internal unsafe static extern int AcquireCredentialsHandleW(
[In] string principal,
[In] string moduleName,
[In] int usage,
[In] void *logonID,
[In] ref SecureCredential authData,
[In] void *keyCallback,
[In] void *keyArgument,
ref SSPIHandle handlePtr,
[Out] out long timeStamp
);
internal unsafe static extern int AcceptSecurityContext(
ref SSPIHandle credentialHandle,
[In] void *inContextPtr,
[In] SecurityBufferDescriptor inputBuffer,
[In] ContextFlags inFlags,
[In] Endianness endianness,
ref SSPIHandle outContextPtr,
[In, Out] SecurityBufferDescriptor outputBuffer,
[In, Out] ref ContextFlags attributes,
out long timeStamp
);
internal static unsafe ProtocolIds FindNegotiatedProtocol(SSPIHandle context)
{
ContextApplicationProtocol protoInfo;
InteropSspi.QueryContextAttributesW(ref context, ContextAttribute.ApplicationProtocol, out protoInfo);
if (protoInfo.ProtoNegoStatus != ApplicationProtocolNegotiationStatus.Success)
{
throw new InvalidOperationException("Could not negotiate a mutal application protocol");
}
return(GetNegotiatedProtocol(protoInfo.ProtocolId, protoInfo.ProtocolIdSize));
}
internal unsafe static extern int InitializeSecurityContextW(
ref SSPIHandle credentialHandle,
[In] void *inContextPtr,
[In] byte *targetName,
[In] ContextFlags inFlags,
[In] int reservedI,
[In] Endianness endianness,
[In] SecurityBufferDescriptor inputBuffer,
[In] int reservedII,
ref SSPIHandle outContextPtr,
[In, Out] SecurityBufferDescriptor outputBuffer,
[In, Out] ref ContextFlags attributes,
out long timeStamp
);
internal static extern int QuerySecurityContextToken(
ref SSPIHandle phContext,
[Out] out SecurityContextTokenHandle handle);
internal static extern int FreeCredentialsHandle(
ref SSPIHandle handlePtr
);
internal static extern int EncryptMessage(
ref SSPIHandle contextHandle,
[In] uint qualityOfProtection,
[In, Out] SecurityBufferDescriptor inputOutput,
[In] uint sequenceNumber
);
internal static unsafe extern int DecryptMessage(
[In] ref SSPIHandle contextHandle,
[In, Out] SecurityBufferDescriptor inputOutput,
[In] uint sequenceNumber,
uint *qualityOfProtection
);
internal unsafe static extern int InitializeSecurityContextW(
ref SSPIHandle credentialHandle,
[In] void* inContextPtr,
[In] byte* targetName,
[In] ContextFlags inFlags,
[In] int reservedI,
[In] Endianness endianness,
[In] SecurityBufferDescriptor inputBuffer,
[In] int reservedII,
ref SSPIHandle outContextPtr,
[In, Out] SecurityBufferDescriptor outputBuffer,
[In, Out] ref ContextFlags attributes,
out long timeStamp
);
internal static extern int ApplyControlToken(ref SSPIHandle contextHandle, [In][Out] SecurityBufferDescriptor outputBuffer);
public byte[] ProcessContextMessage(ReadableBuffer messageBuffer)
{
if (messageBuffer.Length == 0)
{
return(null);
}
SecurityBufferDescriptor input = new SecurityBufferDescriptor(3);
SecurityBuffer * inputBuff = stackalloc SecurityBuffer[3];
void *arrayPointer;
if (messageBuffer.IsSingleSpan)
{
messageBuffer.First.TryGetPointer(out arrayPointer);
}
else
{
if (messageBuffer.Length > SecurityContext.MaxStackAllocSize)
{
throw new OverflowException($"We need to create a buffer on the stack of size {messageBuffer.Length} but the max is {SecurityContext.MaxStackAllocSize}");
}
byte *tempBytes = stackalloc byte[messageBuffer.Length];
messageBuffer.CopyTo(new Span <byte>(tempBytes, messageBuffer.Length));
arrayPointer = tempBytes;
}
inputBuff[0] = new SecurityBuffer()
{
tokenPointer = arrayPointer,
type = SecurityBufferType.Token,
size = messageBuffer.Length
};
inputBuff[1] = new SecurityBuffer()
{
size = 0,
tokenPointer = null,
type = SecurityBufferType.Empty
};
if (_securityContext.LengthOfSupportedProtocols > 0)
{
inputBuff[2].size = _securityContext.LengthOfSupportedProtocols;
inputBuff[2].tokenPointer = (void *)_securityContext.AlpnSupportedProtocols;
inputBuff[2].type = SecurityBufferType.ApplicationProtocols;
}
else
{
inputBuff[2].size = 0;
inputBuff[2].tokenPointer = null;
inputBuff[2].type = SecurityBufferType.Empty;
}
input.UnmanagedPointer = inputBuff;
SecurityBufferDescriptor output = new SecurityBufferDescriptor(3);
SecurityBuffer * outputBuff = stackalloc SecurityBuffer[3];
outputBuff[0].size = 0;
outputBuff[0].tokenPointer = null;
outputBuff[0].type = SecurityBufferType.Token;
outputBuff[1].size = 0;
outputBuff[1].tokenPointer = null;
outputBuff[1].type = SecurityBufferType.Alert;
outputBuff[2].size = 0;
outputBuff[2].tokenPointer = null;
outputBuff[2].type = SecurityBufferType.Empty;
output.UnmanagedPointer = outputBuff;
ContextFlags flags = default(ContextFlags);
long timestamp;
var handle = _securityContext.CredentialsHandle;
void * contextptr;
var localPointer = _contextPointer;
if (_contextPointer.handleHi == IntPtr.Zero && _contextPointer.handleLo == IntPtr.Zero)
{
contextptr = null;
}
else
{
contextptr = &localPointer;
}
var errorCode = (SecurityStatus)InteropSspi.AcceptSecurityContext(ref handle, contextptr, input, SecurityContext.ServerRequiredFlags, Endianness.Native, ref _contextPointer, output, ref flags, out timestamp);
_contextPointer = localPointer;
if (errorCode == SecurityStatus.ContinueNeeded || errorCode == SecurityStatus.OK)
{
byte[] outArray = null;
if (outputBuff[0].size > 0)
{
outArray = new byte[outputBuff[0].size];
Marshal.Copy((IntPtr)outputBuff[0].tokenPointer, outArray, 0, outputBuff[0].size);
InteropSspi.FreeContextBuffer((IntPtr)outputBuff[0].tokenPointer);
}
if (errorCode == SecurityStatus.OK)
{
ContextStreamSizes ss;
//We have a valid context so lets query it for info
InteropSspi.QueryContextAttributesW(ref _contextPointer, ContextAttribute.StreamSizes, out ss);
_headerSize = ss.header;
_trailerSize = ss.trailer;
if (_securityContext.LengthOfSupportedProtocols > 0)
{
_negotiatedProtocol = ApplicationProtocols.FindNegotiatedProtocol(_contextPointer);
}
_readyToSend = true;
}
return(outArray);
}
throw new InvalidOperationException($"We failed to build a server context {errorCode}");
}
internal static extern int EncryptMessage(
ref SSPIHandle contextHandle,
[In] uint qualityOfProtection,
[In, Out] SecurityBufferDescriptor inputOutput,
[In] uint sequenceNumber
);
internal unsafe static extern int AcceptSecurityContext(
ref SSPIHandle credentialHandle,
[In] void* inContextPtr,
[In] SecurityBufferDescriptor inputBuffer,
[In] ContextFlags inFlags,
[In] Endianness endianness,
ref SSPIHandle outContextPtr,
[In, Out] SecurityBufferDescriptor outputBuffer,
[In, Out] ref ContextFlags attributes,
out long timeStamp
);
internal unsafe static extern int QueryContextAttributesW(
ref SSPIHandle contextHandle,
[In] ContextAttribute attribute,
[In] void *buffer);
internal static extern int DeleteSecurityContext(
ref SSPIHandle handlePtr
);
internal static extern int FreeCredentialsHandle(
ref SSPIHandle handlePtr
);
internal static extern int QuerySecurityContextToken(
ref SSPIHandle phContext,
[Out] out SecurityContextTokenHandle handle);
internal static extern int DeleteSecurityContext(
ref SSPIHandle handlePtr
);
private static unsafe SecurityStatus DecryptMessage(void *buffer, ref int offset, ref int count, SSPIHandle context)
{
var securityBuff = stackalloc SecurityBuffer[4];
SecurityBufferDescriptor sdcInOut = new SecurityBufferDescriptor(4);
securityBuff[0].size = count;
securityBuff[0].tokenPointer = buffer;
securityBuff[0].type = SecurityBufferType.Data;
securityBuff[1].size = 0;
securityBuff[1].tokenPointer = null;
securityBuff[1].type = SecurityBufferType.Empty;
securityBuff[2].size = 0;
securityBuff[2].tokenPointer = null;
securityBuff[2].type = SecurityBufferType.Empty;
securityBuff[3].size = 0;
securityBuff[3].tokenPointer = null;
securityBuff[3].type = SecurityBufferType.Empty;
sdcInOut.UnmanagedPointer = securityBuff;
var errorCode = (SecurityStatus)InteropSspi.DecryptMessage(ref context, sdcInOut, 0, null);
if (errorCode == 0)
{
for (int i = 0; i < 4; i++)
{
if (securityBuff[i].type == SecurityBufferType.Data)
{
//we have found the data lets find the offset
offset = (int)((byte *)securityBuff[i].tokenPointer - (byte *)buffer);
if (offset > (count - 1))
{
throw new OverflowException();
}
count = securityBuff[i].size;
return(errorCode);
}
}
}
throw new InvalidOperationException($"There was an error ncrypting the data {errorCode}");
}
internal unsafe static extern int QueryContextAttributesW(
ref SSPIHandle contextHandle,
[In] ContextAttribute attribute,
[In] void* buffer);
internal static extern int ApplyControlToken(ref SSPIHandle contextHandle, [In] [Out] SecurityBufferDescriptor outputBuffer);
internal unsafe static extern int SetContextAttributesW(
ref SSPIHandle contextHandle,
[In] ContextAttribute attribute,
[In] byte[] buffer,
[In] int bufferSize);
internal unsafe static extern int SetContextAttributesW(
ref SSPIHandle contextHandle,
[In] ContextAttribute attribute,
[In] byte[] buffer,
[In] int bufferSize);
internal unsafe static extern int AcquireCredentialsHandleW(
[In] string principal,
[In] string moduleName,
[In] int usage,
[In] void* logonID,
[In] ref SecureCredential authData,
[In] void* keyCallback,
[In] void* keyArgument,
ref SSPIHandle handlePtr,
[Out] out long timeStamp
);
public byte[] ProcessContextMessage(ReadableBuffer messageBuffer)
{
GCHandle handleForAllocation = default(GCHandle);
try
{
SecurityBufferDescriptor output = new SecurityBufferDescriptor(2);
SecurityBuffer * outputBuff = stackalloc SecurityBuffer[2];
outputBuff[0].size = 0;
outputBuff[0].tokenPointer = null;
outputBuff[0].type = SecurityBufferType.Token;
outputBuff[1].type = SecurityBufferType.Alert;
outputBuff[1].size = 0;
outputBuff[1].tokenPointer = null;
output.UnmanagedPointer = outputBuff;
var handle = _securityContext.CredentialsHandle;
SSPIHandle localhandle = _contextPointer;
void * contextptr;
void * newContextptr;
if (_contextPointer.handleHi == IntPtr.Zero && _contextPointer.handleLo == IntPtr.Zero)
{
contextptr = null;
newContextptr = &localhandle;
}
else
{
contextptr = &localhandle;
newContextptr = null;
}
ContextFlags unusedAttributes = default(ContextFlags);
SecurityBufferDescriptor *pointerToDescriptor = null;
if (messageBuffer.Length > 0)
{
SecurityBufferDescriptor input = new SecurityBufferDescriptor(2);
SecurityBuffer * inputBuff = stackalloc SecurityBuffer[2];
inputBuff[0].size = messageBuffer.Length;
inputBuff[0].type = SecurityBufferType.Token;
if (messageBuffer.IsSingleSpan)
{
void *arrayPointer;
messageBuffer.First.TryGetPointer(out arrayPointer);
inputBuff[0].tokenPointer = arrayPointer;
}
else
{
if (messageBuffer.Length <= SecurityContext.MaxStackAllocSize)
{
byte * tempBuffer = stackalloc byte[messageBuffer.Length];
Span <byte> tmpSpan = new Span <byte>(tempBuffer, messageBuffer.Length);
messageBuffer.CopyTo(tmpSpan);
inputBuff[0].tokenPointer = tempBuffer;
}
else
{
//We have to allocate... sorry
byte[] tempBuffer = new byte[messageBuffer.Length];
Span <byte> tmpSpan = new Span <byte>(tempBuffer);
messageBuffer.CopyTo(tmpSpan);
handleForAllocation = GCHandle.Alloc(tempBuffer, GCHandleType.Pinned);
inputBuff[0].tokenPointer = (void *)handleForAllocation.AddrOfPinnedObject();
}
}
outputBuff[1].type = SecurityBufferType.Empty;
outputBuff[1].size = 0;
outputBuff[1].tokenPointer = null;
input.UnmanagedPointer = inputBuff;
pointerToDescriptor = &input;
}
else
{
if (_securityContext.LengthOfSupportedProtocols > 0)
{
SecurityBufferDescriptor input = new SecurityBufferDescriptor(1);
SecurityBuffer * inputBuff = stackalloc SecurityBuffer[1];
inputBuff[0].size = _securityContext.LengthOfSupportedProtocols;
inputBuff[0].tokenPointer = (void *)_securityContext.AlpnSupportedProtocols;
inputBuff[0].type = SecurityBufferType.ApplicationProtocols;
input.UnmanagedPointer = inputBuff;
pointerToDescriptor = &input;
}
}
long timestamp = 0;
SecurityStatus errorCode = (SecurityStatus)InteropSspi.InitializeSecurityContextW(ref handle, contextptr, _securityContext.HostName, SecurityContext.RequiredFlags | ContextFlags.InitManualCredValidation, 0, Endianness.Native, pointerToDescriptor, 0, newContextptr, output, ref unusedAttributes, out timestamp);
_contextPointer = localhandle;
if (errorCode == SecurityStatus.ContinueNeeded || errorCode == SecurityStatus.OK)
{
byte[] outArray = null;
if (outputBuff[0].size > 0)
{
outArray = new byte[outputBuff[0].size];
Marshal.Copy((IntPtr)outputBuff[0].tokenPointer, outArray, 0, outputBuff[0].size);
InteropSspi.FreeContextBuffer((IntPtr)outputBuff[0].tokenPointer);
}
if (errorCode == SecurityStatus.OK)
{
ContextStreamSizes ss;
//We have a valid context so lets query it for info
InteropSspi.QueryContextAttributesW(ref _contextPointer, ContextAttribute.StreamSizes, out ss);
_headerSize = ss.header;
_trailerSize = ss.trailer;
if (_securityContext.LengthOfSupportedProtocols > 0)
{
_negotiatedProtocol = ApplicationProtocols.FindNegotiatedProtocol(_contextPointer);
}
_readyToSend = true;
}
return(outArray);
}
throw new InvalidOperationException($"An error occured trying to negoiate a session {errorCode}");
}
finally
{
if (handleForAllocation.IsAllocated)
{
handleForAllocation.Free();
}
}
}
