public virtual bool DeleteSecurityContext(ref GSSContext context)
{
if (context != null)
{
IGSSMechanism mechanism = context.Mechanism;
return(mechanism.DeleteSecurityContext(ref context.MechanismContext));
}
return(false);
}
public virtual object GetContextAttribute(GSSContext context, GSSAttributeName attributeName)
{
if (context == null)
{
return(null);
}
IGSSMechanism mechanism = context.Mechanism;
return(mechanism.GetContextAttribute(context.MechanismContext, attributeName));
}
/// <summary>
/// Helper method for legacy implementation.
/// </summary>
public virtual NTStatus NTLMAuthenticate(GSSContext context, AuthenticateMessage authenticateMessage)
{
if (context != null && ByteUtils.AreByteArraysEqual(context.Mechanism.Identifier, NTLMSSPIdentifier))
{
IGSSMechanism mechanism = context.Mechanism;
byte[] outputToken;
NTStatus result = mechanism.AcceptSecurityContext(ref context.MechanismContext, authenticateMessage.GetBytes(), out outputToken);
return(result);
}
else
{
return(NTStatus.SEC_E_SECPKG_NOT_FOUND);
}
}
/// <summary>
/// Helper method for legacy implementation.
/// </summary>
public virtual NTStatus GetNTLMChallengeMessage(out GSSContext context, NegotiateMessage negotiateMessage, out ChallengeMessage challengeMessage)
{
IGSSMechanism ntlmAuthenticationProvider = FindMechanism(NTLMSSPIdentifier);
if (ntlmAuthenticationProvider != null)
{
context = new GSSContext(ntlmAuthenticationProvider, null);
byte[] outputToken;
NTStatus result = ntlmAuthenticationProvider.AcceptSecurityContext(ref context.MechanismContext, negotiateMessage.GetBytes(), out outputToken);
challengeMessage = new ChallengeMessage(outputToken);
return(result);
}
else
{
context = null;
challengeMessage = null;
return(NTStatus.SEC_E_SECPKG_NOT_FOUND);
}
}
public virtual NTStatus AcceptSecurityContext(ref GSSContext context, byte[] inputToken, out byte[] outputToken)
{
outputToken = null;
SimpleProtectedNegotiationToken spnegoToken = null;
try
{
spnegoToken = SimpleProtectedNegotiationToken.ReadToken(inputToken, 0);
}
catch
{
}
if (spnegoToken != null)
{
if (spnegoToken is SimpleProtectedNegotiationTokenInit)
{
SimpleProtectedNegotiationTokenInit tokenInit = (SimpleProtectedNegotiationTokenInit)spnegoToken;
if (tokenInit.MechanismTypeList.Count == 0)
{
return(NTStatus.SEC_E_INVALID_TOKEN);
}
// RFC 4178: Note that in order to avoid an extra round trip, the first context establishment token
// of the initiator's preferred mechanism SHOULD be embedded in the initial negotiation message.
byte[] preferredMechanism = tokenInit.MechanismTypeList[0];
IGSSMechanism mechanism = FindMechanism(preferredMechanism);
bool isPreferredMechanism = (mechanism != null);
if (!isPreferredMechanism)
{
mechanism = FindMechanism(tokenInit.MechanismTypeList);
}
if (mechanism != null)
{
NTStatus status;
context = new GSSContext(mechanism, null);
if (isPreferredMechanism)
{
byte[] mechanismOutput;
status = mechanism.AcceptSecurityContext(ref context.MechanismContext, tokenInit.MechanismToken, out mechanismOutput);
outputToken = GetSPNEGOTokenResponseBytes(mechanismOutput, status, mechanism.Identifier);
}
else
{
status = NTStatus.SEC_I_CONTINUE_NEEDED;
outputToken = GetSPNEGOTokenResponseBytes(null, status, mechanism.Identifier);
}
return(status);
}
return(NTStatus.SEC_E_SECPKG_NOT_FOUND);
}
else // SimpleProtectedNegotiationTokenResponse
{
if (context == null)
{
return(NTStatus.SEC_E_INVALID_TOKEN);
}
IGSSMechanism mechanism = context.Mechanism;
SimpleProtectedNegotiationTokenResponse tokenResponse = (SimpleProtectedNegotiationTokenResponse)spnegoToken;
byte[] mechanismOutput;
NTStatus status = mechanism.AcceptSecurityContext(ref context.MechanismContext, tokenResponse.ResponseToken, out mechanismOutput);
outputToken = GetSPNEGOTokenResponseBytes(mechanismOutput, status, null);
return(status);
}
}
else
{
// [MS-SMB] The Windows GSS implementation supports raw Kerberos / NTLM messages in the SecurityBlob.
// [MS-SMB2] Windows [..] will also accept raw Kerberos messages and implicit NTLM messages as part of GSS authentication.
if (AuthenticationMessageUtils.IsSignatureValid(inputToken))
{
MessageTypeName messageType = AuthenticationMessageUtils.GetMessageType(inputToken);
IGSSMechanism ntlmAuthenticationProvider = FindMechanism(NTLMSSPIdentifier);
if (ntlmAuthenticationProvider != null)
{
if (messageType == MessageTypeName.Negotiate)
{
context = new GSSContext(ntlmAuthenticationProvider, null);
}
if (context == null)
{
return(NTStatus.SEC_E_INVALID_TOKEN);
}
NTStatus status = ntlmAuthenticationProvider.AcceptSecurityContext(ref context.MechanismContext, inputToken, out outputToken);
return(status);
}
else
{
return(NTStatus.SEC_E_SECPKG_NOT_FOUND);
}
}
}
return(NTStatus.SEC_E_INVALID_TOKEN);
}