/// <summary>
/// Native unwrap shim (the P/Invoke attribute is not part of this listing). Processes one
/// GSS-API wrapped message taken from <paramref name="inputBytes"/> starting at
/// <paramref name="offset"/> for <paramref name="count"/> bytes. Presumably maps onto
/// gss_unwrap in the native shim — confirm against the shim source.
/// </summary>
/// <param name="minorStatus">Mechanism-specific status set by the native call.</param>
/// <param name="contextHandle">Established security context the message belongs to.</param>
/// <param name="inputBytes">Whole array; the slice is selected by <paramref name="offset"/>/<paramref name="count"/>.</param>
/// <param name="offset">Start of the slice. Nothing here validates it — the managed wrapper must ensure offset + count &lt;= inputBytes.Length before calling.</param>
/// <param name="count">Length of the slice handed to native code.</param>
/// <param name="outBuffer">Receives native-allocated output; the caller must Dispose it (see the Display*Status wrappers in this file for the pattern).</param>
/// <returns>Major status; anything but GSS_S_COMPLETE means the message was not accepted.</returns>
private static extern Status Unwrap(
     out Status minorStatus,
     SafeGssContextHandle contextHandle,
     byte[] inputBytes,
     int offset,
     int count,
     ref GssBuffer outBuffer);
 /// <summary>
 /// Span-taking convenience overload of InitSecContext: forwards to the ref-byte overload
 /// with a reference to the first byte of <paramref name="inputBytes"/> and its length.
 /// </summary>
 /// <param name="cbt">Pointer to channel-binding data (or IntPtr.Zero) of <paramref name="cbtSize"/> bytes; passed through untouched.</param>
 /// <param name="inputBytes">Token received from the acceptor; empty on the first leg.</param>
 /// <param name="token">Receives the native-allocated output token; caller disposes.</param>
 /// <param name="isNtlmUsed">Set by the native side to report whether NTLM was negotiated.</param>
 /// <returns>Major status of the native call.</returns>
 internal static Status InitSecContext(
     out Status minorStatus,
     SafeGssCredHandle initiatorCredHandle,
     ref SafeGssContextHandle contextHandle,
     bool isNtlmOnly,
     IntPtr cbt,
     int cbtSize,
     SafeGssNameHandle? targetName,
     uint reqFlags,
     ReadOnlySpan<byte> inputBytes,
     ref GssBuffer token,
     out uint retFlags,
     out bool isNtlmUsed)
 {
     // A managed ref to element 0 plus the length is what the ref-byte overload expects.
     // For a default/empty span the reference may be null; the length of 0 that goes
     // with it is what the callee has to honour.
     ref byte firstByte = ref MemoryMarshal.GetReference(inputBytes);
     int inputLength = inputBytes.Length;

     Status major = InitSecContext(
         out minorStatus,
         initiatorCredHandle,
         ref contextHandle,
         isNtlmOnly,
         cbt,
         cbtSize,
         targetName,
         reqFlags,
         ref firstByte,
         inputLength,
         ref token,
         out retFlags,
         out isNtlmUsed);

     return major;
 }
 /// <summary>
 /// Source-generated native wrap shim (the LibraryImport attribute is outside this listing).
 /// Wraps <paramref name="count"/> bytes starting at <paramref name="inputBytes"/>,
 /// with confidentiality when <paramref name="isEncrypt"/> is set; otherwise integrity only.
 /// </summary>
 /// <param name="isEncrypt">Explicitly marshalled as a 4-byte BOOL so the managed and native widths agree.</param>
 /// <param name="inputBytes">Raw pointer; the managed caller pins the data (see WrapBuffer) and owns bounds checking.</param>
 /// <param name="outBuffer">Receives native-allocated output; the caller must Dispose it.</param>
 private static unsafe partial Status Wrap(
     out Status minorStatus,
     SafeGssContextHandle?contextHandle,
     [MarshalAs(UnmanagedType.Bool)] bool isEncrypt,
     byte *inputBytes,
     int count,
     ref GssBuffer outBuffer);
 /// <summary>
 /// Native acceptor-side context step (P/Invoke attribute not shown). Consumes the
 /// initiator's token in <paramref name="inputBytes"/> (first <paramref name="inputLength"/>
 /// bytes) and produces the reply token in <paramref name="token"/>.
 /// </summary>
 /// <param name="acceptContextHandle">Created on the first call and updated on subsequent ones.</param>
 /// <param name="retFlags">Negotiated context flags as reported by the native side.</param>
 /// <returns>Major status; GSS_S_CONTINUE_NEEDED means another round trip is required.</returns>
 internal static extern Status AcceptSecContext(
     out Status minorStatus,
     ref SafeGssContextHandle acceptContextHandle,
     byte[] inputBytes,
     int inputLength,
     ref GssBuffer token,
     out uint retFlags);
 /// <summary>
 /// Source-generated native wrap shim (attribute outside this listing). Wraps
 /// <paramref name="count"/> bytes at <paramref name="inputBytes"/>, encrypting when
 /// <paramref name="isEncrypt"/> is set.
 /// </summary>
 /// <remarks>
 /// NOTE(review): the other Wrap declaration in this listing annotates isEncrypt with
 /// [MarshalAs(UnmanagedType.Bool)]; here it is a bare bool. For a source-generated
 /// (LibraryImport) signature the unmanaged width of bool should be stated explicitly so
 /// it cannot drift from what the native shim reads — confirm which one the shim expects.
 /// </remarks>
 private static unsafe partial Status Wrap(
     out Status minorStatus,
     SafeGssContextHandle?contextHandle,
     bool isEncrypt,
     byte *inputBytes,
     int count,
     ref GssBuffer outBuffer);
 /// <summary>
 /// Stub used where no native GSS-API shim is available: always throws.
 /// </summary>
 /// <exception cref="NotSupportedException">Always.</exception>
 /// <remarks>
 /// NOTE(review): the neighbouring AcceptSecContext stub throws PlatformNotSupportedException
 /// (a subclass of NotSupportedException); the two could be aligned.
 /// </remarks>
 static Status Unwrap(
     out Status minorStatus, SafeGssContextHandle contextHandle,
     byte[] inputBytes, int offset, int count, ref GssBuffer outBuffer)
 {
     // Nothing to compute; the out parameter is never assigned because we never return.
     throw new NotSupportedException();
 }
 /// <summary>
 /// Stub used where no native GSS-API shim is available: always throws.
 /// </summary>
 /// <exception cref="PlatformNotSupportedException">Always.</exception>
 internal static Status AcceptSecContext(
     out Status minorStatus, ref SafeGssContextHandle acceptContextHandle,
     byte[] inputBytes, int inputLength, ref GssBuffer token, out uint retFlags)
 {
     // No acceptor-side implementation on this platform.
     throw new PlatformNotSupportedException();
 }
 /// <summary>
 /// Native wrap shim (P/Invoke attribute not shown). Wraps the slice of
 /// <paramref name="inputBytes"/> at <paramref name="offset"/> for <paramref name="count"/>
 /// bytes, encrypting when <paramref name="isEncrypt"/> is set.
 /// </summary>
 /// <param name="isEncrypt">Bare bool: with DllImport this is marshalled as a 4-byte BOOL by default — the native shim must read it as such.</param>
 /// <param name="offset">Not validated here; the managed wrapper must guarantee offset + count &lt;= inputBytes.Length.</param>
 /// <param name="outBuffer">Receives native-allocated output; the caller must Dispose it.</param>
 private static extern Status Wrap(
     out Status minorStatus,
     SafeGssContextHandle?contextHandle,
     bool isEncrypt,
     byte[] inputBytes,
     int offset,
     int count,
     ref GssBuffer outBuffer);
 /// <summary>
 /// Stub used where no native GSS-API shim is available: always throws.
 /// </summary>
 /// <exception cref="NotSupportedException">Always.</exception>
 internal static Status WrapBuffer(
     out Status minorStatus, SafeGssContextHandle contextHandle, bool isEncrypt,
     byte[] inputBytes, int offset, int count, ref GssBuffer outBuffer)
 {
     // Wrapping is unavailable on this platform.
     throw new NotSupportedException();
 }
 /// <summary>
 /// Source-generated native acceptor-side context step (attribute outside this listing).
 /// Takes the initiator's token as a reference to its first byte plus
 /// <paramref name="inputLength"/>; this is the overload the span/array wrappers forward to.
 /// </summary>
 /// <param name="acceptorCredHandle">Server credential (typically keytab-backed) used to accept the context.</param>
 /// <param name="isNtlmUsed">Marshalled as a 4-byte BOOL; reports whether NTLM was negotiated.</param>
 /// <param name="token">Receives the native-allocated reply token; caller disposes.</param>
 private static partial Status AcceptSecContext(
     out Status minorStatus,
     SafeGssCredHandle acceptorCredHandle,
     ref SafeGssContextHandle acceptContextHandle,
     ref byte inputBytes,
     int inputLength,
     ref GssBuffer token,
     out uint retFlags,
     [MarshalAs(UnmanagedType.Bool)] out bool isNtlmUsed);
 /// <summary>
 /// Array-taking acceptor-side context step; the generated body is outside this listing.
 /// <paramref name="inputBytes"/> may be null on a first call with no token, in which case
 /// <paramref name="inputLength"/> is expected to be 0.
 /// </summary>
 /// <param name="inputLength">Number of bytes of <paramref name="inputBytes"/> to consume; nothing here checks it against the array length.</param>
 /// <param name="token">Receives the native-allocated reply token; caller disposes.</param>
 internal static partial Status AcceptSecContext(
     out Status minorStatus,
     SafeGssCredHandle acceptorCredHandle,
     ref SafeGssContextHandle acceptContextHandle,
     byte[]?inputBytes,
     int inputLength,
     ref GssBuffer token,
     out uint retFlags,
     out bool isNtlmUsed);
 /// <summary>
 /// Computes a message integrity code over <paramref name="inputBytes"/> by pinning the
 /// span and forwarding to the pointer-taking GetMic overload.
 /// </summary>
 /// <param name="inputBytes">Data to protect; an empty span pins to a null pointer with length 0.</param>
 /// <param name="outBuffer">Receives the native-allocated MIC; the caller must Dispose it.</param>
 /// <returns>Major status of the native call.</returns>
 internal static unsafe Status GetMic(
     out Status minorStatus,
     SafeGssContextHandle? contextHandle,
     ReadOnlySpan<byte> inputBytes,
     ref GssBuffer outBuffer)
 {
     int length = inputBytes.Length;

     // Pin for the duration of the native call only; the span is not retained.
     fixed (byte* pinned = inputBytes)
     {
         Status major = GetMic(out minorStatus, contextHandle, pinned, length, ref outBuffer);
         return major;
     }
 }
 /// <summary>
 /// Native initiator-side context step (P/Invoke attribute not shown). Consumes the
 /// acceptor's token (first <paramref name="inputLength"/> bytes of <paramref name="inputBytes"/>)
 /// and produces the next token in <paramref name="token"/>.
 /// </summary>
 /// <param name="isNtlm">Bare bool: marshalled as a 4-byte BOOL by DllImport default — the shim must agree.</param>
 /// <param name="targetName">Imported service name the context is being established with.</param>
 /// <param name="reqFlags">Requested context flags; <paramref name="retFlags"/> reports what was actually granted and should be checked by the caller.</param>
 internal static extern Status InitSecContext(
     out Status minorStatus,
     SafeGssCredHandle initiatorCredHandle,
     ref SafeGssContextHandle contextHandle,
     bool isNtlm,
     SafeGssNameHandle targetName,
     uint reqFlags,
     byte[] inputBytes,
     int inputLength,
     ref GssBuffer token,
     out uint retFlags);
 /// <summary>
 /// Native initiator-side context step (P/Invoke attribute not shown); this declaration
 /// is identical to the one immediately above it in this listing.
 /// </summary>
 /// <param name="isNtlm">Bare bool: marshalled as a 4-byte BOOL by DllImport default — the shim must agree.</param>
 /// <param name="token">Receives the native-allocated output token; caller disposes.</param>
 /// <param name="retFlags">Flags actually granted; callers relying on integrity/confidentiality should verify them here rather than trusting <paramref name="reqFlags"/>.</param>
 internal static extern Status InitSecContext(
     out Status minorStatus,
     SafeGssCredHandle initiatorCredHandle,
     ref SafeGssContextHandle contextHandle,
     bool isNtlm,
     SafeGssNameHandle targetName,
     uint reqFlags,
     byte[] inputBytes,
     int inputLength,
     ref GssBuffer token,
     out uint retFlags);
 /// <summary>
 /// Wraps <paramref name="inputBytes"/> (encrypting when <paramref name="isEncrypt"/> is set)
 /// by pinning the span and forwarding to the pointer-taking Wrap overload.
 /// </summary>
 /// <param name="inputBytes">Plaintext to protect; an empty span pins to a null pointer with length 0.</param>
 /// <param name="outBuffer">Receives the native-allocated wrapped message; the caller must Dispose it.</param>
 /// <returns>Major status of the native call.</returns>
 internal static unsafe Status WrapBuffer(
     out Status minorStatus,
     SafeGssContextHandle? contextHandle,
     bool isEncrypt,
     ReadOnlySpan<byte> inputBytes,
     ref GssBuffer outBuffer)
 {
     int length = inputBytes.Length;

     // Pinned only for the native call; nothing keeps the pointer afterwards.
     fixed (byte* pinned = inputBytes)
     {
         Status major = Wrap(out minorStatus, contextHandle, isEncrypt, pinned, length, ref outBuffer);
         return major;
     }
 }
 /// <summary>
 /// Source-generated native initiator-side context step (attribute outside this listing).
 /// Takes the acceptor's token as a reference to its first byte plus
 /// <paramref name="inputLength"/>; the array/span wrappers forward here.
 /// </summary>
 /// <param name="isNtlmOnly">Marshalled explicitly as a 4-byte BOOL.</param>
 /// <param name="targetName">May be null; what the native side does then is not visible here.</param>
 /// <param name="isNtlmUsed">Marshalled as a 4-byte BOOL; reports whether NTLM was negotiated.</param>
 private static partial Status InitSecContext(
     out Status minorStatus,
     SafeGssCredHandle initiatorCredHandle,
     ref SafeGssContextHandle contextHandle,
     [MarshalAs(UnmanagedType.Bool)] bool isNtlmOnly,
     SafeGssNameHandle?targetName,
     uint reqFlags,
     ref byte inputBytes,
     int inputLength,
     ref GssBuffer token,
     out uint retFlags,
     [MarshalAs(UnmanagedType.Bool)] out bool isNtlmUsed);
 /// <summary>
 /// Stub used where no native GSS-API shim is available: always throws.
 /// </summary>
 /// <param name="isNtlmUsed">Declared as int here, unlike the bool used by the other overloads in this listing; kept as-is for signature compatibility.</param>
 /// <exception cref="NotSupportedException">Always.</exception>
 internal static Status InitSecContext(
     out Status minorStatus, SafeGssCredHandle initiatorCredHandle,
     ref SafeGssContextHandle contextHandle, bool isNtlmOnly,
     SafeGssNameHandle targetName, uint reqFlags,
     byte[] inputBytes, int inputLength, ref GssBuffer token,
     out uint retFlags, out int isNtlmUsed)
 {
     // No initiator-side implementation on this platform.
     throw new NotSupportedException();
 }
 /// <summary>
 /// Array-taking initiator-side context step; the generated body is outside this listing.
 /// <paramref name="inputBytes"/> may be null on the first leg (no token yet).
 /// </summary>
 /// <param name="inputLength">Bytes of <paramref name="inputBytes"/> to consume; not checked against the array length here.</param>
 /// <param name="retFlags">Flags actually granted by the mechanism; callers should verify the ones they depend on.</param>
 /// <param name="isNtlmUsed">Reports whether NTLM rather than Kerberos was negotiated.</param>
 internal static partial Status InitSecContext(
     out Status minorStatus,
     SafeGssCredHandle initiatorCredHandle,
     ref SafeGssContextHandle contextHandle,
     bool isNtlmOnly,
     SafeGssNameHandle?targetName,
     uint reqFlags,
     byte[]?inputBytes,
     int inputLength,
     ref GssBuffer token,
     out uint retFlags,
     out bool isNtlmUsed);
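        /// <summary>
        /// Acquires acceptor credentials for <paramref name="principal"/> via gss_acquire_cred,
        /// storing them in <c>_credentials</c>.
        /// </summary>
        /// <param name="principal">Service principal, imported with the GssNtPrincipalName name type.</param>
        /// <param name="keytab">
        /// Intended keytab path. NOT honoured yet: the registration call is still a TODO, so the
        /// credentials come from whatever keytab the GSS library resolves on its own (for MIT krb5
        /// typically the default keytab or KRB5_KTNAME). Callers that pass a path are not getting
        /// the isolation they asked for until this is wired up.
        /// </param>
        /// <param name="usage">Passed to gss_acquire_cred as the cred_usage value.</param>
        /// <param name="expiry">Requested lifetime in seconds; GSS_C_INDEFINITE by default.</param>
        /// <exception cref="GssException">Name import or credential acquisition failed.</exception>
        public GssKeytabCredential(string principal, string keytab, CredentialUsage usage, uint expiry = GSS_C_INDEFINITE)
        {
            // TODO: Wrap this with pinvoke
            if (!string.IsNullOrEmpty(keytab))
            {
                // krb5_gss_register_acceptor_identity(string)
            }

            // allocate a gss buffer and copy the principal name to it
            using (var gssNameBuffer = GssBuffer.FromString(principal))
            {
                uint minorStatus = 0;
                uint majorStatus = 0;

                // use the buffer to import the name into a gss_name
                majorStatus = gss_import_name(
                    out minorStatus,
                    ref gssNameBuffer.Value,
                    ref GssNtPrincipalName,
                    out var acceptorName
                    );
                if (majorStatus != GSS_S_COMPLETE)
                {
                    // NOTE(review): the name was imported with GssNtPrincipalName but the error is
                    // reported against GssNtHostBasedService — confirm which one GssException expects.
                    throw new GssException("The GSS provider was unable to import the supplied principal name",
                                           majorStatus, minorStatus, GssNtHostBasedService);
                }

                // use the name to attempt to obtain the servers credentials, this is usually from a keytab file. The
                // server credentials are required to decrypt and verify incoming service tickets
                var actualMechanims = default(GssOidDesc);

                majorStatus = gss_acquire_cred(
                    out minorStatus,
                    acceptorName,
                    expiry,
                    ref GssSpnegoMechOidSet,
                    (int)usage,
                    ref _credentials,
                    ref actualMechanims,
                    out var actualExpiry);

                // release the gss_name allocated by gss, the gss_buffer we allocated is free'd by the using block.
                // Discard this call's minor status: writing it into minorStatus here overwrote the
                // value from gss_acquire_cred, so the exception below reported the wrong minor code.
                gss_release_name(out _, ref acceptorName);

                if (majorStatus != GSS_S_COMPLETE)
                {
                    throw new GssException("The GSS Provider was unable aquire credentials for authentication",
                                           majorStatus, minorStatus, GssSpnegoMechOidDesc);
                }
            }
        }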
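        /// <summary>
        /// Unwraps the slice of <paramref name="inputBytes"/> at <paramref name="offset"/> for
        /// <paramref name="count"/> bytes by forwarding to the native Unwrap entry point.
        /// </summary>
        /// <param name="inputBytes">Array containing the wrapped message; must not be null.</param>
        /// <param name="offset">Start of the message inside the array.</param>
        /// <param name="count">Length of the message.</param>
        /// <param name="outBuffer">Receives the native-allocated output; the caller must Dispose it.</param>
        /// <returns>Major status of the native call.</returns>
        /// <remarks>
        /// The checks are Debug.Assert, so they vanish in release builds; callers of this internal
        /// method are trusted to pass a slice that lies inside the array.
        /// </remarks>
        internal static Status UnwrapBuffer(
            out Status minorStatus,
            SafeGssContextHandle contextHandle,
            byte[] inputBytes,
            int offset,
            int count,
            ref GssBuffer outBuffer)
        {
            Debug.Assert(inputBytes != null, "inputBytes must be valid value");
            Debug.Assert(offset >= 0 && offset <= inputBytes.Length, "offset must be valid");
            // Bound count by the space left after offset, not by the whole array: checking the
            // two independently let offset + count exceed the array and hand native code a
            // range running past the end of the buffer.
            Debug.Assert(count >= 0 && count <= inputBytes.Length - offset, "count must be valid");

            return(Unwrap(out minorStatus, contextHandle, inputBytes, offset, count, ref outBuffer));
        }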
 /// <summary>
 /// Native initiator-side context step with channel-binding and NTLM-fallback support
 /// (P/Invoke attribute not shown).
 /// </summary>
 /// <param name="isNtlmOnly">Bare bool: DllImport marshals it as a 4-byte BOOL by default — the shim must agree; same for <paramref name="isNtlmFallback"/>.</param>
 /// <param name="cbt">Pointer to channel-binding data of <paramref name="cbtSize"/> bytes, or IntPtr.Zero for none.</param>
 /// <param name="targetNameKerberos">Target name used for the Kerberos attempt.</param>
 /// <param name="targetNameNtlm">Target name used if the native side falls back to NTLM.</param>
 /// <param name="isNtlmUsed">Reports which mechanism was actually used; callers that require Kerberos should check it.</param>
 /// <param name="token">Receives the native-allocated output token; caller disposes.</param>
 internal static extern Status InitSecContext(
     out Status minorStatus,
     SafeGssCredHandle initiatorCredHandle,
     ref SafeGssContextHandle contextHandle,
     bool isNtlmOnly,
     IntPtr cbt,
     int cbtSize,
     bool isNtlmFallback,
     SafeGssNameHandle targetNameKerberos,
     SafeGssNameHandle targetNameNtlm,
     uint reqFlags,
     byte[] inputBytes,
     int inputLength,
     ref GssBuffer token,
     out uint retFlags,
     out bool isNtlmUsed);
            /// <summary>
            /// Renders a GSS-API major or minor status code as text via the native Display*Status
            /// calls. Returns null when the display call itself does not succeed.
            /// </summary>
            /// <param name="status">Code to describe.</param>
            /// <param name="isMinor">True to describe a mechanism-specific minor code, false for a major code.</param>
            /// <remarks>
            /// NOTE(review): the nullable overload in this listing decodes with PtrToStringUTF8;
            /// this one uses PtrToStringAnsi, which on .NET Framework follows the system code page.
            /// Confirm the target runtime before relying on non-ASCII text from the library.
            /// </remarks>
            private static string GetGssApiDisplayStatus(Status status, bool isMinor)
            {
                GssBuffer displayBuffer = default;

                try
                {
                    // The minor status of the display call itself is of no interest.
                    Status ignoredMinor;
                    Status displayCallStatus;
                    if (isMinor)
                    {
                        displayCallStatus = DisplayMinorStatus(out ignoredMinor, status, ref displayBuffer);
                    }
                    else
                    {
                        displayCallStatus = DisplayMajorStatus(out ignoredMinor, status, ref displayBuffer);
                    }

                    if (displayCallStatus != Status.GSS_S_COMPLETE)
                    {
                        return null;
                    }

                    return Marshal.PtrToStringAnsi(displayBuffer._data);
                }
                finally
                {
                    // Release the native memory the display call allocated, on every path.
                    displayBuffer.Dispose();
                }
            }
            /// <summary>
            /// Renders a GSS-API major or minor status code as UTF-8 text via the native
            /// Display*Status calls. Returns null when the display call itself does not succeed.
            /// </summary>
            /// <param name="status">Code to describe.</param>
            /// <param name="isMinor">True to describe a mechanism-specific minor code, false for a major code.</param>
            private static string? GetGssApiDisplayStatus(Status status, bool isMinor)
            {
                GssBuffer displayBuffer = default(GssBuffer);

                try
                {
                    // The display call's own minor status is not reported anywhere.
                    Interop.NetSecurityNative.Status ignoredMinor;
                    Interop.NetSecurityNative.Status displayCallStatus;
                    if (isMinor)
                    {
                        displayCallStatus = DisplayMinorStatus(out ignoredMinor, status, ref displayBuffer);
                    }
                    else
                    {
                        displayCallStatus = DisplayMajorStatus(out ignoredMinor, status, ref displayBuffer);
                    }

                    if (displayCallStatus != Status.GSS_S_COMPLETE)
                    {
                        return null;
                    }

                    return Marshal.PtrToStringUTF8(displayBuffer._data);
                }
                finally
                {
                    // Native memory from the display call is freed on every path.
                    displayBuffer.Dispose();
                }
            }
        /// <summary>
        /// Acquires initiator credentials for <paramref name="principal"/> from
        /// <paramref name="password"/> via gss_acquire_cred_with_password, storing them in
        /// <c>_credentials</c>.
        /// </summary>
        /// <param name="principal">User principal, imported with the GssNtPrincipalName name type.</param>
        /// <param name="password">
        /// Copied into a native gss_buffer for the call. The managed string cannot be scrubbed;
        /// whether GssBuffer.Dispose zeroes the native copy is not visible here — confirm, since
        /// the password otherwise stays in freed native memory.
        /// </param>
        /// <param name="usage">Passed to the native call as the cred_usage value.</param>
        /// <exception cref="GssException">Name import or credential acquisition failed.</exception>
        public GssPasswordCredential(string principal, string password, CredentialUsage usage)
        {
            using (var gssUsernameBuffer = GssBuffer.FromString(principal))
            {
                using (var gssPasswordBuffer = GssBuffer.FromString(password))
                {
                    // Turn the principal string into a gss_name the library understands.
                    var majorStatus = gss_import_name(
                        out var minorStatus,
                        ref gssUsernameBuffer.Value,
                        ref GssNtPrincipalName,
                        out var gssUsername);

                    if (majorStatus != GSS_S_COMPLETE)
                    {
                        throw new GssException("The GSS provider was unable to import the supplied principal name",
                                               majorStatus, minorStatus, GssNtHostBasedService);
                    }

                    // Ask the library for credentials (a TGT in the Kerberos case) with the
                    // password. 0xffffffff is the GSS "indefinite" lifetime request.
                    var negotiatedMechs = default(GssOidDesc);
                    majorStatus = gss_acquire_cred_with_password(
                        out minorStatus,
                        gssUsername,
                        ref gssPasswordBuffer.Value,
                        0xffffffff,
                        ref GssSpnegoMechOidSet,
                        (int)usage,
                        ref _credentials,
                        ref negotiatedMechs,
                        out var actualExpiry);

                    // The imported name is no longer needed whether or not the acquire
                    // succeeded; its own minor status is irrelevant and must not clobber ours.
                    gss_release_name(out var _, ref gssUsername);

                    if (majorStatus != GSS_S_COMPLETE)
                    {
                        throw new GssException("The GSS Provider was unable aquire credentials for authentication",
                                               majorStatus, minorStatus, GssSpnegoMechOidDesc);
                    }
                }
            }
        }
 /// <summary>
 /// Span-taking convenience overload of AcceptSecContext: forwards to the ref-byte overload
 /// with a reference to the first byte of <paramref name="inputBytes"/> and its length.
 /// </summary>
 /// <param name="inputBytes">Token received from the initiator.</param>
 /// <param name="token">Receives the native-allocated reply token; caller disposes.</param>
 /// <param name="isNtlmUsed">Set by the native side to report whether NTLM was negotiated.</param>
 /// <returns>Major status of the native call.</returns>
 internal static Status AcceptSecContext(
     out Status minorStatus,
     SafeGssCredHandle acceptorCredHandle,
     ref SafeGssContextHandle acceptContextHandle,
     ReadOnlySpan<byte> inputBytes,
     ref GssBuffer token,
     out uint retFlags,
     out bool isNtlmUsed)
 {
     // For a default/empty span the reference may be null; the accompanying length of 0
     // is what the callee has to honour.
     ref byte firstByte = ref MemoryMarshal.GetReference(inputBytes);
     int inputLength = inputBytes.Length;

     Status major = AcceptSecContext(
         out minorStatus,
         acceptorCredHandle,
         ref acceptContextHandle,
         ref firstByte,
         inputLength,
         ref token,
         out retFlags,
         out isNtlmUsed);

     return major;
 }
        /// <summary>
        /// Prepares an initiator for <paramref name="spn"/> using the supplied credential:
        /// keeps the credential handle and imports the target name into <c>gssTargetName</c>.
        /// </summary>
        /// <param name="credential">Credential whose handle is used for all later context calls.</param>
        /// <param name="spn">Target service name, imported with the GssNtPrincipalName name type.</param>
        /// <exception cref="GssException">The name could not be imported.</exception>
        /// <remarks>
        /// NOTE(review): the name is imported as GssNtPrincipalName but the failure is reported
        /// against GssNtHostBasedService — confirm which name type the SPN format actually needs.
        /// </remarks>
        public GssInitiator(GssCredential credential, string spn)
        {
            credentials = credential.Credentials;

            using (var spnBuffer = GssBuffer.FromString(spn))
            {
                uint minorStatus;
                var majorStatus = gss_import_name(
                    out minorStatus,
                    ref spnBuffer.Value,
                    ref GssNtPrincipalName,
                    out gssTargetName);

                if (majorStatus == GSS_S_COMPLETE)
                {
                    return;
                }

                throw new GssException("The GSS provider was unable to import the supplied Target Name (SPN)",
                                       majorStatus, minorStatus, GssNtHostBasedService);
            }
        }
        /// <summary>
        /// Acquires initiator credentials for <paramref name="principal"/> from
        /// <paramref name="password"/> via gss_acquire_cred_with_password, storing them in
        /// <c>_credentials</c> and the imported name in <c>_gssUsername</c>.
        /// </summary>
        /// <param name="principal">User principal, imported with the GssNtPrincipalName name type.</param>
        /// <param name="password">
        /// Copied into a native gss_buffer for the call. Whether GssBuffer.Dispose zeroes that
        /// native copy is not visible here — confirm, since the password otherwise lingers in
        /// freed native memory.
        /// </param>
        /// <param name="usage">Passed to the native call as the cred_usage value.</param>
        /// <exception cref="GssException">Name import or credential acquisition failed.</exception>
        /// <remarks>
        /// <c>_gssUsername</c> is not released on the failure path here; presumably Dispose
        /// takes care of it — verify.
        /// </remarks>
        public GssPasswordCredential(string principal, string password, CredentialUsage usage)
        {
            using (var gssUsernameBuffer = GssBuffer.FromString(principal))
            {
                using (var gssPasswordBuffer = GssBuffer.FromString(password))
                {
                    // Import the principal string into the field that later calls reuse.
                    var majorStatus = gss_import_name(
                        out var minorStatus,
                        ref gssUsernameBuffer.Value,
                        ref GssNtPrincipalName,
                        out _gssUsername);

                    if (majorStatus != GSS_S_COMPLETE)
                    {
                        throw new GssException("The GSS provider was unable to import the supplied principal name",
                                               majorStatus, minorStatus, GssNtHostBasedService);
                    }

                    // time_req of 0 leaves the lifetime to the library; actual_mechs is
                    // passed as a null pointer because we do not inspect what was negotiated.
                    majorStatus = gss_acquire_cred_with_password(
                        out minorStatus,
                        _gssUsername,
                        ref gssPasswordBuffer.Value,
                        0,
                        ref GssSpnegoMechOidSet,
                        (int)usage,
                        ref _credentials,
                        IntPtr.Zero,
                        out var actualExpiry);

                    if (majorStatus == GSS_S_COMPLETE)
                    {
                        return;
                    }

                    throw new GssException("The GSS Provider was unable aquire credentials for authentication",
                                           majorStatus, minorStatus, GssSpnegoMechOidDesc);
                }
            }
        }
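        /// <summary>
        /// Runs one initiator step of the SPNEGO handshake: feeds <paramref name="token"/>
        /// (null on the first leg) to gss_init_sec_context and returns the token to send to
        /// the acceptor. <c>IsEstablished</c> becomes true once the library reports
        /// GSS_S_COMPLETE.
        /// </summary>
        /// <param name="token">Token received from the acceptor, or null to start the exchange.</param>
        /// <returns>The next token for the acceptor, as produced by MarshalOutputToken.</returns>
        /// <exception cref="GssException">The library returned anything other than COMPLETE or CONTINUE_NEEDED.</exception>
        /// <remarks>
        /// The requested flags and time are 0 and no returned flags/time are collected (the
        /// IntPtr.Zero arguments), so the caller gets no say in — and no report of — which
        /// protections were negotiated.
        /// </remarks>
        public byte[] Initiate(Byte[] token)
        {
            // A null token goes in as an empty gss_buffer; otherwise the bytes are copied to
            // native memory. Both wrappers are disposable, and the original never disposed
            // them, so every native copy of an incoming token was left to the finalizer, if any.
            using (var gssToken = token == null
                ? Disposable.From(default(GssBufferStruct))
                : GssBuffer.FromBytes(token))
            {
                var majorStatus = gss_init_sec_context(
                    out var minorStatus,
                    credentials,
                    ref context,
                    gssTargetName,
                    ref GssSpnegoMechOidDesc,
                    0,
                    0,
                    IntPtr.Zero,
                    ref gssToken.Value,
                    IntPtr.Zero,
                    out var output,
                    IntPtr.Zero,
                    IntPtr.Zero
                    );

                switch (majorStatus)
                {
                case GSS_S_COMPLETE:
                    IsEstablished = true;
                    return(MarshalOutputToken(output));

                case GSS_S_CONTINUE_NEEDED:
                    return(MarshalOutputToken(output));

                default:
                    // Note that `output` is not released on this path; whether the library
                    // allocated anything for a failed call is not visible from here.
                    throw new GssException("The GSS Provider was unable to generate the supplied authentication token",
                                           majorStatus, minorStatus, GssSpnegoMechOidDesc);
                }
            }
        }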
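        /// <summary>
        /// Acquires acceptor credentials for <paramref name="principal"/> via gss_acquire_cred,
        /// storing them in <c>_credentials</c>.
        /// </summary>
        /// <param name="principal">Service principal, imported with the GssNtPrincipalName name type.</param>
        /// <param name="keytab">
        /// Not used by this constructor: nothing here registers it with the library, so the
        /// credentials come from whatever keytab the GSS library resolves on its own. Callers
        /// passing a path are not getting the isolation they asked for.
        /// </param>
        /// <param name="usage">Passed to gss_acquire_cred as the cred_usage value.</param>
        /// <param name="expiry">Requested lifetime in seconds; GSS_C_INDEFINITE by default.</param>
        /// <exception cref="GssException">Name import or credential acquisition failed.</exception>
        public GssKeytabCredential(string principal, string keytab, CredentialUsage usage, uint expiry = GSS_C_INDEFINITE)
        {
            // allocate a gss buffer and copy the principal name to it
            using (var gssNameBuffer = GssBuffer.FromString(principal))
            {
                uint minorStatus = 0;
                uint majorStatus = 0;

                // use the buffer to import the name into a gss_name
                majorStatus = gss_import_name(
                    out minorStatus,
                    ref gssNameBuffer.Value,
                    ref GssNtPrincipalName,
                    out var acceptorName
                    );
                if (majorStatus != GSS_S_COMPLETE)
                {
                    throw new GssException("The GSS provider was unable to import the supplied principal name",
                                           majorStatus, minorStatus, GssNtHostBasedService);
                }

                majorStatus = gss_acquire_cred(
                    out minorStatus,
                    acceptorName,
                    expiry,
                    ref GssSpnegoMechOidSet,
                    (int)usage,
                    ref _credentials,
                    IntPtr.Zero,            // dont mind what mechs we got
                    out var actualExpiry);

                // The imported name is a library allocation that was never freed here (it is a
                // local, so nothing else can free it). Release it on both outcomes, discarding
                // its minor status so the acquire call's code survives into the exception.
                gss_release_name(out _, ref acceptorName);

                if (majorStatus != GSS_S_COMPLETE)
                {
                    throw new GssException("The GSS Provider was unable aquire credentials for authentication",
                                           majorStatus, minorStatus, GssSpnegoMechOidDesc);
                }
            }
        }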
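        /// <summary>
        /// Unwraps the slice of <paramref name="inputBytes"/> at <paramref name="offset"/> for
        /// <paramref name="count"/> bytes by forwarding to the native Unwrap entry point.
        /// </summary>
        /// <param name="inputBytes">Array containing the wrapped message; must not be null.</param>
        /// <param name="offset">Start of the message inside the array.</param>
        /// <param name="count">Length of the message.</param>
        /// <param name="outBuffer">Receives the native-allocated output; the caller must Dispose it.</param>
        /// <returns>Major status of the native call.</returns>
        /// <remarks>
        /// The checks are Debug.Assert and disappear in release builds; callers of this internal
        /// method are trusted to pass a slice that lies inside the array.
        /// </remarks>
        internal static Status UnwrapBuffer(
            out Status minorStatus,
            SafeGssContextHandle contextHandle,
            byte[] inputBytes,
            int offset,
            int count,
            ref GssBuffer outBuffer)
        {
            Debug.Assert(inputBytes != null, "inputBytes must be valid value");
            Debug.Assert(offset >= 0 && offset <= inputBytes.Length, "offset must be valid");
            // Bound count by what remains after offset: checking offset and count against the
            // array length independently let offset + count run past the end of the buffer
            // on the native side.
            Debug.Assert(count >= 0 && count <= inputBytes.Length - offset, "count must be valid");

            return Unwrap(out minorStatus, contextHandle, inputBytes, offset, count, ref outBuffer);
        }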
 /// <summary>
 /// Source-generated native call that renders a mechanism-specific minor status code as
 /// text (attribute outside this listing).
 /// </summary>
 /// <param name="statusValue">Minor code to describe.</param>
 /// <param name="buffer">Receives native-allocated text; the caller must Dispose it (see GetGssApiDisplayStatus).</param>
 internal static partial Status DisplayMinorStatus(
     out Status minorStatus,
     Status statusValue,
     ref GssBuffer buffer);
 /// <summary>
 /// Native acceptor-side context step (P/Invoke attribute not shown). This variant returns
 /// no flags, so callers cannot see which protections the peer negotiated.
 /// </summary>
 /// <param name="inputLength">Bytes of <paramref name="inputBytes"/> to consume; not checked against the array length here.</param>
 /// <param name="token">Receives the native-allocated reply token; caller disposes.</param>
 internal static extern Status AcceptSecContext(
     out Status minorStatus,
     ref SafeGssContextHandle acceptContextHandle,
     byte[] inputBytes,
     int inputLength,
     ref GssBuffer token);
 /// <summary>
 /// Native wrap shim (P/Invoke attribute not shown). Wraps the slice of
 /// <paramref name="inputBytes"/> at <paramref name="offset"/> for <paramref name="count"/>
 /// bytes, encrypting when <paramref name="isEncrypt"/> is set.
 /// </summary>
 /// <param name="isEncrypt">Bare bool: DllImport marshals it as a 4-byte BOOL by default — the shim must agree.</param>
 /// <param name="offset">Not validated here; the managed wrapper must guarantee offset + count &lt;= inputBytes.Length.</param>
 /// <param name="outBuffer">Receives native-allocated output; the caller must Dispose it.</param>
 private static extern Status Wrap(
     out Status minorStatus,
     SafeGssContextHandle contextHandle,
     bool isEncrypt,
     byte[] inputBytes,
     int offset,
     int count,
     ref GssBuffer outBuffer);
 /// <summary>
 /// Native call that renders a GSS-API major status code as text (P/Invoke attribute not shown).
 /// </summary>
 /// <param name="statusValue">Major code to describe.</param>
 /// <param name="buffer">Receives native-allocated text; the caller must Dispose it (see GetGssApiDisplayStatus).</param>
 internal static extern Status DisplayMajorStatus(
     out Status minorStatus,
     Status statusValue,
     ref GssBuffer buffer);
 /// <summary>
 /// Native call that renders a GSS-API major status code as text (P/Invoke attribute not
 /// shown); identical to the declaration immediately above it in this listing.
 /// </summary>
 /// <param name="statusValue">Major code to describe.</param>
 /// <param name="buffer">Receives native-allocated text; the caller must Dispose it.</param>
 internal static extern Status DisplayMajorStatus(
     out Status minorStatus,
     Status statusValue,
     ref GssBuffer buffer);