValidationActions.SequenceNumberGreaterThan))
+            {
+                this.ValidateSequenceNumberGreaterThan();
+            }
+        }
+
+        private void ValidateSequenceNumberGreaterThan()
+        {
+            if (this.SequenceNumber >= this.Response.SequenceNumber)
+            {
+                throw new KerberosValidationException(
+                    $"SequenceNumber is not incrementing. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
+                    nameof(this.SequenceNumber)
+                );
+            }
+            else if (this.SequenceNumber is not null && this.Response.SequenceNumber is null)
+            {
+                throw new KerberosValidationException(
+                    $"Response SequenceNumber is null. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
+                    nameof(this.SequenceNumber)
+                );
+            }
+            else if (this.SequenceNumber is null && this.Response.SequenceNumber is null)
+            {
+                throw new KerberosValidationException(
+                    $"Both SequenceNumber and response SequenceNumber are null and not incrementing. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
+                    nameof(this.SequenceNumber)
+                );
+            }
+        }
+
+        private void ValidateSequenceNumberEquals()
+        {
+            if (this.SequenceNumber != this.Response.SequenceNumber)
+            {
+                throw new KerberosValidationException(
+                    $"SequenceNumber does not match. Sent: {this.SequenceNumber}; Received: {this.Response.SequenceNumber}",
+                    nameof(this.SequenceNumber)
+                );
+            }
         }
     }
 }
diff --git a/Kerberos.NET/ValidationAction.cs b/Kerberos.NET/ValidationAction.cs
@@ -1,4 +1,4 @@
-// -----------------------------------------------------------------------
+﻿// -----------------------------------------------------------------------
 // Licensed to The .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // -----------------------------------------------------------------------
@@ -58,9 +58,21 @@ public enum ValidationActions
         /// </summary>
         RenewTill = 1 << 7,
 
+        /// <summary>
+        /// Validates that the caller wants to check if the sequence number equals the expected value.
+        /// Incompatible with `SequenceNumberGreaterThan`.
+        /// </summary>
+        SequenceNumberEquals = 1 << 8,
+
+        /// <summary>
+        /// Validates that the caller wants to check if the sequence number is greater than the expected value.
+        /// Incompatible with `SequenceNumberEquals`.
+        /// </summary>
+        SequenceNumberGreaterThan = 1 << 9,
+
         /// <summary>
         /// Indicates all validation actions must be invoked.
         /// </summary>
         All = ClientPrincipalIdentifier | Realm | TokenWindow | StartTime | EndTime | Replay | Pac | RenewTill
     }
-}
+}
diff --git a/Tests/Tests.Kerberos.NET/KrbApReq/ValidatorTests.cs b/Tests/Tests.Kerberos.NET/KrbApReq/ValidatorTests.cs
@@ -231,7 +231,7 @@ public void DecryptedKrbApReq_Validate_NotBefore()
             decrypted.Validate(ValidationActions.All);
         }
 
-        private static DecryptedKrbApRep CreateResponseMessage(DateTimeOffset ctime, int cusec, int sequence, KerberosKey sessionKey)
+        private static DecryptedKrbApRep CreateResponseMessage(DateTimeOffset ctime, int cusec, int? sequence, KerberosKey sessionKey)
         {
             var apRepPart = new KrbEncApRepPart
             {
@@ -384,5 +384,38 @@ public void DecryptedKrbApRep_Validate_CuSec()
 
             decrypted.Validate(ValidationActions.All);
         }
+
+        [TestMethod]
+        [DataRow(ValidationActions.SequenceNumberEquals, 123, 123, true)]
+        [DataRow(ValidationActions.SequenceNumberEquals, 123, 124, false)]
+        [DataRow(ValidationActions.SequenceNumberEquals, null, 123, false)]
+        [DataRow(ValidationActions.SequenceNumberEquals, 123, null, false)]
+        [DataRow(ValidationActions.SequenceNumberEquals, null, null, true)]
+        [DataRow(ValidationActions.SequenceNumberGreaterThan, 123, 124, true)]
+        [DataRow(ValidationActions.SequenceNumberGreaterThan, 123, 123, false)]
+        [DataRow(ValidationActions.SequenceNumberGreaterThan, null, 124, true)]
+        [DataRow(ValidationActions.SequenceNumberGreaterThan, 123, null, false)]
+        [DataRow(ValidationActions.SequenceNumberGreaterThan, null, null, false)]
+        public void DecryptedKrbApRep_Validate_SequenceNumber(ValidationActions validation, int? current, int? resp, bool expectedSuccess)
+        {
+            var now = DateTimeOffset.UtcNow;
+
+            var sessionKey = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96);
+
+            var decrypted = CreateResponseMessage(now, 111, resp, sessionKey.AsKey());
+
+            decrypted.SequenceNumber = current;
+            decrypted.CTime = now;
+            decrypted.CuSec = 111;
+
+            if (!expectedSuccess)
+            {
+                Assert.ThrowsException<KerberosValidationException>(() => decrypted.Validate(ValidationActions.All | validation));
+            }
+            else
+            {
+                decrypted.Validate(ValidationActions.All | validation);
+            }
+        }
     }
 }
