internal SslCredKey(byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
this._CertThumbPrint = (thumbPrint == null) ? s_EmptyArray : thumbPrint;
this._HashCode = 0;
if (thumbPrint != null)
{
this._HashCode ^= this._CertThumbPrint[0];
if (1 < this._CertThumbPrint.Length)
{
this._HashCode ^= this._CertThumbPrint[1] << 8;
}
if (2 < this._CertThumbPrint.Length)
{
this._HashCode ^= this._CertThumbPrint[2] << 0x10;
}
if (3 < this._CertThumbPrint.Length)
{
this._HashCode ^= this._CertThumbPrint[3] << 0x18;
}
}
this._HashCode ^= allowedProtocols;
this._HashCode ^= encryptionPolicy;
this._AllowedProtocols = allowedProtocols;
this._EncryptionPolicy = encryptionPolicy;
}
internal SecureChannel(string hostname, bool serverMode, SchProtocols protocolFlags, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, bool remoteCertRequired, bool checkCertName, bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy, LocalCertSelectionCallback certSelectionDelegate)
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, ".ctor", string.Concat(new object[] { "hostname=", hostname, ", #clientCertificates=", (clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo), ", encryptionPolicy=", encryptionPolicy }));
}
SSPIWrapper.GetVerifyPackageInfo(GlobalSSPI.SSPISecureChannel, "Microsoft Unified Security Protocol Provider", true);
if (ComNetOS.IsWin9x && (clientCertificates.Count > 0))
{
this.m_Destination = hostname + "+" + clientCertificates.GetHashCode();
}
else
{
this.m_Destination = hostname;
}
this.m_HostName = hostname;
this.m_ServerMode = serverMode;
if (serverMode)
{
this.m_ProtocolFlags = protocolFlags & SchProtocols.ServerMask;
}
else
{
this.m_ProtocolFlags = protocolFlags & SchProtocols.ClientMask;
}
this.m_ServerCertificate = serverCertificate;
this.m_ClientCertificates = clientCertificates;
this.m_RemoteCertRequired = remoteCertRequired;
this.m_SecurityContext = null;
this.m_CheckCertRevocation = checkCertRevocationStatus;
this.m_CheckCertName = checkCertName;
this.m_CertSelectionDelegate = certSelectionDelegate;
this.m_RefreshCredentialNeeded = true;
this.m_EncryptionPolicy = encryptionPolicy;
}
public SecureCredential(int version, X509Certificate certificate, Flags flags, SchProtocols protocols, EncryptionPolicy policy)
{
this.rootStore = this.phMappers = this.palgSupportedAlgs = this.certContextArray = IntPtr.Zero;
this.cCreds = this.cMappers = this.cSupportedAlgs = 0;
if (policy == EncryptionPolicy.RequireEncryption)
{
this.dwMinimumCipherStrength = 0;
this.dwMaximumCipherStrength = 0;
}
else if (policy == EncryptionPolicy.AllowNoEncryption)
{
this.dwMinimumCipherStrength = -1;
this.dwMaximumCipherStrength = 0;
}
else
{
if (policy != EncryptionPolicy.NoEncryption)
{
throw new ArgumentException(SR.GetString("net_invalid_enum", new object[] { "EncryptionPolicy" }), "policy");
}
this.dwMinimumCipherStrength = -1;
this.dwMaximumCipherStrength = -1;
}
this.dwSessionLifespan = this.reserved = 0;
this.version = version;
this.dwFlags = flags;
this.grbitEnabledProtocols = protocols;
if (certificate != null)
{
this.certContextArray = certificate.Handle;
this.cCreds = 1;
}
}
/// <summary>
/// Client side ctor
/// </summary>
public TlsSspiNegotiation(
string destination,
SchProtocols protocolFlags,
X509Certificate2 clientCertificate) :
this(destination, false, protocolFlags, null, clientCertificate, false)
{
}
internal SslCredKey(byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
this._CertThumbPrint = (thumbPrint == null) ? s_EmptyArray : thumbPrint;
this._HashCode = 0;
if (thumbPrint != null)
{
this._HashCode ^= this._CertThumbPrint[0];
if (1 < this._CertThumbPrint.Length)
{
this._HashCode ^= this._CertThumbPrint[1] << 8;
}
if (2 < this._CertThumbPrint.Length)
{
this._HashCode ^= this._CertThumbPrint[2] << 0x10;
}
if (3 < this._CertThumbPrint.Length)
{
this._HashCode ^= this._CertThumbPrint[3] << 0x18;
}
}
this._HashCode ^= allowedProtocols;
this._HashCode ^= encryptionPolicy;
this._AllowedProtocols = allowedProtocols;
this._EncryptionPolicy = encryptionPolicy;
}
internal SecureChannel(string hostname, bool serverMode, SchProtocols protocolFlags, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, bool remoteCertRequired, bool checkCertName,
bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy, LocalCertSelectionCallback certSelectionDelegate)
{
GlobalLog.Enter("SecureChannel#" + ValidationHelper.HashString(this) + "::.ctor", "hostname:" + hostname + " #clientCertificates=" + ((clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo)));
if (Logging.On) Logging.PrintInfo(Logging.Web, this, ".ctor", "hostname=" + hostname + ", #clientCertificates=" + ((clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo)) + ", encryptionPolicy=" + encryptionPolicy);
SSPIWrapper.GetVerifyPackageInfo(GlobalSSPI.SSPISecureChannel, SecurityPackage, true);
m_Destination = hostname;
GlobalLog.Assert(hostname != null, "SecureChannel#{0}::.ctor()|hostname == null", ValidationHelper.HashString(this));
m_HostName = hostname;
m_ServerMode = serverMode;
if (serverMode)
m_ProtocolFlags = (protocolFlags & SchProtocols.ServerMask);
else
m_ProtocolFlags = (protocolFlags & SchProtocols.ClientMask);
m_ServerCertificate = serverCertificate;
m_ClientCertificates = clientCertificates;
m_RemoteCertRequired = remoteCertRequired;
m_SecurityContext = null;
m_CheckCertRevocation = checkCertRevocationStatus;
m_CheckCertName = checkCertName;
m_CertSelectionDelegate = certSelectionDelegate;
m_RefreshCredentialNeeded = true;
m_EncryptionPolicy = encryptionPolicy;
GlobalLog.Leave("SecureChannel#" + ValidationHelper.HashString(this) + "::.ctor");
}
internal SecureChannel(string hostname, bool serverMode, SchProtocols protocolFlags, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, bool remoteCertRequired, bool checkCertName, bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy, LocalCertSelectionCallback certSelectionDelegate)
{
if (Logging.On)
{
Logging.PrintInfo(Logging.Web, this, ".ctor", string.Concat(new object[] { "hostname=", hostname, ", #clientCertificates=", (clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo), ", encryptionPolicy=", encryptionPolicy }));
}
SSPIWrapper.GetVerifyPackageInfo(GlobalSSPI.SSPISecureChannel, "Microsoft Unified Security Protocol Provider", true);
if (ComNetOS.IsWin9x && (clientCertificates.Count > 0))
{
this.m_Destination = hostname + "+" + clientCertificates.GetHashCode();
}
else
{
this.m_Destination = hostname;
}
this.m_HostName = hostname;
this.m_ServerMode = serverMode;
if (serverMode)
{
this.m_ProtocolFlags = protocolFlags & SchProtocols.ServerMask;
}
else
{
this.m_ProtocolFlags = protocolFlags & SchProtocols.ClientMask;
}
this.m_ServerCertificate = serverCertificate;
this.m_ClientCertificates = clientCertificates;
this.m_RemoteCertRequired = remoteCertRequired;
this.m_SecurityContext = null;
this.m_CheckCertRevocation = checkCertRevocationStatus;
this.m_CheckCertName = checkCertName;
this.m_CertSelectionDelegate = certSelectionDelegate;
this.m_RefreshCredentialNeeded = true;
this.m_EncryptionPolicy = encryptionPolicy;
}
public SecureCredential(int version, X509Certificate2 certificate, SecureCredential.Flags flags, SchProtocols protocols, EncryptionPolicy policy)
{
this.version = version;
this.certificate = certificate;
this.protocols = protocols;
this.policy = policy;
}
public SecureCredential(int version, X509Certificate certificate, Flags flags, SchProtocols protocols, EncryptionPolicy policy)
{
this.rootStore = this.phMappers = this.palgSupportedAlgs = this.certContextArray = IntPtr.Zero;
this.cCreds = this.cMappers = this.cSupportedAlgs = 0;
if (policy == EncryptionPolicy.RequireEncryption)
{
this.dwMinimumCipherStrength = 0;
this.dwMaximumCipherStrength = 0;
}
else if (policy == EncryptionPolicy.AllowNoEncryption)
{
this.dwMinimumCipherStrength = -1;
this.dwMaximumCipherStrength = 0;
}
else
{
if (policy != EncryptionPolicy.NoEncryption)
{
throw new ArgumentException(SR.GetString("net_invalid_enum", new object[] { "EncryptionPolicy" }), "policy");
}
this.dwMinimumCipherStrength = -1;
this.dwMaximumCipherStrength = -1;
}
this.dwSessionLifespan = this.reserved = 0;
this.version = version;
this.dwFlags = flags;
this.grbitEnabledProtocols = protocols;
if (certificate != null)
{
this.certContextArray = certificate.Handle;
this.cCreds = 1;
}
}
//
// SECURITY: X509Certificate.GetCertHash() is virtual hence before going here
// the caller of this ctor has to ensure that a user cert object was inspected and
// optionally cloned.
//
internal SslCredKey(byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
_CertThumbPrint = thumbPrint == null? s_EmptyArray: thumbPrint;
_HashCode = 0;
if (thumbPrint != null)
{
_HashCode ^= _CertThumbPrint[0];
if (1 < _CertThumbPrint.Length)
{
_HashCode ^= (_CertThumbPrint[1] << 8);
}
if (2 < _CertThumbPrint.Length)
{
_HashCode ^= (_CertThumbPrint[2] << 16);
}
if (3 < _CertThumbPrint.Length)
{
_HashCode ^= (_CertThumbPrint[3] << 24);
}
}
_HashCode ^= (int)allowedProtocols;
_HashCode ^= (int)encryptionPolicy;
_AllowedProtocols = allowedProtocols;
_EncryptionPolicy = encryptionPolicy;
}
/// <summary>
/// Server side ctor
/// </summary>
public TlsSspiNegotiation(
SchProtocols protocolFlags,
X509Certificate2 serverCertificate,
bool clientCertRequired) :
this(null, true, protocolFlags, serverCertificate, null, clientCertRequired)
{
}
internal static SSPIInterface Create (string hostname, bool serverMode, SchProtocols protocolFlags, X509Certificate serverCertificate, X509CertificateCollection clientCertificates,
bool remoteCertRequired, bool checkCertName, bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy,
LocalCertSelectionCallback certSelectionDelegate, RemoteCertValidationCallback remoteValidationCallback, SSPIConfiguration userConfig)
{
if (userConfig.Settings != null && remoteValidationCallback != null)
throw new InvalidOperationException ();
var context = userConfig.Provider.CreateTlsContext (
hostname, serverMode, (TlsProtocols)protocolFlags, serverCertificate, clientCertificates,
remoteCertRequired, checkCertName, checkCertRevocationStatus,
(MonoEncryptionPolicy)encryptionPolicy, userConfig.Settings);
return new SSPIInterface (context, userConfig.EventSink);
}
internal static SafeFreeCredentials TryCachedCredential(byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
if (s_CachedCreds.Count != 0)
{
object obj2 = new SslCredKey(thumbPrint, allowedProtocols, encryptionPolicy);
SafeCredentialReference reference = s_CachedCreds[obj2] as SafeCredentialReference;
if (((reference != null) && !reference.IsClosed) && !reference._Target.IsInvalid)
{
return(reference._Target);
}
}
return(null);
}
internal static SafeFreeCredentials TryCachedCredential(byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
if (s_CachedCreds.Count != 0)
{
object obj2 = new SslCredKey(thumbPrint, allowedProtocols, encryptionPolicy);
SafeCredentialReference reference = s_CachedCreds[obj2] as SafeCredentialReference;
if (((reference != null) && !reference.IsClosed) && !reference._Target.IsInvalid)
{
return reference._Target;
}
}
return null;
}
private TlsSspiNegotiation(
string destination,
bool isServer,
SchProtocols protocolFlags,
X509Certificate2 serverCertificate,
X509Certificate2 clientCertificate,
bool clientCertRequired)
{
SspiWrapper.GetVerifyPackageInfo(SecurityPackage);
this.destination = destination;
this.isServer = isServer;
this.protocolFlags = protocolFlags;
this.serverCertificate = serverCertificate;
this.clientCertificate = clientCertificate;
this.clientCertRequired = clientCertRequired;
this.securityContext = null;
if (isServer)
{
ValidateServerCertificate();
}
else
{
ValidateClientCertificate();
}
if (this.isServer)
{
// This retry is to address intermittent failure when accessing private key (MB56153)
try
{
AcquireServerCredentials();
}
catch (Win32Exception ex)
{
if (ex.NativeErrorCode != (int)SecurityStatus.UnknownCredential)
{
throw;
}
DiagnosticUtility.TraceHandledException(ex, TraceEventType.Information);
// Yield
Thread.Sleep(0);
AcquireServerCredentials();
}
}
else
{
// delay client credentials presenting till they are asked for
AcquireDummyCredentials();
}
}
private TlsSspiNegotiation(
string destination,
bool isServer,
SchProtocols protocolFlags,
X509Certificate2 serverCertificate,
X509Certificate2 clientCertificate,
bool clientCertRequired)
{
SspiWrapper.GetVerifyPackageInfo(SecurityPackage);
this.destination = destination;
this.isServer = isServer;
this.protocolFlags = protocolFlags;
this.serverCertificate = serverCertificate;
this.clientCertificate = clientCertificate;
this.clientCertRequired = clientCertRequired;
this.securityContext = null;
if (isServer)
{
ValidateServerCertificate();
}
else
{
ValidateClientCertificate();
}
if (this.isServer)
{
// This retry is to address intermittent failure when accessing private key (MB56153)
try
{
AcquireServerCredentials();
}
catch (Win32Exception ex)
{
if (ex.NativeErrorCode != (int)SecurityStatus.UnknownCredential)
{
throw;
}
DiagnosticUtility.TraceHandledException(ex, TraceEventType.Information);
// Yield
Thread.Sleep(0);
AcquireServerCredentials();
}
}
else
{
// delay client credentials presenting till they are asked for
AcquireDummyCredentials();
}
}
public SecureCredential(int version, X509Certificate2 certificate, Flags flags, SchProtocols protocols)
{
this.rootStore = this.phMappers = this.palgSupportedAlgs = this.certContextArray = IntPtr.Zero;
this.cCreds = this.cMappers = this.cSupportedAlgs = 0;
this.dwMinimumCipherStrength = this.dwMaximumCipherStrength = 0;
this.dwSessionLifespan = this.reserved = 0;
this.version = version;
this.dwFlags = flags;
this.grbitEnabledProtocols = protocols;
if (certificate != null)
{
this.certContextArray = certificate.Handle;
this.cCreds = 1;
}
}
internal static SSPIInterface Create(string hostname, bool serverMode, SchProtocols protocolFlags, X509Certificate serverCertificate, XX509CertificateCollection clientCertificates,
bool remoteCertRequired, bool checkCertName, bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy,
LocalCertSelectionCallback certSelectionDelegate, RemoteCertValidationCallback remoteValidationCallback, SSPIConfiguration userConfig)
{
if (userConfig.Settings != null && remoteValidationCallback != null)
{
throw new InvalidOperationException();
}
var context = userConfig.Provider.CreateTlsContext(
hostname, serverMode, (TlsProtocols)protocolFlags, serverCertificate, clientCertificates,
remoteCertRequired, checkCertName, checkCertRevocationStatus,
(MonoEncryptionPolicy)encryptionPolicy, userConfig.Settings);
return(new SSPIInterface(context, userConfig.EventSink));
}
public SecureCredential(int version, X509Certificate2 certificate, Flags flags, SchProtocols protocols)
{
this.rootStore = this.phMappers = this.palgSupportedAlgs = this.certContextArray = IntPtr.Zero;
this.cCreds = this.cMappers = this.cSupportedAlgs = 0;
this.dwMinimumCipherStrength = this.dwMaximumCipherStrength = 0;
this.dwSessionLifespan = this.reserved = 0;
this.version = version;
this.dwFlags = flags;
this.grbitEnabledProtocols = protocols;
if (certificate != null)
{
this.certContextArray = certificate.Handle;
this.cCreds = 1;
}
}
public SchannelCred(int version1, X509Certificate certificate, SchannelCred.Flags flags, SchProtocols protocols)
{
this.paCreds1 = IntPtr.Zero;
this.rootStore = (this.phMappers = (this.palgSupportedAlgs = IntPtr.Zero));
this.cCreds = (this.cMappers = (this.cSupportedAlgs = 0));
this.dwMinimumCipherStrength = (this.dwMaximumCipherStrength = 0);
this.dwSessionLifespan = (this.reserved = 0);
this.version = version1;
this.dwFlags = flags;
this.grbitEnabledProtocols = protocols;
if (certificate != null)
{
this.paCreds1 = certificate.Handle;
this.cCreds = 1;
}
}
public SchannelCred(int version1, X509Certificate certificate, Flags flags, SchProtocols protocols)
{
paCreds1 = IntPtr.Zero;
rootStore = phMappers = palgSupportedAlgs = IntPtr.Zero;
cCreds = cMappers = cSupportedAlgs = 0;
dwMinimumCipherStrength = dwMaximumCipherStrength = 0;
dwSessionLifespan = reserved = 0;
version = version1;
dwFlags = flags;
grbitEnabledProtocols = protocols;
if (certificate != null)
{
paCreds1 = certificate.Handle;
cCreds = 1;
}
}
//
// SECURITY: X509Certificate.GetCertHash() is virtual hence before going here
// the caller of this ctor has to ensure that a user cert object was inspected and
// optionally cloned.
//
internal SslCredKey(byte[] thumbPrint, SchProtocols allowedProtocols)
{
_CertThumbPrint = thumbPrint == null? s_EmptyArray: thumbPrint;
_HashCode = 0;
if (thumbPrint != null)
{
_HashCode ^= _CertThumbPrint[0];
if (1 < _CertThumbPrint.Length)
_HashCode ^= (_CertThumbPrint[1] << 8);
if (2 < _CertThumbPrint.Length)
_HashCode ^= (_CertThumbPrint[2] << 16);
if (3 < _CertThumbPrint.Length)
_HashCode ^= (_CertThumbPrint[3] << 24);
}
_AllowedProtocols = allowedProtocols;
_HashCode ^= (int)_AllowedProtocols;
}
internal static void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
if (!creds.IsInvalid)
{
object obj2 = new SslCredKey(thumbPrint, allowedProtocols, encryptionPolicy);
SafeCredentialReference reference = s_CachedCreds[obj2] as SafeCredentialReference;
if (((reference == null) || reference.IsClosed) || reference._Target.IsInvalid)
{
lock (s_CachedCreds)
{
reference = s_CachedCreds[obj2] as SafeCredentialReference;
if ((reference == null) || reference.IsClosed)
{
reference = SafeCredentialReference.CreateReference(creds);
if (reference != null)
{
s_CachedCreds[obj2] = reference;
if ((s_CachedCreds.Count % 0x20) == 0)
{
DictionaryEntry[] array = new DictionaryEntry[s_CachedCreds.Count];
s_CachedCreds.CopyTo(array, 0);
for (int i = 0; i < array.Length; i++)
{
reference = array[i].Value as SafeCredentialReference;
if (reference != null)
{
creds = reference._Target;
reference.Close();
if ((!creds.IsClosed && !creds.IsInvalid) && ((reference = SafeCredentialReference.CreateReference(creds)) != null))
{
s_CachedCreds[array[i].Key] = reference;
}
else
{
s_CachedCreds.Remove(array[i].Key);
}
}
}
}
}
}
}
}
}
}
public SecureCredential(int version, X509Certificate2 certificate,
SecureCredential.Flags flags, SchProtocols protocols)
{
//Setting default values
rootStore = phMappers = palgSupportedAlgs = certContextArray = IntPtr.Zero;
cCreds = cMappers = cSupportedAlgs = 0;
dwMinimumCipherStrength = dwMaximumCipherStrength = 0;
dwSessionLifespan = reserved = 0;
this.version = version;
dwFlags = flags;
grbitEnabledProtocols = protocols;
if (certificate != null)
{
certContextArray = certificate.Handle;
cCreds = 1;
}
}
private TlsSspiNegotiation(string destination, bool isServer, SchProtocols protocolFlags, X509Certificate2 serverCertificate, X509Certificate2 clientCertificate, bool clientCertRequired)
{
this.syncObject = new object();
SspiWrapper.GetVerifyPackageInfo("Microsoft Unified Security Protocol Provider");
this.destination = destination;
this.isServer = isServer;
this.protocolFlags = protocolFlags;
this.serverCertificate = serverCertificate;
this.clientCertificate = clientCertificate;
this.clientCertRequired = clientCertRequired;
this.securityContext = null;
if (isServer)
{
this.ValidateServerCertificate();
}
else
{
this.ValidateClientCertificate();
}
if (this.isServer)
{
try
{
this.AcquireServerCredentials();
}
catch (Win32Exception exception)
{
if (exception.NativeErrorCode != -2146893043)
{
throw;
}
if (System.ServiceModel.DiagnosticUtility.ShouldTraceInformation)
{
System.ServiceModel.DiagnosticUtility.ExceptionUtility.TraceHandledException(exception, TraceEventType.Information);
}
Thread.Sleep(0);
this.AcquireServerCredentials();
}
}
else
{
this.AcquireDummyCredentials();
}
}
private TlsSspiNegotiation(string destination, bool isServer, SchProtocols protocolFlags, X509Certificate2 serverCertificate, X509Certificate2 clientCertificate, bool clientCertRequired)
{
this.syncObject = new object();
SspiWrapper.GetVerifyPackageInfo("Microsoft Unified Security Protocol Provider");
this.destination = destination;
this.isServer = isServer;
this.protocolFlags = protocolFlags;
this.serverCertificate = serverCertificate;
this.clientCertificate = clientCertificate;
this.clientCertRequired = clientCertRequired;
this.securityContext = null;
if (isServer)
{
this.ValidateServerCertificate();
}
else
{
this.ValidateClientCertificate();
}
if (this.isServer)
{
try
{
this.AcquireServerCredentials();
}
catch (Win32Exception exception)
{
if (exception.NativeErrorCode != -2146893043)
{
throw;
}
if (System.ServiceModel.DiagnosticUtility.ShouldTraceInformation)
{
System.ServiceModel.DiagnosticUtility.ExceptionUtility.TraceHandledException(exception, TraceEventType.Information);
}
Thread.Sleep(0);
this.AcquireServerCredentials();
}
}
else
{
this.AcquireDummyCredentials();
}
}
//
// Returns null or previously cached cred handle
//
// ATTN: The returned handle can be invalid, the callers of InitializeSecurityContext and AcceptSecurityContext
// must be prepared to execute a backout code if the call fails.
//
// Note:thumbPrint is a cryptographicaly strong hash of a certificate
//
internal static SafeFreeCredentials TryCachedCredential(byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
if (s_CachedCreds.Count == 0)
{
GlobalLog.Print("TryCachedCredential() Not Found, Current Cache Count = " + s_CachedCreds.Count);
return(null);
}
object key = new SslCredKey(thumbPrint, allowedProtocols, encryptionPolicy);
SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed || cached._Target.IsInvalid)
{
GlobalLog.Print("TryCachedCredential() Not Found, Current Cache Count = " + s_CachedCreds.Count);
return(null);
}
GlobalLog.Print("TryCachedCredential() Found a cached Handle = " + cached._Target.ToString());
return(cached._Target);
}
/// <summary>
/// Server side ctor
/// </summary>
public TlsSspiNegotiation(
SchProtocols protocolFlags,
X509Certificate2 serverCertificate,
bool clientCertRequired) :
this(null, true, protocolFlags, serverCertificate, null, clientCertRequired)
{ }
/// <summary>
/// Client side ctor
/// </summary>
public TlsSspiNegotiation(
string destination,
SchProtocols protocolFlags,
X509Certificate2 clientCertificate) :
this(destination, false, protocolFlags, null, clientCertificate, false)
{ }
//
// The app is calling this method after starting an SSL handshake.
//
// ATTN: The thumbPrint must be from inspected and possbly cloned user Cert object or we get a security hole in SslCredKey ctor.
//
internal static void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
GlobalLog.Assert(creds != null, "CacheCredential|creds == null");
if (creds.IsInvalid)
{
GlobalLog.Print("CacheCredential() Refused to cache an Invalid Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
return;
}
object key = new SslCredKey(thumbPrint, allowedProtocols, encryptionPolicy);
SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed || cached._Target.IsInvalid)
{
lock (s_CachedCreds)
{
cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed)
{
cached = SafeCredentialReference.CreateReference(creds);
if (cached == null)
{
// Means the handle got closed in between, return it back and let caller deal with the issue.
return;
}
s_CachedCreds[key] = cached;
GlobalLog.Print("CacheCredential() Caching New Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
//
// A simplest way of preventing infinite cache grows.
//
// Security relief (DoS):
// A number of active creds is never greater than a number of _outstanding_
// security sessions, i.e. ssl connections.
// So we will try to shrink cache to the number of active creds once in a while.
//
// Just to make clear we won't shrink cache in the case when NO new handles are coming to it.
//
if ((s_CachedCreds.Count % c_CheckExpiredModulo) == 0)
{
DictionaryEntry[] toRemoveAttempt = new DictionaryEntry[s_CachedCreds.Count];
s_CachedCreds.CopyTo(toRemoveAttempt, 0);
for (int i = 0; i < toRemoveAttempt.Length; ++i)
{
cached = toRemoveAttempt[i].Value as SafeCredentialReference;
if (cached != null)
{
creds = cached._Target;
cached.Close();
if (!creds.IsClosed && !creds.IsInvalid && (cached = SafeCredentialReference.CreateReference(creds)) != null)
{
s_CachedCreds[toRemoveAttempt[i].Key] = cached;
}
else
{
s_CachedCreds.Remove(toRemoveAttempt[i].Key);
}
}
}
GlobalLog.Print("Scavenged cache, New Cache Count = " + s_CachedCreds.Count);
}
}
else
{
GlobalLog.Print("CacheCredential() (locked retry) Found already cached Handle = " + cached._Target.ToString());
}
}
}
else
{
GlobalLog.Print("CacheCredential() Ignoring incoming handle = " + creds.ToString() + " since found already cached Handle = " + cached._Target.ToString());
}
}
public SecureCredential(int version, X509Certificate certificate, SecureCredential.Flags flags, SchProtocols protocols, EncryptionPolicy policy) {
// default values required for a struct
rootStore = phMappers = palgSupportedAlgs = certContextArray = IntPtr.Zero;
cCreds = cMappers = cSupportedAlgs = 0;
if (policy == EncryptionPolicy.RequireEncryption) {
// Prohibit null encryption cipher
dwMinimumCipherStrength = 0;
dwMaximumCipherStrength = 0;
}
else if (policy == EncryptionPolicy.AllowNoEncryption) {
// Allow null encryption cipher in addition to other ciphers
dwMinimumCipherStrength = -1;
dwMaximumCipherStrength = 0;
}
else if (policy == EncryptionPolicy.NoEncryption) {
// Suppress all encryption and require null encryption cipher only
dwMinimumCipherStrength = -1;
dwMaximumCipherStrength = -1;
}
else {
throw new ArgumentException(SR.GetString(SR.net_invalid_enum, "EncryptionPolicy"), "policy");
}
dwSessionLifespan = reserved = 0;
this.version = version;
dwFlags = flags;
grbitEnabledProtocols = protocols;
if (certificate != null) {
certContextArray = certificate.Handle;
cCreds = 1;
}
}
public SecureCredential(int version, X509Certificate2 certificate,
SecureCredential.Flags flags, SchProtocols protocols)
{
//Setting default values
rootStore = phMappers = palgSupportedAlgs = certContextArray = IntPtr.Zero;
cCreds = cMappers = cSupportedAlgs = 0;
dwMinimumCipherStrength = dwMaximumCipherStrength = 0;
dwSessionLifespan = reserved = 0;
this.version = version;
dwFlags = flags;
grbitEnabledProtocols = protocols;
if (certificate != null)
{
certContextArray = certificate.Handle;
cCreds = 1;
}
}
public SchannelCred(X509Certificate certificate, SchProtocols protocols)
: this(CurrentVersion, certificate, SchannelCred.Flags.Zero, protocols)
{
}
internal static void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SchProtocols allowedProtocols, EncryptionPolicy encryptionPolicy)
{
if (!creds.IsInvalid)
{
object obj2 = new SslCredKey(thumbPrint, allowedProtocols, encryptionPolicy);
SafeCredentialReference reference = s_CachedCreds[obj2] as SafeCredentialReference;
if (((reference == null) || reference.IsClosed) || reference._Target.IsInvalid)
{
lock (s_CachedCreds)
{
reference = s_CachedCreds[obj2] as SafeCredentialReference;
if ((reference == null) || reference.IsClosed)
{
reference = SafeCredentialReference.CreateReference(creds);
if (reference != null)
{
s_CachedCreds[obj2] = reference;
if ((s_CachedCreds.Count % 0x20) == 0)
{
DictionaryEntry[] array = new DictionaryEntry[s_CachedCreds.Count];
s_CachedCreds.CopyTo(array, 0);
for (int i = 0; i < array.Length; i++)
{
reference = array[i].Value as SafeCredentialReference;
if (reference != null)
{
creds = reference._Target;
reference.Close();
if ((!creds.IsClosed && !creds.IsInvalid) && ((reference = SafeCredentialReference.CreateReference(creds)) != null))
{
s_CachedCreds[array[i].Key] = reference;
}
else
{
s_CachedCreds.Remove(array[i].Key);
}
}
}
}
}
}
}
}
}
}
public SecureCredential (int version, X509Certificate2 certificate, SecureCredential.Flags flags, SchProtocols protocols, EncryptionPolicy policy)
{
this.version = version;
this.certificate = certificate;
this.protocols = protocols;
this.policy = policy;
}
//
// The app is calling this method after starting an SSL handshake.
//
// ATTN: The thumbPrint must be from inspected and possbly cloned user Cert object or we get a security hole in SslCredKey ctor.
//
internal static void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SchProtocols allowedProtocols)
{
GlobalLog.Assert(creds != null, "CacheCredential|creds == null");
if (creds.IsInvalid)
{
GlobalLog.Print("CacheCredential() Refused to cache an Invalid Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
return;
}
object key = new SslCredKey(thumbPrint, allowedProtocols);
SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed || cached._Target.IsInvalid)
{
lock(s_CachedCreds)
{
cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed)
{
cached = SafeCredentialReference.CreateReference(creds);
if (cached == null)
{
// Means the handle got closed in between, return it back and let caller deal with the issue.
return;
}
s_CachedCreds[key] = cached;
GlobalLog.Print("CacheCredential() Caching New Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
//
// A simplest way of preventing infinite cache grows.
//
// Security relief (DoS):
// A number of active creds is never greater than a number of _outstanding_
// security sessions, i.e. ssl connections.
// So we will try to shrink cache to the number of active creds once in a while.
//
// Just to make clear we won't shrink cache in the case when NO new handles are coming to it.
//
if ((s_CachedCreds.Count%c_CheckExpiredModulo) == 0)
{
DictionaryEntry[] toRemoveAttempt = new DictionaryEntry[s_CachedCreds.Count];
s_CachedCreds.CopyTo(toRemoveAttempt, 0);
for(int i = 0; i < toRemoveAttempt.Length; ++i)
{
cached = toRemoveAttempt[i].Value as SafeCredentialReference;
if (cached != null)
{
creds = cached._Target;
cached.Close();
if (!creds.IsClosed && !creds.IsInvalid && (cached = SafeCredentialReference.CreateReference(creds)) != null)
s_CachedCreds[toRemoveAttempt[i].Key] = cached;
else
s_CachedCreds.Remove(toRemoveAttempt[i].Key);
}
}
GlobalLog.Print("Scavenged cache, New Cache Count = " + s_CachedCreds.Count);
}
}
else
{
GlobalLog.Print("CacheCredential() (locked retry) Found already cached Handle = " + cached._Target.ToString());
}
}
}
else
{
GlobalLog.Print("CacheCredential() Ignoring incoming handle = " + creds.ToString() + " since found already cached Handle = " + cached._Target.ToString());
}
}
//
// Returns null or previously cached cred handle
//
// ATTN: The returned handle can be invalid, the callers of InitializeSecurityContext and AcceptSecurityContext
// must be prepared to execute a backout code if the call fails.
//
// Note:thumbPrint is a cryptographicaly strong hash of a certificate
//
internal static SafeFreeCredentials TryCachedCredential(byte[] thumbPrint, SchProtocols allowedProtocols)
{
if (s_CachedCreds.Count == 0)
{
GlobalLog.Print("TryCachedCredential() Not Found, Current Cache Count = " + s_CachedCreds.Count);
return null;
}
object key = new SslCredKey(thumbPrint, allowedProtocols);
SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed || cached._Target.IsInvalid)
{
GlobalLog.Print("TryCachedCredential() Not Found, Current Cache Count = " + s_CachedCreds.Count);
return null;
}
GlobalLog.Print("TryCachedCredential() Found a cached Handle = " + cached._Target.ToString());
return cached._Target;
}
public SchannelCred(X509Certificate certificate, SchProtocols protocols)
{
this = new SchannelCred(4, certificate, SchannelCred.Flags.Zero, protocols);
}
