/// <summary> /// create sasl bind response packet. /// </summary> /// <param name="context"> /// an AdtsLdapContext object that indicates the context of LDAP. /// </param> /// <param name="securityContext"> /// a ServerSecurityContext object that specifies the security provider. /// </param> /// <param name="enableMessageSecurity"> /// a bool value that indicates whether enable message security. /// </param> /// <returns> /// a BindResponsePacket object that responses the SASL bind request. /// </returns> /// <exception cref="ArgumentNullException"> /// thrown when context is null. /// </exception> /// <exception cref="ArgumentNullException"> /// thrown when securityContext is null. /// </exception> public AdtsBindResponsePacket CreateSaslBindResponse( AdtsLdapContext context, ServerSecurityContext securityContext, bool enableMessageSecurity) { if (context == null) { throw new ArgumentNullException("context"); } if (securityContext == null) { throw new ArgumentNullException("securityContext"); } if (context.Security == null) { context.Security = new AdtsLdapSaslSecurityLayer(securityContext); context.UsingMessageSecurity = enableMessageSecurity; } ResultCode resultCode = ResultCode.Success; if (securityContext.NeedContinueProcessing) { resultCode = ResultCode.SaslBindInProgress; } return(this.CreateBindResponse( context, resultCode, string.Empty, string.Empty, null, securityContext.Token)); }
/// <summary> /// Constructor /// </summary> /// <param name="connection">The SMB connection associated with this session.</param> /// <param name="sessionId">Session Id of the Session</param> /// <param name="securityContext">The security context of the user that established the session, as obtained /// from the authentication subsystem after successful authentication.</param> /// <param name="creationTime">The time that the session was established.</param> /// <param name="idleTime">The time that the session processed its most recent request.</param> /// <param name="userName">The name of the user who established the session.</param> /// <param name="sessionGlobalId">A numeric 32-bit value obtained by registration with the Server Service Remote /// Protocol.</param> public CifsServerPerSession( IFileServiceServerConnection connection, long sessionId, ServerSecurityContext securityContext, DateTime creationTime, DateTime idleTime, string userName, int sessionGlobalId) { this.connection = connection; this.sessionId = sessionId; this.securityContext = securityContext; this.creationTime = creationTime; this.idleTime = idleTime; this.userName = userName; this.sessionGlobalId = sessionGlobalId; this.treeConnectTable = new Dictionary <ushort, IFileServiceServerTreeConnect>(); }
/// <summary> /// create sicily bind response packet. /// </summary> /// <param name="context"> /// an AdtsLdapContext object that indicates the context of LDAP. /// </param> /// <param name="securityContext"> /// a ServerSecurityContext object that specifies the security provider. /// </param> /// <param name="enableMessageSecurity"> /// a bool value that indicates whether enable message security. /// </param> /// <returns> /// a SicilyBindResponsePacket object that responses the Sicily bind request. /// </returns> /// <exception cref="ArgumentNullException"> /// thrown when context is null. /// </exception> /// <exception cref="ArgumentNullException"> /// thrown when securityContext is null. /// </exception> public AdtsSicilyBindResponsePacket CreateSicilyBindResponse( AdtsLdapContext context, ServerSecurityContext securityContext, bool enableMessageSecurity) { if (context == null) { throw new ArgumentNullException("context"); } if (securityContext == null) { throw new ArgumentNullException("securityContext"); } if (context.Security == null) { context.Security = new AdtsLdapSaslSecurityLayer(securityContext); context.UsingMessageSecurity = enableMessageSecurity; } return(this.CreateSicilyBindResponse( context, ResultCode.Success, securityContext.Token, string.Empty)); }
/// <summary> /// AcquireCredentialsHandle /// </summary> /// <param name="accountCredential"></param> protected void AcquireCredentialsHandle <T>(T accountCredential) { switch (packageType) { case SecurityPackageType.Ntlm: { if (accountCredential is AccountCredential) { var credential = accountCredential as AccountCredential; this.Context = new NlmpServerSecurityContext( NegotiateTypes.NTLM_NEGOTIATE_OEM | NegotiateTypes.NTLMSSP_NEGOTIATE_NTLM, new NlmpClientCredential(string.Empty, credential.DomainName, credential.AccountName, credential.Password), !string.IsNullOrEmpty(credential.DomainName), credential.DomainName, this.serverPrincipalName ); } else { throw new NotSupportedException("NTLM only support AccountCredential, Please provide an AccountCredential and try again."); } return; } //case SecurityPackageType.Kerberos: // throw new NotImplementedException(); //case SecurityPackageType.Negotiate: // throw new NotImplementedException(); //case SecurityPackageType.Schannel: // throw new NotImplementedException(); //case SecurityPackageType.CredSsp: // throw new NotImplementedException(); //default: // throw new NotImplementedException(); } this.UseNativeSSP(accountCredential); }
/// <summary> /// Use Native SSP to do auth /// </summary> /// <typeparam name="T"></typeparam> /// <param name="accountCredential"></param> private void UseNativeSSP <T>(T accountCredential) { if (accountCredential is AccountCredential) { this.Context = new Sspi.SspiServerSecurityContext( packageType, accountCredential as AccountCredential, this.ServerPrincipalName, securityContextAttributes, targetDataRepresentaion ); } else if (accountCredential is CertificateCredential) { this.Context = new Sspi.SspiServerSecurityContext( packageType, accountCredential as CertificateCredential, this.ServerPrincipalName, securityContextAttributes, targetDataRepresentaion ); } }
/// <summary> /// Decrypt stub and validate auth_token. /// </summary> public override bool ValidateAuthenticationToken() { FieldInfo fieldInfo = this.GetType().GetField("auth_verifier"); if (fieldInfo == null) { // PDU has no auth_verifier field, do nothing. return(true); } auth_verifier_co_t?authVerifier = (auth_verifier_co_t?)fieldInfo.GetValue(this); if (authVerifier == null) { // PDU has no auth_verifier, do nothing. return(true); } if (authVerifier.Value.auth_type != (byte)context.AuthenticationType || authVerifier.Value.auth_level != (byte)context.AuthenticationLevel || authVerifier.Value.auth_context_id != context.AuthenticationContextId) { //SecurityProvider in context is not the right SSPI to decrypt and validate the PDU. return(false); } bool result = true; if (PTYPE == RpcePacketType.Bind || PTYPE == RpcePacketType.AlterContext || PTYPE == RpcePacketType.Auth3) { ServerSecurityContext serverSspi = context.SecurityContext as ServerSecurityContext; if (serverSspi != null) { // Accept or Initialize should throw exception when token is incorrect. serverSspi.Accept(authVerifier.Value.auth_value); securityContextNeedContinueProcessing = serverSspi.NeedContinueProcessing; } } else if (PTYPE == RpcePacketType.BindAck || PTYPE == RpcePacketType.AlterContextResp) { ClientSecurityContext clientSspi = context.SecurityContext as ClientSecurityContext; if (clientSspi != null) { //BindAck only received on client. clientSspi.Initialize(authVerifier.Value.auth_value); securityContextNeedContinueProcessing = clientSspi.NeedContinueProcessing; } } else if (context.AuthenticationLevel != RpceAuthenticationLevel.RPC_C_AUTHN_LEVEL_DEFAULT && context.AuthenticationLevel != RpceAuthenticationLevel.RPC_C_AUTHN_LEVEL_CONNECT) { auth_verifier_co_t newAuthVerifier = authVerifier.Value; result = DecryptAndVerify(ref newAuthVerifier); authVerifier = newAuthVerifier; } return(result); }
/// <summary> /// Dispose Server Security Context /// </summary> public void Dispose() { this.Context = null; GC.SuppressFinalize(this); }