Merge pull request #397 from dotnet/bugfix/ref-realm

[WIP] Flow client and target names and realms separately

Author: SteveSyfuhs

Kerberos.NET/Configuration/Krb5RealmConfig.cs

@@ -350,7 +350,7 @@ public class Krb5RealmConfig : Krb5ConfigObject
         /// Compatibility shims should be enforced by the KDC.
         /// </summary>
         [EnumAsInteger]
-        [DefaultValue(KerberosCompatibilityFlags.None)]
+        [DefaultValue(KerberosCompatibilityFlags.IsolateRealmsConsistently)]
         [DisplayName("compatibility_flags")]
         public KerberosCompatibilityFlags CompatibilityFlags { get; set; }
     }

Kerberos.NET/Crypto/DecryptedKrbApReq.cs

@@ -186,7 +186,7 @@ public override void Validate(ValidationActions validation)
 
             if (validation.HasFlag(ValidationActions.Realm))
             {
-                this.ValidateRealm(this.Ticket.CRealm, this.Authenticator.Realm);
+                this.ValidateRealm(this.Ticket.CRealm, this.Authenticator.CRealm);
             }
 
             var now = this.Now();

Kerberos.NET/Crypto/DecryptedKrbMessage.cs

@@ -5,6 +5,7 @@
 
 using System;
 using Kerberos.NET.Entities;
+using Kerberos.NET.Server;
 using static Kerberos.NET.Entities.KerberosConstants;
 
 namespace Kerberos.NET.Crypto
@@ -20,6 +21,8 @@ public Func<DateTimeOffset> Now
             set { this.nowFunc = value; }
         }
 
+        public KerberosCompatibilityFlags CompatibilityFlags { get; set; }
+
         public abstract void Validate(ValidationActions validation);
 
         public virtual void Decrypt(KeyTable keytab)

Kerberos.NET/Entities/Krb/KrbApReq.cs

@@ -56,7 +56,7 @@ out KrbAuthenticator authenticator
             authenticator = new KrbAuthenticator
             {
                 CName = tgsRep.CName,
-                Realm = tgsRep.CRealm
+                CRealm = tgsRep.CRealm
             };
 
             if (rst.AuthenticatorChecksum != null)

Kerberos.NET/Entities/Krb/KrbAsRep.cs

@@ -44,6 +44,11 @@ IRealmService realmService
                 rst.RealmName = realmService.Name;
             }
 
+            if (string.IsNullOrWhiteSpace(rst.ClientRealmName))
+            {
+                rst.ClientRealmName = realmService.Name;
+            }
+
             KrbPrincipalName krbtgtName = KrbPrincipalName.WellKnown.Krbtgt(rst.RealmName);
 
             if (rst.ServicePrincipal == null)

Kerberos.NET/Entities/Krb/KrbAuthenticator.cs

@@ -1,8 +1,10 @@
-// -----------------------------------------------------------------------
+// -----------------------------------------------------------------------
 // Licensed to The .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 // -----------------------------------------------------------------------
 
+using System;
+
 namespace Kerberos.NET.Entities
 {
     public partial class KrbAuthenticator
@@ -11,5 +13,8 @@ public KrbAuthenticator()
         {
             this.AuthenticatorVersionNumber = 5;
         }
+
+        [Obsolete("Use to property named to match the spec `CRealm`.")]
+        public string Realm { get => this.CRealm; set => this.CRealm = value; }
     }
-}
+}

Kerberos.NET/Entities/Krb/KrbAuthenticator.generated.cs

@@ -33,7 +33,7 @@ public partial class KrbAuthenticator
 
         public int AuthenticatorVersionNumber { get; set; }
 
-        public string Realm { get; set; }
+        public string CRealm { get; set; }
 
         public KrbPrincipalName CName { get; set; }
 
@@ -63,7 +63,7 @@ internal void Encode(AsnWriter writer, Asn1Tag tag)
             writer.WriteInteger(AuthenticatorVersionNumber);
             writer.PopSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
             writer.PushSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
-            writer.WriteCharacterString(UniversalTagNumber.GeneralString, Realm);
+            writer.WriteCharacterString(UniversalTagNumber.GeneralString, CRealm);
             writer.PopSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
             writer.PushSequence(new Asn1Tag(TagClass.ContextSpecific, 2));
             CName?.Encode(writer);
@@ -223,7 +223,7 @@ internal static void Decode<T>(AsnReader reader, Asn1Tag expectedTag, out T deco
             explicitReader.ThrowIfNotEmpty();
 
             explicitReader = sequenceReader.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 1));
-            decoded.Realm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
+            decoded.CRealm = explicitReader.ReadCharacterString(UniversalTagNumber.GeneralString);
 
             explicitReader.ThrowIfNotEmpty();
 

Kerberos.NET/Entities/Krb/KrbAuthenticator.xml

@@ -18,7 +18,7 @@
           }-->
 
   <asn:Integer name="AuthenticatorVersionNumber" explicitTag="0" backingType="int" />
-  <asn:GeneralString name="Realm" explicitTag="1" />
+  <asn:GeneralString name="CRealm" explicitTag="1" />
   <asn:AsnType name="CName" typeName="KrbPrincipalName" explicitTag="2" />
   <asn:AsnType name="Checksum" typeName="KrbChecksum" explicitTag="3" optional="true" />
   <asn:Integer name="CuSec" explicitTag="4" backingType="int" />

Kerberos.NET/Entities/Krb/KrbKdcRep.cs

@@ -26,7 +26,7 @@ public static KrbCred GenerateWrappedServiceTicket(
             ServiceTicketRequest request,
             KrbEncryptionKey sessionKey = null,
             IEnumerable<KrbAuthorizationData> authz = null
-            )
+        )
         {
             GenerateServiceTicket<KrbTgsRep>(
                 request,
@@ -46,8 +46,7 @@ public static T GenerateServiceTicket<T>(
             ServiceTicketRequest request,
             KrbEncryptionKey encryptionKey = null,
             IEnumerable<KrbAuthorizationData> authz = null
-            )
-            where T : KrbKdcRep, new()
+        ) where T : KrbKdcRep, new()
         {
             if (request.EncryptedPartKey == null)
             {
@@ -67,8 +66,14 @@ out MessageType messageType
 
             var rep = new T
             {
-                CName = encTicketPart.CName,
-                CRealm = request.RealmName,
+                CName = request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ?
+                            KrbPrincipalName.FromPrincipal(request.Principal) ?? encTicketPart.CName :
+                            encTicketPart.CName,
+
+                CRealm = request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ?
+                            request.ClientRealmName :
+                            request.RealmName,
+
                 MessageType = messageType,
                 Ticket = ticket,
                 EncPart = KrbEncryptedData.Encrypt(
@@ -91,8 +96,7 @@ private static ServiceTicketRequest GenerateServiceTicket<T>(
             out KrbEncKdcRepPart encKdcRepPart,
             out KeyUsage keyUsage,
             out MessageType messageType
-        )
-            where T : KrbKdcRep, new()
+        ) where T : KrbKdcRep, new()
         {
             if (request.Principal == null)
             {
@@ -112,17 +116,12 @@ out MessageType messageType
             if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.NormalizeRealmsUppercase))
             {
                 request.RealmName = request.RealmName?.ToUpperInvariant();
+                request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");
             }
 
-            if (authz == null)
-            {
-                authz = GenerateAuthorizationData(request);
-            }
+            authz ??= GenerateAuthorizationData(request);
 
-            if (sessionKey == null)
-            {
-                sessionKey = KrbEncryptionKey.Generate(request.PreferredClientEType ?? request.ServicePrincipalKey.EncryptionType);
-            }
+            sessionKey ??= KrbEncryptionKey.Generate(request.PreferredClientEType ?? request.ServicePrincipalKey.EncryptionType);
 
             encTicketPart = CreateEncTicketPart(request, authz.ToArray(), sessionKey);
             bool appendRealm = false;
@@ -146,6 +145,7 @@ out MessageType messageType
                     KeyUsage.Ticket
                 )
             };
+
             if (typeof(T) == typeof(KrbAsRep))
             {
                 encKdcRepPart = new KrbEncAsRepPart();
@@ -186,13 +186,15 @@ out MessageType messageType
                     }
                 }
             };
+
             return request;
         }
 
         private static KrbEncTicketPart CreateEncTicketPart(
             ServiceTicketRequest request,
             KrbAuthorizationData[] authorizationDatas,
-            KrbEncryptionKey sessionKey)
+            KrbEncryptionKey sessionKey
+        )
         {
             var cname = CreateCNameForTicket(request);
 
@@ -205,19 +207,16 @@ private static KrbEncTicketPart CreateEncTicketPart(
 
             var addresses = request.Addresses;
 
-            if (addresses == null)
-            {
-                addresses = Array.Empty<KrbHostAddress>();
-            }
+            addresses ??= Array.Empty<KrbHostAddress>();
 
             var encTicketPart = new KrbEncTicketPart()
             {
                 CName = cname,
+                CRealm = request.ClientRealmName,
                 Key = sessionKey,
                 AuthTime = request.Now,
                 StartTime = request.StartTime,
                 EndTime = request.EndTime,
-                CRealm = request.RealmName,
                 Flags = flags,
                 AuthorizationData = authorizationDatas,
                 CAddr = addresses.ToArray(),
@@ -238,7 +237,12 @@ private static KrbPrincipalName CreateCNameForTicket(ServiceTicketRequest reques
         {
             if (string.IsNullOrEmpty(request.SamAccountName))
             {
-                return KrbPrincipalName.FromPrincipal(request.Principal, realm: request.RealmName);
+                return KrbPrincipalName.FromPrincipal(
+                    request.Principal,
+                    realm: request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ?
+                        request.ClientRealmName :
+                        request.RealmName
+                );
             }
 
             return new KrbPrincipalName

Kerberos.NET/Entities/Krb/KrbTgsReq.cs

@@ -207,7 +207,7 @@ private static KrbApReq CreateApReq(KrbKdcRep kdcRep, KrbEncryptionKey tgtSessio
             var authenticator = new KrbAuthenticator
             {
                 CName = kdcRep.CName,
-                Realm = kdcRep.CRealm,
+                CRealm = kdcRep.CRealm,
                 SequenceNumber = GetNonce(),
                 Checksum = checksum
             };