public static unsafe int AcquireCredentialsHandle(
string package,
Interop.SspiCli.CredentialUse intent,
ref Interop.SspiCli.SCHANNEL_CRED authdata,
out SafeFreeCredentials outCredential)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Enter(null, package, intent, authdata);
}
int errorCode = -1;
long timeStamp;
// If there is a certificate, wrap it into an array.
// Not threadsafe.
IntPtr copiedPtr = authdata.paCred;
try
{
IntPtr certArrayPtr = new IntPtr(&copiedPtr);
if (copiedPtr != IntPtr.Zero)
{
authdata.paCred = certArrayPtr;
}
outCredential = new SafeFreeCredential_SECURITY();
errorCode = Interop.SspiCli.AcquireCredentialsHandleW(
null,
package,
(int)intent,
null,
ref authdata,
null,
null,
ref outCredential._handle,
out timeStamp);
}
finally
{
authdata.paCred = copiedPtr;
}
#if TRACE_VERBOSE
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(null, $"{nameof(Interop.SspiCli.AcquireCredentialsHandleW)} returns 0x{errorCode:x}, handle = {outCredential}");
}
#endif
if (errorCode != 0)
{
outCredential.SetHandleAsInvalid();
}
return(errorCode);
}
private static Interop.SspiCli.SCHANNEL_CRED CreateSecureCredential(
int version,
X509Certificate certificate,
Interop.SspiCli.SCHANNEL_CRED.Flags flags,
int protocols, EncryptionPolicy policy)
{
var credential = new Interop.SspiCli.SCHANNEL_CRED()
{
hRootStore = IntPtr.Zero,
aphMappers = IntPtr.Zero,
palgSupportedAlgs = IntPtr.Zero,
paCred = IntPtr.Zero,
cCreds = 0,
cMappers = 0,
cSupportedAlgs = 0,
dwSessionLifespan = 0,
reserved = 0
};
if (policy == EncryptionPolicy.RequireEncryption)
{
// Prohibit null encryption cipher.
credential.dwMinimumCipherStrength = 0;
credential.dwMaximumCipherStrength = 0;
}
else if (policy == EncryptionPolicy.AllowNoEncryption)
{
// Allow null encryption cipher in addition to other ciphers.
credential.dwMinimumCipherStrength = -1;
credential.dwMaximumCipherStrength = 0;
}
else if (policy == EncryptionPolicy.NoEncryption)
{
// Suppress all encryption and require null encryption cipher only
credential.dwMinimumCipherStrength = -1;
credential.dwMaximumCipherStrength = -1;
}
else
{
throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), nameof(policy));
}
credential.dwVersion = version;
credential.dwFlags = flags;
credential.grbitEnabledProtocols = protocols;
if (certificate != null)
{
credential.paCred = certificate.Handle;
credential.cCreds = 1;
}
return(credential);
}
public static SafeFreeCredentials AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, bool isServer)
{
int protocolFlags = GetProtocolFlagsFromSslProtocols(protocols, isServer);
Interop.SspiCli.SCHANNEL_CRED.Flags flags;
Interop.SspiCli.CredentialUse direction;
if (!isServer)
{
direction = Interop.SspiCli.CredentialUse.SECPKG_CRED_OUTBOUND;
flags =
Interop.SspiCli.SCHANNEL_CRED.Flags.SCH_CRED_MANUAL_CRED_VALIDATION |
Interop.SspiCli.SCHANNEL_CRED.Flags.SCH_CRED_NO_DEFAULT_CREDS |
Interop.SspiCli.SCHANNEL_CRED.Flags.SCH_SEND_AUX_RECORD;
// CoreFX: always opt-in SCH_USE_STRONG_CRYPTO for TLS.
if (((protocolFlags == 0) ||
(protocolFlags & ~(Interop.SChannel.SP_PROT_SSL2 | Interop.SChannel.SP_PROT_SSL3)) != 0) &&
(policy != EncryptionPolicy.AllowNoEncryption) && (policy != EncryptionPolicy.NoEncryption))
{
flags |= Interop.SspiCli.SCHANNEL_CRED.Flags.SCH_USE_STRONG_CRYPTO;
}
}
else
{
direction = Interop.SspiCli.CredentialUse.SECPKG_CRED_INBOUND;
flags = Interop.SspiCli.SCHANNEL_CRED.Flags.SCH_SEND_AUX_RECORD;
}
if (NetEventSource.IsEnabled)
{
NetEventSource.Info($"flags=({flags}), ProtocolFlags=({protocolFlags}), EncryptionPolicy={policy}");
}
Interop.SspiCli.SCHANNEL_CRED secureCredential = CreateSecureCredential(
Interop.SspiCli.SCHANNEL_CRED.CurrentVersion,
certificate,
flags,
protocolFlags,
policy);
return(AcquireCredentialsHandle(direction, secureCredential));
}
public static SafeFreeCredentials AcquireCredentialsHandle(SSPIInterface secModule, string package, Interop.SspiCli.CredentialUse intent, Interop.SspiCli.SCHANNEL_CRED scc)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Enter(null, package);
NetEventSource.Log.AcquireCredentialsHandle(package, intent, scc);
}
SafeFreeCredentials outCredential = null;
int errorCode = secModule.AcquireCredentialsHandle(
package,
intent,
ref scc,
out outCredential);
if (errorCode != 0)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Error(null, System.StringsHelper.Format(Strings.net_log_operation_failed_with_error, nameof(AcquireCredentialsHandle), $"0x{errorCode:X}"));
}
throw new Win32Exception(errorCode);
}
if (NetEventSource.IsEnabled)
{
NetEventSource.Exit(null, outCredential);
}
return(outCredential);
}
public int AcquireCredentialsHandle(string moduleName, Interop.SspiCli.CredentialUse usage, ref Interop.SspiCli.SCHANNEL_CRED authdata, out SafeFreeCredentials outCredential)
{
return(SafeFreeCredentials.AcquireCredentialsHandle(moduleName, usage, ref authdata, out outCredential));
}
//
// Security: we temporarily reset thread token to open the handle under process account.
//
private static SafeFreeCredentials AcquireCredentialsHandle(Interop.SspiCli.CredentialUse credUsage, Interop.SspiCli.SCHANNEL_CRED secureCredential)
{
// First try without impersonation, if it fails, then try the process account.
// I.E. We don't know which account the certificate context was created under.
try
{
//
// For app-compat we want to ensure the credential are accessed under >>process<< account.
//
return(WindowsIdentity.RunImpersonated <SafeFreeCredentials>(SafeAccessTokenHandle.InvalidHandle, () =>
{
return SSPIWrapper.AcquireCredentialsHandle(GlobalSSPI.SSPISecureChannel, SecurityPackage, credUsage, secureCredential);
}));
}
catch
{
return(SSPIWrapper.AcquireCredentialsHandle(GlobalSSPI.SSPISecureChannel, SecurityPackage, credUsage, secureCredential));
}
}
public static SafeFreeCredentials AcquireCredentialsHandle(SSPIInterface secModule, string package, Interop.SspiCli.CredentialUse intent, Interop.SspiCli.SCHANNEL_CRED scc)
{
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): using " + package);
}
if (SecurityEventSource.Log.IsEnabled())
{
SecurityEventSource.AcquireCredentialsHandle(package, intent, scc);
}
SafeFreeCredentials outCredential = null;
int errorCode = secModule.AcquireCredentialsHandle(
package,
intent,
ref scc,
out outCredential);
if (errorCode != 0)
{
#if TRACE_VERBOSE
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): error " + Interop.MapSecurityStatus((uint)errorCode));
}
#endif
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.PrintError(NetEventSource.ComponentType.Security, SR.Format(SR.net_log_operation_failed_with_error, "AcquireCredentialsHandle()", String.Format(CultureInfo.CurrentCulture, "0X{0:X}", errorCode)));
}
throw new Win32Exception(errorCode);
}
#if TRACE_VERBOSE
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("SSPIWrapper::AcquireCredentialsHandle#3(): cred handle = " + outCredential.ToString());
}
#endif
return(outCredential);
}
private static Interop.SspiCli.SCHANNEL_CRED CreateSecureCredential(
int version,
X509Certificate certificate,
Interop.SspiCli.SCHANNEL_CRED.Flags flags,
int protocols, EncryptionPolicy policy)
{
var credential = new Interop.SspiCli.SCHANNEL_CRED()
{
hRootStore = IntPtr.Zero,
aphMappers = IntPtr.Zero,
palgSupportedAlgs = IntPtr.Zero,
paCred = IntPtr.Zero,
cCreds = 0,
cMappers = 0,
cSupportedAlgs = 0,
dwSessionLifespan = 0,
reserved = 0
};
if (policy == EncryptionPolicy.RequireEncryption)
{
// Prohibit null encryption cipher.
credential.dwMinimumCipherStrength = 0;
credential.dwMaximumCipherStrength = 0;
}
else if (policy == EncryptionPolicy.AllowNoEncryption)
{
// Allow null encryption cipher in addition to other ciphers.
credential.dwMinimumCipherStrength = -1;
credential.dwMaximumCipherStrength = 0;
}
else if (policy == EncryptionPolicy.NoEncryption)
{
// Suppress all encryption and require null encryption cipher only
credential.dwMinimumCipherStrength = -1;
credential.dwMaximumCipherStrength = -1;
}
else
{
throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), nameof(policy));
}
credential.dwVersion = version;
credential.dwFlags = flags;
credential.grbitEnabledProtocols = protocols;
if (certificate != null)
{
credential.paCred = certificate.Handle;
credential.cCreds = 1;
}
return credential;
}
