public void NegotiateStream_StreamToStream_NtlmAuthentication_NtlmUser_InvalidCredentials_Fail(NetworkCredential credential)
{
if (!_isNtlmAvailable)
{
_output.WriteLine("skipping NegotiateStream_StreamToStream_NtlmAuthentication_NtlmUser_InvalidCredentials_Fail");
return;
}
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new UnixGssFakeNegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated, "client.IsAuthenticated");
Assert.ThrowsAsync <AuthenticationException>(() => server.AuthenticateAsServerAsync());
Assert.ThrowsAsync <AuthenticationException>(() => client.AuthenticateAsClientAsync(credential, _testTarget, ProtectionLevel.None, TokenImpersonationLevel.Identification));
}
}
public async Task SslStream_ServerLocalCertificateSelectionCallbackReturnsNull_Throw()
{
VirtualNetwork network = new VirtualNetwork();
var selectionCallback = new LocalCertificateSelectionCallback((object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] issuers) =>
{
return(null);
});
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new SslStream(clientStream, false, AllowAnyServerCertificate))
using (var server = new SslStream(serverStream, false, null, selectionCallback))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
await Assert.ThrowsAsync <NotSupportedException>(async() =>
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(client.AuthenticateAsClientAsync(certificate.GetNameInfo(X509NameType.SimpleName, false)), server.AuthenticateAsServerAsync(certificate))
);
}
}
public void NegotiateStream_StreamToStream_KerberosAuthDefaultCredentialsNoSeed_Failure()
{
if (!_isKrbAvailable)
{
_output.WriteLine("skipping NegotiateStream_StreamToStream_KerberosAuthDefaultCredentialsNoSeed_Failure");
return;
}
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var client = new NegotiateStream(clientStream))
{
Assert.False(client.IsAuthenticated, "client is not authenticated before AuthenticateAsClient call");
string user = string.Format("{0}@{1}", TestConfiguration.KerberosUser, TestConfiguration.Realm);
string target = string.Format("{0}@{1}", TestConfiguration.HostTarget, TestConfiguration.Realm);
Assert.ThrowsAsync <AuthenticationException>(() => client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, target));
}
}
public async Task NegotiateStream_SPNRequirmentNotMeet_Throws()
{
var network = new VirtualNetwork();
var snc = new List <string>
{
"serviceName"
};
// PolicyEnforcement.Always will force clientSpn check.
var policy = new ExtendedProtectionPolicy(PolicyEnforcement.Always, ProtectionScenario.TransportSelected, new ServiceNameCollection(snc));
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
Assert.ThrowsAsync <AuthenticationException>(() => client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, string.Empty)),
Assert.ThrowsAsync <AuthenticationException>(() => server.AuthenticateAsServerAsync(policy)));
}
}
public void NegotiateStream_StreamToStream_NtlmAuthentication_ValidCredentials_Success(NetworkCredential credential)
{
if (!_isNtlmAvailable)
{
_output.WriteLine("skipping NegotiateStream_StreamToStream_NtlmAuthentication_ValidCredentials_Success");
return;
}
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new UnixGssFakeNegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated, "client.IsAuthenticated");
Assert.False(server.IsAuthenticated, "server.IsAuthenticated");
Task[] auth = new Task[] {
client.AuthenticateAsClientAsync(credential, _testTarget, ProtectionLevel.None, TokenImpersonationLevel.Identification),
server.AuthenticateAsServerAsync()
};
bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
Assert.True(finished, "Handshake completed in the allotted time");
// Expected Client property values:
Assert.True(client.IsAuthenticated, "client.IsAuthenticated");
Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
Assert.False(client.IsEncrypted, "client.IsEncrypted");
Assert.False(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
Assert.False(client.IsServer, "client.IsServer");
Assert.False(client.IsSigned, "client.IsSigned");
Assert.False(client.LeaveInnerStreamOpen, "client.LeaveInnerStreamOpen");
IIdentity serverIdentity = client.RemoteIdentity;
Assert.Equal("NTLM", serverIdentity.AuthenticationType);
Assert.True(serverIdentity.IsAuthenticated, "serverIdentity.IsAuthenticated");
IdentityValidator.AssertHasName(serverIdentity, _testTarget);
}
}
public void NegotiateStream_EchoServer_ClientWriteRead_Successive_Sync_Success()
{
if (!_isKrbAvailable)
{
_output.WriteLine("skipping NegotiateStream_EchoServer_ClientWriteRead_Successive_Sync_Success");
return;
}
VirtualNetwork network = new VirtualNetwork();
byte[] firstRecvBuffer = new byte[_firstMessage.Length];
byte[] secondRecvBuffer = new byte[_secondMessage.Length];
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new UnixGssFakeNegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated, "client is not authenticated before AuthenticateAsClient call");
Task[] auth = new Task[2];
string user = string.Format("{0}@{1}", TestConfiguration.KerberosUser, TestConfiguration.Realm);
string target = string.Format("{0}@{1}", TestConfiguration.HostTarget, TestConfiguration.Realm);
NetworkCredential credential = new NetworkCredential(user, _fixture.password);
auth[0] = client.AuthenticateAsClientAsync(credential, target);
auth[1] = server.AuthenticateAsServerAsync();
bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
Assert.True(finished, "Handshake completed in the allotted time");
Task svrMsgTask = server.PollMessageAsync(2);
client.Write(_firstMessage, 0, _firstMessage.Length);
client.Write(_secondMessage, 0, _secondMessage.Length);
client.Read(firstRecvBuffer, 0, firstRecvBuffer.Length);
client.Read(secondRecvBuffer, 0, secondRecvBuffer.Length);
Assert.True(_firstMessage.SequenceEqual(firstRecvBuffer), "first message received is as expected");
Assert.True(_secondMessage.SequenceEqual(secondRecvBuffer), "second message received is as expected");
finished = svrMsgTask.Wait(TestConfiguration.PassingTestTimeoutMilliseconds);
Assert.True(finished, "Message roundtrip completed in the allotted time");
}
}
public async Task NegotiateStream_StreamToStream_NtlmAuthentication_KerberosCreds_Success()
{
if (!_isNtlmAvailable)
{
_output.WriteLine("skipping NegotiateStream_StreamToStream_NtlmAuthentication_KerberosCreds_Success");
return;
}
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new UnixGssFakeNegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated, "client.IsAuthenticated");
Assert.False(server.IsAuthenticated, "server.IsAuthenticated");
string user = string.Format("{0}@{1}", TestConfiguration.KerberosUser, TestConfiguration.Realm);
NetworkCredential credential = new NetworkCredential(user, _fixture.password);
Task[] auth = new Task[] {
client.AuthenticateAsClientAsync(credential, TestConfiguration.HttpTarget, ProtectionLevel.None, TokenImpersonationLevel.Identification),
server.AuthenticateAsServerAsync()
};
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
// Expected Client property values:
Assert.True(client.IsAuthenticated, "client.IsAuthenticated");
Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
Assert.False(client.IsEncrypted, "client.IsEncrypted");
Assert.False(client.IsMutuallyAuthenticated, "client.IsMutuallyAuthenticated");
Assert.False(client.IsServer, "client.IsServer");
Assert.False(client.IsSigned, "client.IsSigned");
Assert.False(client.LeaveInnerStreamOpen, "client.LeaveInnerStreamOpen");
IIdentity serverIdentity = client.RemoteIdentity;
Assert.Equal("NTLM", serverIdentity.AuthenticationType);
Assert.True(serverIdentity.IsAuthenticated, "server identity is authenticated");
IdentityValidator.AssertHasName(serverIdentity, TestConfiguration.HttpTarget);
}
}
public async Task NegotiateStream_SecurityRequirmentNotMeet_Throws()
{
var network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
// ProtectionLevel not match.
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
Assert.ThrowsAsync <AuthenticationException>(() =>
client.AuthenticateAsClientAsync((NetworkCredential)CredentialCache.DefaultCredentials,
TargetName, ProtectionLevel.None, TokenImpersonationLevel.Identification)),
Assert.ThrowsAsync <AuthenticationException>(() =>
server.AuthenticateAsServerAsync((NetworkCredential)CredentialCache.DefaultCredentials,
ProtectionLevel.Sign, TokenImpersonationLevel.Identification)));
Assert.Throws <AuthenticationException>(() => client.Write(s_sampleMsg, 0, s_sampleMsg.Length));
}
}
public void SslStream_StreamToStream_Authentication_IncorrectServerName_Fail()
{
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new SslStream(clientStream))
using (var server = new SslStream(serverStream))
{
Task[] auth = new Task[2];
auth[0] = client.AuthenticateAsClientAsync("incorrectServer");
auth[1] = server.AuthenticateAsServerAsync(TestConfiguration.GetServerCertificate());
Assert.Throws <AuthenticationException>(() =>
{
auth[0].GetAwaiter().GetResult();
});
auth[1].GetAwaiter().GetResult();
}
}
public async Task SslStream_StreamToStream_Write_ReadByte_Success()
{
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var clientSslStream = new SslStream(clientStream, false, AllowAnyServerCertificate))
using (var serverSslStream = new SslStream(serverStream))
{
await DoHandshake(clientSslStream, serverSslStream);
for (int i = 0; i < 3; i++)
{
clientSslStream.Write(_sampleMsg);
foreach (byte b in _sampleMsg)
{
Assert.Equal(b, serverSslStream.ReadByte());
}
}
}
}
public async Task NegotiateStream_StreamToStream_KerberosAuthInvalidTarget_Failure()
{
if (!_isKrbAvailable)
{
_output.WriteLine("skipping NegotiateStream_StreamToStream_KerberosAuthInvalidTarget_Failure");
return;
}
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var client = new NegotiateStream(clientStream))
{
Assert.False(client.IsAuthenticated, "client stream is not authenticated by default");
string user = string.Format("{0}@{1}", TestConfiguration.KerberosUser, TestConfiguration.Realm);
string target = string.Format("{0}@{1}", TestConfiguration.HostTarget, TestConfiguration.Realm);
NetworkCredential credential = new NetworkCredential(user, _fixture.password);
await Assert.ThrowsAsync <AuthenticationException>(() => client.AuthenticateAsClientAsync(credential, target.Substring(1)));
}
}
public async Task NegotiateStream_StreamToStream_Successive_ClientWrite_Async_Success()
{
byte[] recvBuf = new byte[s_sampleMsg.Length];
VirtualNetwork network = new VirtualNetwork();
int bytesRead = 0;
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, string.Empty);
auth[1] = AuthenticateAsServerAsync(server);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
auth[0] = client.WriteAsync(s_sampleMsg, 0, s_sampleMsg.Length);
auth[1] = server.ReadAsync(recvBuf, 0, s_sampleMsg.Length);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
Assert.True(s_sampleMsg.SequenceEqual(recvBuf));
await client.WriteAsync(s_sampleMsg, 0, s_sampleMsg.Length);
// Test partial async read.
bytesRead = await server.ReadAsync(recvBuf, 0, PartialBytesToRead);
Assert.Equal(PartialBytesToRead, bytesRead);
bytesRead = await server.ReadAsync(recvBuf, PartialBytesToRead, s_sampleMsg.Length - PartialBytesToRead);
Assert.Equal(s_sampleMsg.Length - PartialBytesToRead, bytesRead);
Assert.True(s_sampleMsg.SequenceEqual(recvBuf));
}
}
public async Task SslStream_SameCertUsedForClientAndServer_Ok()
{
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new SslStream(clientStream, true, AllowAnyCertificate))
using (var server = new SslStream(serverStream, true, AllowAnyCertificate))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
// Using the same certificate for server and client auth.
X509Certificate2Collection clientCertificateCollection =
new X509Certificate2Collection(certificate);
var tasks = new Task[2];
tasks[0] = server.AuthenticateAsServerAsync(certificate, true, false);
tasks[1] = client.AuthenticateAsClientAsync(
certificate.GetNameInfo(X509NameType.SimpleName, false),
clientCertificateCollection, false);
await Task.WhenAll(tasks).TimeoutAfter(15 * 1000);
if (!PlatformDetection.IsWindows7 ||
Capability.IsTrustedRootCertificateInstalled())
{
// https://technet.microsoft.com/en-us/library/hh831771.aspx#BKMK_Changes2012R2
// Starting with Windows 8, the "Management of trusted issuers for client authentication" has changed:
// The behavior to send the Trusted Issuers List by default is off.
//
// In Windows 7 the Trusted Issuers List is sent within the Server Hello TLS record. This list is built
// by the server using certificates from the Trusted Root Authorities certificate store.
// The client side will use the Trusted Issuers List, if not empty, to filter proposed certificates.
Assert.True(client.IsMutuallyAuthenticated);
Assert.True(server.IsMutuallyAuthenticated);
}
}
}
public async Task SslStream_StreamToStream_Successive_ClientWrite_Async_Success()
{
byte[] recvBuf = new byte[_sampleMsg.Length];
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var clientSslStream = new SslStream(clientStream, false, AllowAnyServerCertificate))
using (var serverSslStream = new SslStream(serverStream))
{
bool result = DoHandshake(clientSslStream, serverSslStream);
Assert.True(result, "Handshake completed.");
await clientSslStream.WriteAsync(_sampleMsg, 0, _sampleMsg.Length)
.TimeoutAfter(TestConfiguration.PassingTestTimeoutMilliseconds);
int bytesRead = 0;
while (bytesRead < _sampleMsg.Length)
{
bytesRead += await serverSslStream.ReadAsync(recvBuf, bytesRead, _sampleMsg.Length - bytesRead)
.TimeoutAfter(TestConfiguration.PassingTestTimeoutMilliseconds);
}
Assert.True(VerifyOutput(recvBuf, _sampleMsg), "verify first read data is as expected.");
await clientSslStream.WriteAsync(_sampleMsg, 0, _sampleMsg.Length)
.TimeoutAfter(TestConfiguration.PassingTestTimeoutMilliseconds);
bytesRead = 0;
while (bytesRead < _sampleMsg.Length)
{
bytesRead += await serverSslStream.ReadAsync(recvBuf, bytesRead, _sampleMsg.Length - bytesRead)
.TimeoutAfter(TestConfiguration.PassingTestTimeoutMilliseconds);
}
Assert.True(VerifyOutput(recvBuf, _sampleMsg), "verify second read data is as expected.");
}
}
public async Task SslStream_ServerCallbackNotSet_UsesLocalCertificateSelection(string hostName)
{
X509Certificate serverCert = Configuration.Certificates.GetSelfSignedServerCertificate();
int timesCallbackCalled = 0;
var selectionCallback = new LocalCertificateSelectionCallback((object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] issuers) =>
{
Assert.Equal(string.Empty, targetHost);
Assert.True(localCertificates.Contains(serverCert));
timesCallbackCalled++;
return(serverCert);
});
var validationCallback = new RemoteCertificateValidationCallback((object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
{
Assert.Equal(serverCert, certificate);
return(true);
});
VirtualNetwork vn = new VirtualNetwork();
using (VirtualNetworkStream serverStream = new VirtualNetworkStream(vn, isServer: true),
clientStream = new VirtualNetworkStream(vn, isServer: false))
using (SslStream server = new SslStream(serverStream, false, null, selectionCallback),
client = new SslStream(clientStream, leaveInnerStreamOpen: false, validationCallback))
{
Task clientJob = Task.Run(() => {
client.AuthenticateAsClient(hostName);
});
SslServerAuthenticationOptions options = DefaultServerOptions();
options.ServerCertificate = serverCert;
await TaskTimeoutExtensions.WhenAllOrAnyFailed(new[] { clientJob, server.AuthenticateAsServerAsync(options, CancellationToken.None) });
Assert.Equal(1, timesCallbackCalled);
}
}
public void SslStream_StreamToStream_Successive_ClientWrite_WithZeroBytes_Success()
{
byte[] recvBuf = new byte[_sampleMsg.Length];
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var clientSslStream = new SslStream(clientStream, false, AllowAnyServerCertificate))
using (var serverSslStream = new SslStream(serverStream))
{
bool result = DoHandshake(clientSslStream, serverSslStream);
Assert.True(result, "Handshake completed.");
clientSslStream.Write(Array.Empty <byte>());
clientSslStream.WriteAsync(Array.Empty <byte>(), 0, 0).Wait();
clientSslStream.Write(_sampleMsg);
int bytesRead = 0;
while (bytesRead < _sampleMsg.Length)
{
bytesRead += serverSslStream.Read(recvBuf, bytesRead, _sampleMsg.Length - bytesRead);
}
Assert.True(VerifyOutput(recvBuf, _sampleMsg), "verify first read data is as expected.");
clientSslStream.Write(_sampleMsg);
clientSslStream.WriteAsync(Array.Empty <byte>(), 0, 0).Wait();
clientSslStream.Write(Array.Empty <byte>());
bytesRead = 0;
while (bytesRead < _sampleMsg.Length)
{
bytesRead += serverSslStream.Read(recvBuf, bytesRead, _sampleMsg.Length - bytesRead);
}
Assert.True(VerifyOutput(recvBuf, _sampleMsg), "verify second read data is as expected.");
}
}
public async Task SslStream_StreamToStream_WriteAsync_ReadByte_Success()
{
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var clientSslStream = new SslStream(clientStream, false, AllowAnyServerCertificate))
using (var serverSslStream = new SslStream(serverStream))
{
bool result = DoHandshake(clientSslStream, serverSslStream);
Assert.True(result, "Handshake completed.");
for (int i = 0; i < 3; i++)
{
await clientSslStream.WriteAsync(_sampleMsg, 0, _sampleMsg.Length).ConfigureAwait(false);
foreach (byte b in _sampleMsg)
{
Assert.Equal(b, serverSslStream.ReadByte());
}
}
}
}
public async Task NegotiateStream_ConcurrentAsyncReadOrWrite_ThrowsNotSupportedException()
{
byte[] recvBuf = new byte[s_sampleMsg.Length];
var network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, string.Empty),
server.AuthenticateAsServerAsync());
// Custom EndWrite/Read will not reset the variable which monitors concurrent write/read.
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
Task.Factory.FromAsync(client.BeginWrite, (ar) => { Assert.NotNull(ar); }, s_sampleMsg, 0, s_sampleMsg.Length, client),
Task.Factory.FromAsync(server.BeginRead, (ar) => { Assert.NotNull(ar); }, recvBuf, 0, s_sampleMsg.Length, server));
Assert.Throws <NotSupportedException>(() => client.BeginWrite(s_sampleMsg, 0, s_sampleMsg.Length, (ar) => { Assert.Null(ar); }, null));
Assert.Throws <NotSupportedException>(() => server.BeginRead(recvBuf, 0, s_sampleMsg.Length, (ar) => { Assert.Null(ar); }, null));
}
}
public async Task NegotiateStream_EndReadEndWriteInvalidParameter_Throws()
{
byte[] recvBuf = new byte[s_sampleMsg.Length];
var network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(CredentialCache.DefaultNetworkCredentials, string.Empty),
server.AuthenticateAsServerAsync());
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
Task.Factory.FromAsync(client.BeginWrite,
(asyncResult) =>
{
NegotiateStream authStream = (NegotiateStream)asyncResult.AsyncState;
AssertExtensions.Throws <ArgumentNullException>(nameof(asyncResult), () => authStream.EndWrite(null));
IAsyncResult result = new MyAsyncResult();
AssertExtensions.Throws <ArgumentException>(nameof(asyncResult), () => authStream.EndWrite(result));
},
s_sampleMsg, 0, s_sampleMsg.Length, client),
Task.Factory.FromAsync(server.BeginRead,
(asyncResult) =>
{
NegotiateStream authStream = (NegotiateStream)asyncResult.AsyncState;
AssertExtensions.Throws <ArgumentNullException>(nameof(asyncResult), () => authStream.EndRead(null));
IAsyncResult result = new MyAsyncResult();
AssertExtensions.Throws <ArgumentException>(nameof(asyncResult), () => authStream.EndRead(result));
},
recvBuf, 0, s_sampleMsg.Length, server));
}
}
public async Task NegotiateStream_StreamToStream_Successive_ClientWrite_Sync_Success()
{
byte[] recvBuf = new byte[s_sampleMsg.Length];
VirtualNetwork network = new VirtualNetwork();
int bytesRead = 0;
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = client.AuthenticateAsClientAsync(EnterpriseTestConfiguration.ValidNetworkCredentials, TargetName);
auth[1] = server.AuthenticateAsServerAsync();
await WhenAllOrAnyFailedWithTimeout(auth);
client.Write(s_sampleMsg, 0, s_sampleMsg.Length);
server.Read(recvBuf, 0, s_sampleMsg.Length);
Assert.True(s_sampleMsg.SequenceEqual(recvBuf));
client.Write(s_sampleMsg, 0, s_sampleMsg.Length);
// Test partial sync read.
bytesRead = server.Read(recvBuf, 0, PartialBytesToRead);
Assert.Equal(PartialBytesToRead, bytesRead);
bytesRead = server.Read(recvBuf, PartialBytesToRead, s_sampleMsg.Length - PartialBytesToRead);
Assert.Equal(s_sampleMsg.Length - PartialBytesToRead, bytesRead);
Assert.True(s_sampleMsg.SequenceEqual(recvBuf));
}
}
public async Task StreamToStream_ValidAuthentication_Success(NetworkCredential creds, string target)
{
var network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = client.AuthenticateAsClientAsync(creds, target);
auth[1] = server.AuthenticateAsServerAsync();
await WhenAllOrAnyFailedWithTimeout(auth);
VerifyStreamProperties(client, isServer: false, target);
string remoteName = creds.UserName + "@" + EnterpriseTestConfiguration.Realm;
VerifyStreamProperties(server, isServer: true, remoteName);
}
}
public async Task NegotiateStream_StreamToStream_Authentication_EmptyCredentials_Fails()
{
string targetName = "testTargetName";
// Ensure there is no confusion between DefaultCredentials / DefaultNetworkCredentials and a
// NetworkCredential object with empty user, password and domain.
NetworkCredential emptyNetworkCredential = new NetworkCredential("", "", "");
Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultCredentials);
Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultNetworkCredentials);
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = AuthenticateAsClientAsync(client, emptyNetworkCredential, targetName);
auth[1] = AuthenticateAsServerAsync(server);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(auth);
// Expected Client property values:
Assert.True(client.IsAuthenticated);
Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
Assert.Equal(true, client.IsEncrypted);
Assert.Equal(false, client.IsMutuallyAuthenticated);
Assert.Equal(false, client.IsServer);
Assert.Equal(true, client.IsSigned);
Assert.Equal(false, client.LeaveInnerStreamOpen);
IIdentity serverIdentity = client.RemoteIdentity;
Assert.Equal("NTLM", serverIdentity.AuthenticationType);
Assert.Equal(true, serverIdentity.IsAuthenticated);
Assert.Equal(targetName, serverIdentity.Name);
// Expected Server property values:
Assert.True(server.IsAuthenticated);
Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
Assert.Equal(true, server.IsEncrypted);
Assert.Equal(false, server.IsMutuallyAuthenticated);
Assert.Equal(true, server.IsServer);
Assert.Equal(true, server.IsSigned);
Assert.Equal(false, server.LeaveInnerStreamOpen);
IIdentity clientIdentity = server.RemoteIdentity;
Assert.Equal("NTLM", clientIdentity.AuthenticationType);
// TODO #5241: Behavior difference:
Assert.Equal(false, clientIdentity.IsAuthenticated);
// On .NET Desktop: Assert.Equal(true, clientIdentity.IsAuthenticated);
IdentityValidator.AssertHasName(clientIdentity, new SecurityIdentifier(WellKnownSidType.AnonymousSid, null).Translate(typeof(NTAccount)).Value);
}
}
public async Task SslStream_StreamToStream_EOFDuringFrameRead_ThrowsIOException()
{
var network = new VirtualNetwork();
using (var clientNetworkStream = new VirtualNetworkStream(network, isServer: false))
using (var serverNetworkStream = new VirtualNetworkStream(network, isServer: true))
{
int readMode = 0;
var serverWrappedNetworkStream = new DelegateStream(
canWriteFunc: () => true,
canReadFunc: () => true,
writeFunc: (buffer, offset, count) => serverNetworkStream.Write(buffer, offset, count),
writeAsyncFunc: (buffer, offset, count, token) => serverNetworkStream.WriteAsync(buffer, offset, count, token),
readFunc: (buffer, offset, count) =>
{
// Do normal reads as requested until the read mode is set
// to 1. Then do a single read of only 10 bytes to read only
// part of the message, and subsequently return EOF.
if (readMode == 0)
{
return(serverNetworkStream.Read(buffer, offset, count));
}
else if (readMode == 1)
{
readMode = 2;
return(serverNetworkStream.Read(buffer, offset, 10)); // read at least header but less than full frame
}
else
{
return(0);
}
},
readAsyncFunc: (buffer, offset, count, token) =>
{
// Do normal reads as requested until the read mode is set
// to 1. Then do a single read of only 10 bytes to read only
// part of the message, and subsequently return EOF.
if (readMode == 0)
{
return(serverNetworkStream.ReadAsync(buffer, offset, count));
}
else if (readMode == 1)
{
readMode = 2;
return(serverNetworkStream.ReadAsync(buffer, offset, 10)); // read at least header but less than full frame
}
else
{
return(Task.FromResult(0));
}
});
using (var clientSslStream = new SslStream(clientNetworkStream, false, AllowAnyServerCertificate))
using (var serverSslStream = new SslStream(serverWrappedNetworkStream))
{
await DoHandshake(clientSslStream, serverSslStream);
await WriteAsync(clientSslStream, new byte[20], 0, 20);
readMode = 1;
await Assert.ThrowsAsync <IOException>(() => ReadAsync(serverSslStream, new byte[1], 0, 1));
}
}
}
public void NegotiateStream_StreamToStream_Authentication_EmptyCredentials_Fails()
{
string targetName = "testTargetName";
// Ensure there is no confusion between DefaultCredentials / DefaultNetworkCredentials and a
// NetworkCredential object with empty user, password and domain.
NetworkCredential emptyNetworkCredential = new NetworkCredential("", "", "");
Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultCredentials);
Assert.NotEqual(emptyNetworkCredential, CredentialCache.DefaultNetworkCredentials);
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = client.AuthenticateAsClientAsync(emptyNetworkCredential, targetName);
auth[1] = server.AuthenticateAsServerAsync();
bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
Assert.True(finished, "Handshake completed in the allotted time");
// Expected Client property values:
Assert.True(client.IsAuthenticated);
Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
Assert.Equal(true, client.IsEncrypted);
Assert.Equal(false, client.IsMutuallyAuthenticated);
Assert.Equal(false, client.IsServer);
Assert.Equal(true, client.IsSigned);
Assert.Equal(false, client.LeaveInnerStreamOpen);
IIdentity serverIdentity = client.RemoteIdentity;
Assert.Equal("NTLM", serverIdentity.AuthenticationType);
Assert.Equal(true, serverIdentity.IsAuthenticated);
Assert.Equal(targetName, serverIdentity.Name);
// Expected Server property values:
Assert.True(server.IsAuthenticated);
Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
Assert.Equal(true, server.IsEncrypted);
Assert.Equal(false, server.IsMutuallyAuthenticated);
Assert.Equal(true, server.IsServer);
Assert.Equal(true, server.IsSigned);
Assert.Equal(false, server.LeaveInnerStreamOpen);
IIdentity clientIdentity = server.RemoteIdentity;
Assert.Equal("NTLM", clientIdentity.AuthenticationType);
// TODO #5241: Behavior difference:
Assert.Equal(false, clientIdentity.IsAuthenticated);
// On .Net Desktop: Assert.Equal(true, clientIdentity.IsAuthenticated);
IdentityValidator.AssertHasName(clientIdentity, @"NT AUTHORITY\ANONYMOUS LOGON");
}
}
public void NegotiateStream_StreamToStream_Authentication_TargetName_Success()
{
string targetName = "testTargetName";
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new NegotiateStream(clientStream))
using (var server = new NegotiateStream(serverStream))
{
Assert.False(client.IsAuthenticated);
Assert.False(server.IsAuthenticated);
Task[] auth = new Task[2];
auth[0] = AuthenticateAsClientAsync(client, CredentialCache.DefaultNetworkCredentials, targetName);
auth[1] = AuthenticateAsServerAsync(server);
bool finished = Task.WaitAll(auth, TestConfiguration.PassingTestTimeoutMilliseconds);
Assert.True(finished, "Handshake completed in the allotted time");
// Expected Client property values:
Assert.True(client.IsAuthenticated);
Assert.Equal(TokenImpersonationLevel.Identification, client.ImpersonationLevel);
Assert.Equal(true, client.IsEncrypted);
Assert.Equal(false, client.IsMutuallyAuthenticated);
Assert.Equal(false, client.IsServer);
Assert.Equal(true, client.IsSigned);
Assert.Equal(false, client.LeaveInnerStreamOpen);
IIdentity serverIdentity = client.RemoteIdentity;
Assert.Equal("NTLM", serverIdentity.AuthenticationType);
Assert.Equal(true, serverIdentity.IsAuthenticated);
Assert.Equal(targetName, serverIdentity.Name);
// Expected Server property values:
Assert.True(server.IsAuthenticated);
Assert.Equal(TokenImpersonationLevel.Identification, server.ImpersonationLevel);
Assert.Equal(true, server.IsEncrypted);
Assert.Equal(false, server.IsMutuallyAuthenticated);
Assert.Equal(true, server.IsServer);
Assert.Equal(true, server.IsSigned);
Assert.Equal(false, server.LeaveInnerStreamOpen);
IIdentity clientIdentity = server.RemoteIdentity;
Assert.Equal("NTLM", clientIdentity.AuthenticationType);
if (PlatformDetection.IsUap)
{
// TODO #21282: UWP issue - clientIdentity.IsAuthenticated == false.
Assert.Equal(false, clientIdentity.IsAuthenticated);
}
else
{
Assert.Equal(true, clientIdentity.IsAuthenticated);
}
IdentityValidator.AssertIsCurrentIdentity(clientIdentity);
}
}
