[BUG] change token for validation in .net8 #549

Conversation

korovindenis

Description:

This PR addresses an issue related to the validation of the spnegoNegTokenRespKRBAcceptCompleted value. Specifically, the current value causes problems in .NET8 validation as described in dotnet/runtime#105574.

Changes Made:

  • Updated the constant spnegoNegTokenRespKRBAcceptCompleted.
    The new value was obtained from RFC 4559.

Verification:

  • The changes have been tested in an environment running .NET8 and .NET6, and the validation issue has been resolved.

Attachments:

example-net.zip
The archive contains two utilities compiled for .NET6 and .NET8
These utilities can be used to verify changes across environments with .NET 6 and .NET 8 to ensure that the validation issue has been resolved.
The source code for these utilities is available at dotnet/runtime#105574.

net.exe http://example.com/api

Thank you for considering this fix. Please let me know if any other information is required or if there are any additional changes needed.

@filipnavara

I'm not sure this is the right fix. In fact, the values in RFC 4559 all seem odd, they are hex-encoded instead of base64-encoded and they are not valid ASN.1 payload (online decoder at https://asn1js.eu/).

The value oRQwEqADCgEAoQsGCSqGSIb3EgECAg== is syntactically valid payload:

[1] @0+20 (constructed): (1 elem)
  SEQUENCE @2+18 (constructed): (2 elem)
    [0] @4+3 (constructed): (1 elem)
      ENUMERATED @6+1: 0
    [1] @9+11 (constructed): (1 elem)
      OBJECT_IDENTIFIER @11+9: 1.2.840.113554.1.2.2

It says that the state is 0 (Accept Completed) and that the negotiated protocol is Kerberos (OID 1.2.840.113554.1.2.2).

That doesn't necessarily mean it's semantically valid though. There's more than one Kerberos OID and depending on what the client sends and the server accepts it has to be properly mirrored. Also, newer versions of SPNEGO require the message integrity check as part of the message in some cases to block downgrade attacks (modifying the first packet to offer different set of negotiated protocols and thus downgrading the security).
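The decoder output and the mirroring/MIC caveats above translate into a few lines of DER handling. The following is an added example, not code from this PR or from the repository under review: it parses the quoted token into its NegTokenResp fields (negState, supportedMech, responseToken, mechListMIC), rebuilds the same bytes from those fields, and applies the two client-side checks the comment describes. The second Kerberos OID (1.2.840.48018.1.2.2) and the NTLM OID used in the checks are added for illustration, and the mechListMIC rule is a simplified reading of RFC 4178 (a non-preferred mechanism accepted as complete without a MIC is treated as a downgrade), so adapt it before relying on it.

```python
import base64

# Constructed sample input: the NegTokenResp quoted in the discussion above.
SAMPLE_TOKEN_B64 = "oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="
SAMPLE_TOKEN = base64.b64decode(SAMPLE_TOKEN_B64)

KRB5_OID = "1.2.840.113554.1.2.2"     # Kerberos V5 (RFC 1964), as decoded above
MS_KRB5_OID = "1.2.840.48018.1.2.2"   # assumption: Microsoft Kerberos variant, for the examples
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"   # assumption: NTLMSSP, for the examples
NEG_STATE_NAMES = {0: "accept-completed", 1: "accept-incomplete",
                   2: "reject", 3: "request-mic"}


def read_tlv(buf, pos=0):
    """Read one DER TLV (single-byte tag, short or long length form) at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def encode_tlv(tag, value):
    """Encode a DER TLV using the minimal length encoding."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    len_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 sub-identifiers)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    """Dotted OID string -> OBJECT IDENTIFIER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def parse_neg_token_resp(token):
    """Parse [1] SEQUENCE { [0] negState, [1] supportedMech, [2] responseToken,
    [3] mechListMIC } into a dict; anything else raises."""
    tag, body, end = read_tlv(token)
    if tag != 0xA1 or end != len(token):
        raise ValueError("not a NegTokenResp (expected a [1] wrapper)")
    tag, seq, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("NegTokenResp body is not a SEQUENCE")
    fields = {"neg_state": None, "supported_mech": None,
              "response_token": None, "mech_list_mic": None}
    pos = 0
    while pos < len(seq):
        ctx_tag, inner, pos = read_tlv(seq, pos)
        itag, ival, _ = read_tlv(inner)
        if ctx_tag == 0xA0 and itag == 0x0A:      # [0] ENUMERATED negState
            fields["neg_state"] = int.from_bytes(ival, "big")
        elif ctx_tag == 0xA1 and itag == 0x06:    # [1] OBJECT IDENTIFIER supportedMech
            fields["supported_mech"] = decode_oid(ival)
        elif ctx_tag == 0xA2 and itag == 0x04:    # [2] OCTET STRING responseToken
            fields["response_token"] = ival
        elif ctx_tag == 0xA3 and itag == 0x04:    # [3] OCTET STRING mechListMIC
            fields["mech_list_mic"] = ival
        else:
            raise ValueError("unexpected NegTokenResp field 0x%02x" % ctx_tag)
    return fields


def build_neg_token_resp(neg_state, supported_mech=None, response_token=None, mech_list_mic=None):
    """Build a DER NegTokenResp; optional fields are omitted when None."""
    parts = encode_tlv(0xA0, encode_tlv(0x0A, bytes([neg_state])))
    if supported_mech is not None:
        parts += encode_tlv(0xA1, encode_tlv(0x06, encode_oid(supported_mech)))
    if response_token is not None:
        parts += encode_tlv(0xA2, encode_tlv(0x04, response_token))
    if mech_list_mic is not None:
        parts += encode_tlv(0xA3, encode_tlv(0x04, mech_list_mic))
    return encode_tlv(0xA1, encode_tlv(0x30, parts))


def check_server_response(token_b64, client_offered_mechs):
    """Client-side semantic checks a fixed constant cannot satisfy by itself.
    Returns a list of problems; empty means the response is acceptable."""
    f = parse_neg_token_resp(base64.b64decode(token_b64))
    problems, mech = [], f["supported_mech"]
    if f["neg_state"] not in NEG_STATE_NAMES:
        problems.append("unknown negState %r" % f["neg_state"])
    if mech is not None and mech not in client_offered_mechs:
        problems.append("server chose %s, which the client never offered" % mech)
    elif (mech is not None and client_offered_mechs and mech != client_offered_mechs[0]
          and f["neg_state"] == 0 and f["mech_list_mic"] is None):
        # simplified RFC 4178 rule: a non-preferred mechanism completed without a
        # mechListMIC cannot be distinguished from a tampered mechTypes list
        problems.append("non-preferred mechanism %s completed without mechListMIC" % mech)
    return problems


if __name__ == "__main__":
    print(parse_neg_token_resp(SAMPLE_TOKEN))
    print(check_server_response(SAMPLE_TOKEN_B64, [MS_KRB5_OID, KRB5_OID]))
```

Running the module prints the parsed sample (negState 0, supportedMech 1.2.840.113554.1.2.2, no responseToken or mechListMIC) and then flags the same token as a problem when the client's preferred mechanism was the other Kerberos OID, which is the mirroring point made above: the bytes are well-formed DER either way, so validity depends on what the client sent.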
