private static void disposeToken(SecurityBufferDesciption clientToken)
{
if (clientToken.pBuffers != IntPtr.Zero)
{
if (clientToken.cBuffers == 1)
{
var thisSecBuffer = (SecurityBuffer)Marshal.PtrToStructure(clientToken.pBuffers, typeof(SecurityBuffer));
disposeSecBuffer(thisSecBuffer);
}
else
{
for (int index = 0; index < clientToken.cBuffers; index++)
{
// The bits were written out the following order:
// int cbBuffer;
// int BufferType;
// pvBuffer;
// What we need to do here is to grab a hold of the pvBuffer allocate by the individual
// SecBuffer and release it...
int currentOffset = index * Marshal.SizeOf(typeof(Buffer));
var secBufferpvBuffer = Marshal.ReadIntPtr(clientToken.pBuffers,
currentOffset + Marshal.SizeOf(typeof(int)) + Marshal.SizeOf(typeof(int)));
Marshal.FreeHGlobal(secBufferpvBuffer);
}
}
Marshal.FreeHGlobal(clientToken.pBuffers);
clientToken.pBuffers = IntPtr.Zero;
}
}
/// <summary>
/// Acquire the intial client token to send
/// </summary>
/// <param name="hostname"></param>
/// <param name="authScheme"></param>
/// <param name="data"></param>
/// <returns></returns>
internal static byte[]? AcquireInitialSecurityToken(string hostname, string authScheme, InternalDataStore data)
{
byte[]? token;
// null for initial call
var serverToken = new SecurityBufferDesciption();
var clientToken = new SecurityBufferDesciption(MaximumTokenSize);
try
{
var state = new State();
int result = AcquireCredentialsHandle(
WindowsIdentity.GetCurrent().Name,
authScheme,
SecurityCredentialsOutbound,
IntPtr.Zero,
IntPtr.Zero,
0,
IntPtr.Zero,
ref state.Credentials,
ref NewLifeTime);
if (result != SuccessfulResult)
{
return(null);
}
result = InitializeSecurityContext(ref state.Credentials,
IntPtr.Zero,
hostname,
StandardContextAttributes,
0,
SecurityNativeDataRepresentation,
ref serverToken,
0,
out state.Context,
out clientToken,
out NewContextAttributes,
out NewLifeTime);
if (result != IntermediateResult)
{
return(null);
}
state.AuthState = State.WinAuthState.INITIAL_TOKEN;
token = clientToken.GetBytes();
data.Add(authStateKey, state);
}
finally
{
clientToken.Dispose();
serverToken.Dispose();
}
return(token);
}
/// <summary>
/// Try to acquire the server challenge for this state
/// </summary>
/// <param name="message"></param>
/// <returns></returns>
public bool TryAcquireServerChallenge(ref byte[] message)
{
SecurityBufferDesciption clientToken = new SecurityBufferDesciption(message);
SecurityBufferDesciption serverToken = new SecurityBufferDesciption(Common.MaximumTokenSize);
try
{
int result;
var lifetime = new SecurityInteger(0);
result = Interop.AcquireCredentialsHandle(
null,
"NTLM",
Common.SecurityCredentialsInbound,
IntPtr.Zero,
IntPtr.Zero,
0,
IntPtr.Zero,
ref this.Credentials,
ref lifetime);
if (result != Common.SuccessfulResult)
{
// Credentials acquire operation failed.
return(false);
}
uint contextAttributes;
result = Interop.AcceptSecurityContext(
ref this.Credentials, // [in] handle to the credentials
IntPtr.Zero, // [in/out] handle of partially formed context. Always NULL the first time through
ref clientToken, // [in] pointer to the input buffers
Common.StandardContextAttributes, // [in] required context attributes
Common.SecurityNativeDataRepresentation, // [in] data representation on the target
out this.Context, // [in/out] receives the new context handle
out serverToken, // [in/out] pointer to the output buffers
out contextAttributes, // [out] receives the context attributes
out lifetime); // [out] receives the life span of the security context
if (result != Common.IntermediateResult)
{
// Client challenge issue operation failed.
return(false);
}
}
finally
{
message = serverToken.GetBytes();
clientToken.Dispose();
serverToken.Dispose();
}
return(true);
}
/// <summary>
/// Validate the client response and fill the indentity of the token
/// </summary>
/// <param name="message"></param>
/// <returns></returns>
public bool IsClientResponseValid(byte[] message)
{
SecurityBufferDesciption clientToken = new SecurityBufferDesciption(message);
SecurityBufferDesciption serverToken = new SecurityBufferDesciption(Common.MaximumTokenSize);
IntPtr securityContextHandle = IntPtr.Zero;
try
{
int result;
uint contextAttributes;
var lifetime = new SecurityInteger(0);
result = Interop.AcceptSecurityContext(
ref this.Credentials, // [in] handle to the credentials
ref this.Context, // [in/out] handle of partially formed context. Always NULL the first time through
ref clientToken, // [in] pointer to the input buffers
Common.StandardContextAttributes, // [in] required context attributes
Common.SecurityNativeDataRepresentation, // [in] data representation on the target
out this.Context, // [in/out] receives the new context handle
out serverToken, // [in/out] pointer to the output buffers
out contextAttributes, // [out] receives the context attributes
out lifetime); // [out] receives the life span of the security context
if (result != Common.SuccessfulResult)
{
return(false);
}
if (Interop.QuerySecurityContextToken(ref this.Context, ref securityContextHandle) != 0)
{
return(false);
}
var identity = new WindowsIdentity(securityContextHandle);
if (identity == null)
{
return(false);
}
this.WindowsIdentity = identity;
}
finally
{
clientToken.Dispose();
serverToken.Dispose();
Interop.CloseHandle(securityContextHandle);
this.Credentials.Reset();
this.Context.Reset();
}
return(true);
}
private static extern int InitializeSecurityContext(ref SecurityHandle phCredential, // PCredHandle
ref SecurityHandle phContext, // PCtxtHandle
string pszTargetName,
int fContextReq,
int reserved1,
int targetDataRep,
ref SecurityBufferDesciption secBufferDesc, // PSecBufferDesc SecBufferDesc
int reserved2,
out SecurityHandle phNewContext, // PCtxtHandle
out SecurityBufferDesciption pOutput, // PSecBufferDesc SecBufferDesc
out uint pfContextAttr, // managed ulong == 64 bits!!!
out SecurityInteger ptsExpiry); // PTimeStamp
/// <summary>
/// Acquire the final token to send
/// </summary>
/// <param name="hostname"></param>
/// <param name="serverChallenge"></param>
/// <param name="requestId"></param>
/// <returns></returns>
internal static byte[] AcquireFinalSecurityToken(string hostname,
byte[] serverChallenge, Guid requestId)
{
byte[] token = null;
//user server challenge
SecurityBufferDesciption serverToken
= new SecurityBufferDesciption(serverChallenge);
SecurityBufferDesciption clientToken
= new SecurityBufferDesciption(MaximumTokenSize);
try
{
int result;
var state = authStates[requestId];
state.UpdatePresence();
result = InitializeSecurityContext(ref state.Credentials,
ref state.Context,
hostname,
StandardContextAttributes,
0,
SecurityNativeDataRepresentation,
ref serverToken,
0,
out state.Context,
out clientToken,
out NewContextAttributes,
out NewLifeTime);
if (result != SuccessfulResult)
{
// Client challenge issue operation failed.
return(null);
}
authStates.Remove(requestId);
token = clientToken.GetBytes();
}
finally
{
clientToken.Dispose();
serverToken.Dispose();
}
return(token);
}
/// <summary>
/// Acquire the final token to send
/// </summary>
/// <param name="hostname"></param>
/// <param name="serverChallenge"></param>
/// <param name="data"></param>
/// <returns></returns>
internal static byte[]? AcquireFinalSecurityToken(string hostname, byte[] serverChallenge, InternalDataStore data)
{
byte[]? token;
// user server challenge
var serverToken = new SecurityBufferDesciption(serverChallenge);
var clientToken = new SecurityBufferDesciption(MaximumTokenSize);
try
{
var state = data.GetAs <State>(authStateKey);
state.UpdatePresence();
int result = InitializeSecurityContext(ref state.Credentials,
ref state.Context,
hostname,
StandardContextAttributes,
0,
SecurityNativeDataRepresentation,
ref serverToken,
0,
out state.Context,
out clientToken,
out NewContextAttributes,
out NewLifeTime);
if (result != SuccessfulResult)
{
return(null);
}
state.AuthState = State.WinAuthState.FINAL_TOKEN;
token = clientToken.GetBytes();
}
finally
{
clientToken.Dispose();
serverToken.Dispose();
}
return(token);
}
/// <summary>
/// Acquire the intial client token to send
/// </summary>
/// <param name="hostname"></param>
/// <param name="authScheme"></param>
/// <param name="requestId"></param>
/// <returns></returns>
internal static byte[] AcquireInitialSecurityToken(string hostname, string authScheme, Guid requestId)
{
byte[] token;
//null for initial call
var serverToken = new SecurityBufferDesciption();
var clientToken = new SecurityBufferDesciption(MaximumTokenSize);
try
{
int result;
var state = new State();
result = AcquireCredentialsHandle(
WindowsIdentity.GetCurrent().Name,
authScheme,
SecurityCredentialsOutbound,
IntPtr.Zero,
IntPtr.Zero,
0,
IntPtr.Zero,
ref state.Credentials,
ref NewLifeTime);
if (result != SuccessfulResult)
{
// Credentials acquire operation failed.
return(null);
}
result = InitializeSecurityContext(ref state.Credentials,
IntPtr.Zero,
hostname,
StandardContextAttributes,
0,
SecurityNativeDataRepresentation,
ref serverToken,
0,
out state.Context,
out clientToken,
out NewContextAttributes,
out NewLifeTime);
if (result != IntermediateResult)
{
// Client challenge issue operation failed.
return(null);
}
token = clientToken.GetBytes();
authStates.Add(requestId, state);
}
finally
{
clientToken.Dispose();
serverToken.Dispose();
}
return(token);
}
