/// <summary>
/// create sasl bind response packet.
/// </summary>
/// <param name="context">
/// an AdtsLdapContext object that indicates the context of LDAP.
/// </param>
/// <param name="securityContext">
/// a ServerSecurityContext object that specifies the security provider.
/// </param>
/// <param name="enableMessageSecurity">
/// a bool value that indicates whether enable message security.
/// </param>
/// <returns>
/// a BindResponsePacket object that responses the SASL bind request.
/// </returns>
/// <exception cref="ArgumentNullException">
/// thrown when context is null.
/// </exception>
/// <exception cref="ArgumentNullException">
/// thrown when securityContext is null.
/// </exception>
public AdtsBindResponsePacket CreateSaslBindResponse(
AdtsLdapContext context, ServerSecurityContext securityContext, bool enableMessageSecurity)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (securityContext == null)
{
throw new ArgumentNullException("securityContext");
}
if (context.Security == null)
{
context.Security = new AdtsLdapSaslSecurityLayer(securityContext);
context.UsingMessageSecurity = enableMessageSecurity;
}
ResultCode resultCode = ResultCode.Success;
if (securityContext.NeedContinueProcessing)
{
resultCode = ResultCode.SaslBindInProgress;
}
return(this.CreateBindResponse(
context, resultCode,
string.Empty, string.Empty, null, securityContext.Token));
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="connection">The SMB connection associated with this session.</param>
/// <param name="sessionId">Session Id of the Session</param>
/// <param name="securityContext">The security context of the user that established the session, as obtained
/// from the authentication subsystem after successful authentication.</param>
/// <param name="creationTime">The time that the session was established.</param>
/// <param name="idleTime">The time that the session processed its most recent request.</param>
/// <param name="userName">The name of the user who established the session.</param>
/// <param name="sessionGlobalId">A numeric 32-bit value obtained by registration with the Server Service Remote
/// Protocol.</param>
public CifsServerPerSession(
IFileServiceServerConnection connection,
long sessionId,
ServerSecurityContext securityContext,
DateTime creationTime,
DateTime idleTime,
string userName,
int sessionGlobalId)
{
this.connection = connection;
this.sessionId = sessionId;
this.securityContext = securityContext;
this.creationTime = creationTime;
this.idleTime = idleTime;
this.userName = userName;
this.sessionGlobalId = sessionGlobalId;
this.treeConnectTable = new Dictionary <ushort, IFileServiceServerTreeConnect>();
}
/// <summary>
/// create sicily bind response packet.
/// </summary>
/// <param name="context">
/// an AdtsLdapContext object that indicates the context of LDAP.
/// </param>
/// <param name="securityContext">
/// a ServerSecurityContext object that specifies the security provider.
/// </param>
/// <param name="enableMessageSecurity">
/// a bool value that indicates whether enable message security.
/// </param>
/// <returns>
/// a SicilyBindResponsePacket object that responses the Sicily bind request.
/// </returns>
/// <exception cref="ArgumentNullException">
/// thrown when context is null.
/// </exception>
/// <exception cref="ArgumentNullException">
/// thrown when securityContext is null.
/// </exception>
public AdtsSicilyBindResponsePacket CreateSicilyBindResponse(
AdtsLdapContext context, ServerSecurityContext securityContext, bool enableMessageSecurity)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
if (securityContext == null)
{
throw new ArgumentNullException("securityContext");
}
if (context.Security == null)
{
context.Security = new AdtsLdapSaslSecurityLayer(securityContext);
context.UsingMessageSecurity = enableMessageSecurity;
}
return(this.CreateSicilyBindResponse(
context, ResultCode.Success, securityContext.Token, string.Empty));
}
/// <summary>
/// AcquireCredentialsHandle
/// </summary>
/// <param name="accountCredential"></param>
protected void AcquireCredentialsHandle <T>(T accountCredential)
{
switch (packageType)
{
case SecurityPackageType.Ntlm:
{
if (accountCredential is AccountCredential)
{
var credential = accountCredential as AccountCredential;
this.Context = new NlmpServerSecurityContext(
NegotiateTypes.NTLM_NEGOTIATE_OEM | NegotiateTypes.NTLMSSP_NEGOTIATE_NTLM,
new NlmpClientCredential(string.Empty, credential.DomainName,
credential.AccountName, credential.Password),
!string.IsNullOrEmpty(credential.DomainName),
credential.DomainName,
this.serverPrincipalName
);
}
else
{
throw new NotSupportedException("NTLM only support AccountCredential, Please provide an AccountCredential and try again.");
}
return;
}
//case SecurityPackageType.Kerberos:
// throw new NotImplementedException();
//case SecurityPackageType.Negotiate:
// throw new NotImplementedException();
//case SecurityPackageType.Schannel:
// throw new NotImplementedException();
//case SecurityPackageType.CredSsp:
// throw new NotImplementedException();
//default:
// throw new NotImplementedException();
}
this.UseNativeSSP(accountCredential);
}
/// <summary>
/// Use Native SSP to do auth
/// </summary>
/// <typeparam name="T"></typeparam>
/// <param name="accountCredential"></param>
private void UseNativeSSP <T>(T accountCredential)
{
if (accountCredential is AccountCredential)
{
this.Context = new Sspi.SspiServerSecurityContext(
packageType,
accountCredential as AccountCredential,
this.ServerPrincipalName,
securityContextAttributes,
targetDataRepresentaion
);
}
else if (accountCredential is CertificateCredential)
{
this.Context = new Sspi.SspiServerSecurityContext(
packageType,
accountCredential as CertificateCredential,
this.ServerPrincipalName,
securityContextAttributes,
targetDataRepresentaion
);
}
}
/// <summary>
/// Decrypt stub and validate auth_token.
/// </summary>
public override bool ValidateAuthenticationToken()
{
FieldInfo fieldInfo = this.GetType().GetField("auth_verifier");
if (fieldInfo == null)
{
// PDU has no auth_verifier field, do nothing.
return(true);
}
auth_verifier_co_t?authVerifier = (auth_verifier_co_t?)fieldInfo.GetValue(this);
if (authVerifier == null)
{
// PDU has no auth_verifier, do nothing.
return(true);
}
if (authVerifier.Value.auth_type != (byte)context.AuthenticationType ||
authVerifier.Value.auth_level != (byte)context.AuthenticationLevel ||
authVerifier.Value.auth_context_id != context.AuthenticationContextId)
{
//SecurityProvider in context is not the right SSPI to decrypt and validate the PDU.
return(false);
}
bool result = true;
if (PTYPE == RpcePacketType.Bind ||
PTYPE == RpcePacketType.AlterContext ||
PTYPE == RpcePacketType.Auth3)
{
ServerSecurityContext serverSspi = context.SecurityContext as ServerSecurityContext;
if (serverSspi != null)
{
// Accept or Initialize should throw exception when token is incorrect.
serverSspi.Accept(authVerifier.Value.auth_value);
securityContextNeedContinueProcessing = serverSspi.NeedContinueProcessing;
}
}
else if (PTYPE == RpcePacketType.BindAck ||
PTYPE == RpcePacketType.AlterContextResp)
{
ClientSecurityContext clientSspi = context.SecurityContext as ClientSecurityContext;
if (clientSspi != null)
{
//BindAck only received on client.
clientSspi.Initialize(authVerifier.Value.auth_value);
securityContextNeedContinueProcessing = clientSspi.NeedContinueProcessing;
}
}
else if (context.AuthenticationLevel != RpceAuthenticationLevel.RPC_C_AUTHN_LEVEL_DEFAULT &&
context.AuthenticationLevel != RpceAuthenticationLevel.RPC_C_AUTHN_LEVEL_CONNECT)
{
auth_verifier_co_t newAuthVerifier = authVerifier.Value;
result = DecryptAndVerify(ref newAuthVerifier);
authVerifier = newAuthVerifier;
}
return(result);
}
/// <summary>
/// Dispose Server Security Context
/// </summary>
public void Dispose()
{
this.Context = null;
GC.SuppressFinalize(this);
}
