public static SecurityStatusPal DecryptMessage(SafeDeleteContext securityContext, byte[] buffer, ref int offset, ref int count)
{
// Decryption using SCHANNEL requires four buffers.
SecurityBuffer[] decspc = new SecurityBuffer[4];
decspc[0] = new SecurityBuffer(buffer, offset, count, SecurityBufferType.SECBUFFER_DATA);
decspc[1] = new SecurityBuffer(null, SecurityBufferType.SECBUFFER_EMPTY);
decspc[2] = new SecurityBuffer(null, SecurityBufferType.SECBUFFER_EMPTY);
decspc[3] = new SecurityBuffer(null, SecurityBufferType.SECBUFFER_EMPTY);
Interop.SECURITY_STATUS errorCode = (Interop.SECURITY_STATUS)SSPIWrapper.DecryptMessage(
GlobalSSPI.SSPISecureChannel,
securityContext,
decspc,
0);
count = 0;
for (int i = 0; i < decspc.Length; i++)
{
// Successfully decoded data and placed it at the following position in the buffer,
if ((errorCode == Interop.SECURITY_STATUS.OK && decspc[i].type == SecurityBufferType.SECBUFFER_DATA)
// or we failed to decode the data, here is the encoded data.
|| (errorCode != Interop.SECURITY_STATUS.OK && decspc[i].type == SecurityBufferType.SECBUFFER_EXTRA))
{
offset = decspc[i].offset;
count = decspc[i].size;
break;
}
}
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(errorCode));
}
public void OperationReturnedSomething(string operation, Interop.SECURITY_STATUS errorCode)
{
if (IsEnabled())
{
WriteEvent(OperationReturnedSomethingId, operation, errorCode);
}
}
internal static unsafe SafeFreeCredentials AcquireCredentialsHandle(string package, bool isServer, NetworkCredential credential)
{
SafeSspiAuthDataHandle authData = null;
try
{
Interop.SECURITY_STATUS result = Interop.SspiCli.SspiEncodeStringsAsAuthIdentity(
credential.UserName, credential.Domain,
credential.Password, out authData);
if (result != Interop.SECURITY_STATUS.OK)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Error(null, StringsHelper.Format(Strings.net_log_operation_failed_with_error, nameof(Interop.SspiCli.SspiEncodeStringsAsAuthIdentity), $"0x{(int)result:X}"));
}
throw new Win32Exception((int)result);
}
return(SSPIWrapper.AcquireCredentialsHandle(GlobalSSPI.SSPIAuth,
package, (isServer ? Interop.SspiCli.CredentialUse.SECPKG_CRED_INBOUND : Interop.SspiCli.CredentialUse.SECPKG_CRED_OUTBOUND), ref authData));
}
finally
{
if (authData != null)
{
authData.Dispose();
}
}
}
internal void OperationReturnedSomething(string operation, Interop.SECURITY_STATUS errorCode)
{
if (!s_log.IsEnabled())
{
return;
}
WriteEvent(OperationReturnedSomethingId, operation, errorCode);
}
internal static SecurityStatusPal InitializeSecurityContext(
ref SafeFreeCredentials credentialsHandle,
ref SafeDeleteContext securityContext,
string spn,
ContextFlagsPal requestedContextFlags,
byte[] incomingBlob,
ChannelBinding channelBinding,
ref byte[] resultBlob,
ref ContextFlagsPal contextFlags)
{
#if netstandard
Span <SecurityBuffer> inSecurityBufferSpan = new SecurityBuffer[2];
#else
TwoSecurityBuffers twoSecurityBuffers = default;
Span <SecurityBuffer> inSecurityBufferSpan = MemoryMarshal.CreateSpan(ref twoSecurityBuffers._item0, 2);
#endif
int inSecurityBufferSpanLength = 0;
if (incomingBlob != null && channelBinding != null)
{
inSecurityBufferSpan[0] = new SecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN);
inSecurityBufferSpan[1] = new SecurityBuffer(channelBinding);
inSecurityBufferSpanLength = 2;
}
else if (incomingBlob != null)
{
inSecurityBufferSpan[0] = new SecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN);
inSecurityBufferSpanLength = 1;
}
else if (channelBinding != null)
{
inSecurityBufferSpan[0] = new SecurityBuffer(channelBinding);
inSecurityBufferSpanLength = 1;
}
inSecurityBufferSpan = inSecurityBufferSpan.Slice(0, inSecurityBufferSpanLength);
var outSecurityBuffer = new SecurityBuffer(resultBlob, SecurityBufferType.SECBUFFER_TOKEN);
Interop.SspiCli.ContextFlags outContextFlags = Interop.SspiCli.ContextFlags.Zero;
// There is only one SafeDeleteContext type on Windows which is SafeDeleteSslContext so this cast is safe.
SafeDeleteSslContext sslContext = (SafeDeleteSslContext)securityContext;
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.InitializeSecurityContext(
GlobalSSPI.SSPIAuth,
ref credentialsHandle,
ref sslContext,
spn,
ContextFlagsAdapterPal.GetInteropFromContextFlagsPal(requestedContextFlags),
Interop.SspiCli.Endianness.SECURITY_NETWORK_DREP,
inSecurityBufferSpan,
ref outSecurityBuffer,
ref outContextFlags);
securityContext = sslContext;
resultBlob = outSecurityBuffer.token;
contextFlags = ContextFlagsAdapterPal.GetContextFlagsPalFromInterop(outContextFlags);
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(winStatus));
}
internal static SecurityStatusPal CompleteAuthToken(
ref SafeDeleteContext securityContext,
SecurityBuffer[] inSecurityBufferArray)
{
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.CompleteAuthToken(
GlobalSSPI.SSPIAuth,
ref securityContext,
inSecurityBufferArray);
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(winStatus));
}
internal static IIdentity GetIdentity(NTAuthentication context)
{
IIdentity?result;
string? name = context.IsServer ? null : context.Spn;
string protocol = context.ProtocolName;
if (context.IsServer)
{
SecurityContextTokenHandle?token = null;
try
{
SafeDeleteContext?securityContext = context.GetContext(out SecurityStatusPal status);
if (status.ErrorCode != SecurityStatusPalErrorCode.OK)
{
throw new Win32Exception((int)SecurityStatusAdapterPal.GetInteropFromSecurityStatusPal(status));
}
name = QueryContextAssociatedName(securityContext !);
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(context, $"NTAuthentication: The context is associated with [{name}]");
}
// This will return a client token when conducted authentication on server side.
// This token can be used for impersonation. We use it to create a WindowsIdentity and hand it out to the server app.
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.QuerySecurityContextToken(
GlobalSSPI.SSPIAuth,
securityContext !,
out token);
if (winStatus != Interop.SECURITY_STATUS.OK)
{
throw new Win32Exception((int)winStatus);
}
string authtype = context.ProtocolName;
// The following call was also specifying WindowsAccountType.Normal, true.
// WindowsIdentity.IsAuthenticated is no longer supported in .NET Core
result = new WindowsIdentity(token.DangerousGetHandle(), authtype);
return(result);
}
catch (SecurityException)
{
// Ignore and construct generic Identity if failed due to security problem.
}
finally
{
token?.Dispose();
}
}
// On the client we don't have access to the remote side identity.
result = new GenericIdentity(name ?? string.Empty, protocol);
return(result);
}
internal static SecurityStatusPal AcceptSecurityContext(
SafeFreeCredentials?credentialsHandle,
ref SafeDeleteContext?securityContext,
ContextFlagsPal requestedContextFlags,
ReadOnlySpan <byte> incomingBlob,
ChannelBinding?channelBinding,
ref byte[]?resultBlob,
out int resultBlobLength,
ref ContextFlagsPal contextFlags)
{
InputSecurityBuffers inputBuffers = default;
if (!incomingBlob.IsEmpty)
{
inputBuffers.SetNextBuffer(new InputSecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN));
}
if (channelBinding != null)
{
inputBuffers.SetNextBuffer(new InputSecurityBuffer(channelBinding));
}
var outSecurityBuffer = new SecurityBuffer(resultBlob, SecurityBufferType.SECBUFFER_TOKEN);
Interop.SspiCli.ContextFlags outContextFlags = Interop.SspiCli.ContextFlags.Zero;
// There is only one SafeDeleteContext type on Windows which is SafeDeleteSslContext so this cast is safe.
SafeDeleteSslContext?sslContext = (SafeDeleteSslContext?)securityContext;
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.AcceptSecurityContext(
GlobalSSPI.SSPIAuth,
credentialsHandle,
ref sslContext,
ContextFlagsAdapterPal.GetInteropFromContextFlagsPal(requestedContextFlags),
Interop.SspiCli.Endianness.SECURITY_NETWORK_DREP,
inputBuffers,
ref outSecurityBuffer,
ref outContextFlags);
// SSPI Workaround
// If a client sends up a blob on the initial request, Negotiate returns SEC_E_INVALID_HANDLE
// when it should return SEC_E_INVALID_TOKEN.
if (winStatus == Interop.SECURITY_STATUS.InvalidHandle && securityContext == null && !incomingBlob.IsEmpty)
{
winStatus = Interop.SECURITY_STATUS.InvalidToken;
}
Debug.Assert(outSecurityBuffer.offset == 0);
resultBlob = outSecurityBuffer.token;
resultBlobLength = outSecurityBuffer.size;
securityContext = sslContext;
contextFlags = ContextFlagsAdapterPal.GetContextFlagsPalFromInterop(outContextFlags);
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(winStatus));
}
internal static SecurityStatusPal CompleteAuthToken(
ref SafeDeleteContext securityContext,
byte[] incomingBlob)
{
var inSecurityBuffer = new SecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN);
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.CompleteAuthToken(
GlobalSSPI.SSPIAuth,
ref securityContext,
in inSecurityBuffer);
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(winStatus));
}
internal static IIdentity GetIdentity(NTAuthentication context)
{
IIdentity result = null;
string name = context.IsServer ? context.AssociatedName : context.Spn;
string protocol = context.ProtocolName;
if (context.IsServer)
{
SecurityContextTokenHandle token = null;
try
{
SecurityStatusPal status;
SafeDeleteContext securityContext = context.GetContext(out status);
if (status.ErrorCode != SecurityStatusPalErrorCode.OK)
{
throw new Win32Exception((int)SecurityStatusAdapterPal.GetInteropFromSecurityStatusPal(status));
}
// This will return a client token when conducted authentication on server side.
// This token can be used for impersonation. We use it to create a WindowsIdentity and hand it out to the server app.
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.QuerySecurityContextToken(
GlobalSSPI.SSPIAuth,
securityContext,
out token);
if (winStatus != Interop.SECURITY_STATUS.OK)
{
throw new Win32Exception((int)winStatus);
}
string authtype = context.ProtocolName;
// TODO #5241:
// The following call was also specifying WindowsAccountType.Normal, true.
// WindowsIdentity.IsAuthenticated is no longer supported in CoreFX.
result = new WindowsIdentity(token.DangerousGetHandle(), authtype);
return(result);
}
catch (SecurityException)
{
// Ignore and construct generic Identity if failed due to security problem.
}
finally
{
if (token != null)
{
token.Dispose();
}
}
}
// On the client we don't have access to the remote side identity.
result = new GenericIdentity(name, protocol);
return(result);
}
internal static SecurityStatusPal CompleteAuthToken(
ref SafeDeleteContext?securityContext,
byte[]?incomingBlob)
{
// There is only one SafeDeleteContext type on Windows which is SafeDeleteSslContext so this cast is safe.
SafeDeleteSslContext?sslContext = (SafeDeleteSslContext?)securityContext;
var inSecurityBuffer = new SecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN);
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.CompleteAuthToken(
GlobalSSPI.SSPIAuth,
ref sslContext,
in inSecurityBuffer);
securityContext = sslContext;
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(winStatus));
}
public static unsafe SecurityStatusPal DecryptMessage(SafeDeleteContext securityContext, byte[] buffer, ref int offset, ref int count)
{
const int NumSecBuffers = 4; // data + empty + empty + empty
var unmanagedBuffer = stackalloc Interop.SspiCli.SecBuffer[NumSecBuffers];
var sdcInOut = new Interop.SspiCli.SecBufferDesc(NumSecBuffers);
sdcInOut.pBuffers = unmanagedBuffer;
fixed(byte *bufferPtr = buffer)
{
Interop.SspiCli.SecBuffer *dataBuffer = &unmanagedBuffer[0];
dataBuffer->BufferType = SecurityBufferType.SECBUFFER_DATA;
dataBuffer->pvBuffer = (IntPtr)bufferPtr + offset;
dataBuffer->cbBuffer = count;
for (int i = 1; i < NumSecBuffers; i++)
{
Interop.SspiCli.SecBuffer *emptyBuffer = &unmanagedBuffer[i];
emptyBuffer->BufferType = SecurityBufferType.SECBUFFER_EMPTY;
emptyBuffer->pvBuffer = IntPtr.Zero;
emptyBuffer->cbBuffer = 0;
}
Interop.SECURITY_STATUS errorCode = (Interop.SECURITY_STATUS)GlobalSSPI.SSPISecureChannel.DecryptMessage(securityContext, ref sdcInOut, 0);
// Decrypt may repopulate the sec buffers, likely with header + data + trailer + empty.
// We need to find the data.
count = 0;
for (int i = 0; i < NumSecBuffers; i++)
{
// Successfully decoded data and placed it at the following position in the buffer,
if ((errorCode == Interop.SECURITY_STATUS.OK && unmanagedBuffer[i].BufferType == SecurityBufferType.SECBUFFER_DATA)
// or we failed to decode the data, here is the encoded data.
|| (errorCode != Interop.SECURITY_STATUS.OK && unmanagedBuffer[i].BufferType == SecurityBufferType.SECBUFFER_EXTRA))
{
offset = (int)((byte *)unmanagedBuffer[i].pvBuffer - bufferPtr);
count = unmanagedBuffer[i].cbBuffer;
Debug.Assert(offset >= 0 && count >= 0, $"Expected offset and count greater than 0, got {offset} and {count}");
Debug.Assert(checked (offset + count) <= buffer.Length, $"Expected offset+count <= buffer.Length, got {offset}+{count}>={buffer.Length}");
break;
}
}
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(errorCode));
}
}
internal static SecurityStatusPal InitializeSecurityContext(
ref SafeFreeCredentials?credentialsHandle,
ref SafeDeleteContext?securityContext,
string?spn,
ContextFlagsPal requestedContextFlags,
ReadOnlySpan <byte> incomingBlob,
ChannelBinding?channelBinding,
ref byte[]?resultBlob,
out int resultBlobLength,
ref ContextFlagsPal contextFlags)
{
InputSecurityBuffers inputBuffers = default;
if (!incomingBlob.IsEmpty)
{
inputBuffers.SetNextBuffer(new InputSecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN));
}
if (channelBinding != null)
{
inputBuffers.SetNextBuffer(new InputSecurityBuffer(channelBinding));
}
var outSecurityBuffer = new SecurityBuffer(resultBlob, SecurityBufferType.SECBUFFER_TOKEN);
Interop.SspiCli.ContextFlags outContextFlags = Interop.SspiCli.ContextFlags.Zero;
// There is only one SafeDeleteContext type on Windows which is SafeDeleteSslContext so this cast is safe.
SafeDeleteSslContext?sslContext = (SafeDeleteSslContext?)securityContext;
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.InitializeSecurityContext(
GlobalSSPI.SSPIAuth,
ref credentialsHandle,
ref sslContext,
spn,
ContextFlagsAdapterPal.GetInteropFromContextFlagsPal(requestedContextFlags),
Interop.SspiCli.Endianness.SECURITY_NETWORK_DREP,
inputBuffers,
ref outSecurityBuffer,
ref outContextFlags);
securityContext = sslContext;
Debug.Assert(outSecurityBuffer.offset == 0);
resultBlob = outSecurityBuffer.token;
resultBlobLength = outSecurityBuffer.size;
contextFlags = ContextFlagsAdapterPal.GetContextFlagsPalFromInterop(outContextFlags);
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(winStatus));
}
internal static SecurityStatusPal GetSecurityStatusPalFromInterop(Interop.SECURITY_STATUS win32SecurityStatus, bool attachException = false)
{
SecurityStatusPalErrorCode statusCode;
if (!s_statusDictionary.TryGetForward(win32SecurityStatus, out statusCode))
{
Debug.Fail("Unknown Interop.SecurityStatus value: " + win32SecurityStatus);
throw new InternalException(win32SecurityStatus);
}
if (attachException)
{
return(new SecurityStatusPal(statusCode, new Win32Exception((int)win32SecurityStatus)));
}
else
{
return(new SecurityStatusPal(statusCode));
}
}
internal static SecurityStatusPal AcceptSecurityContext(
SafeFreeCredentials?credentialsHandle,
ref SafeDeleteContext?securityContext,
ContextFlagsPal requestedContextFlags,
byte[]?incomingBlob,
ChannelBinding?channelBinding,
ref byte[]?resultBlob,
ref ContextFlagsPal contextFlags)
{
InputSecurityBuffers inputBuffers = default;
if (incomingBlob != null)
{
inputBuffers.SetNextBuffer(new InputSecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN));
}
if (channelBinding != null)
{
inputBuffers.SetNextBuffer(new InputSecurityBuffer(channelBinding));
}
var outSecurityBuffer = new SecurityBuffer(resultBlob, SecurityBufferType.SECBUFFER_TOKEN);
Interop.SspiCli.ContextFlags outContextFlags = Interop.SspiCli.ContextFlags.Zero;
// There is only one SafeDeleteContext type on Windows which is SafeDeleteSslContext so this cast is safe.
SafeDeleteSslContext?sslContext = (SafeDeleteSslContext?)securityContext;
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.AcceptSecurityContext(
GlobalSSPI.SSPIAuth,
credentialsHandle,
ref sslContext,
ContextFlagsAdapterPal.GetInteropFromContextFlagsPal(requestedContextFlags),
Interop.SspiCli.Endianness.SECURITY_NETWORK_DREP,
inputBuffers,
ref outSecurityBuffer,
ref outContextFlags);
resultBlob = outSecurityBuffer.token;
securityContext = sslContext;
contextFlags = ContextFlagsAdapterPal.GetContextFlagsPalFromInterop(outContextFlags);
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(winStatus));
}
internal static SecurityStatusPal AcceptSecurityContext(
SafeFreeCredentials credentialsHandle,
ref SafeDeleteContext securityContext,
ContextFlagsPal requestedContextFlags,
SecurityBuffer[] inSecurityBufferArray,
SecurityBuffer outSecurityBuffer,
ref ContextFlagsPal contextFlags)
{
Interop.SspiCli.ContextFlags outContextFlags = Interop.SspiCli.ContextFlags.Zero;
Interop.SECURITY_STATUS winStatus = (Interop.SECURITY_STATUS)SSPIWrapper.AcceptSecurityContext(
GlobalSSPI.SSPIAuth,
credentialsHandle,
ref securityContext,
ContextFlagsAdapterPal.GetInteropFromContextFlagsPal(requestedContextFlags),
Interop.SspiCli.Endianness.SECURITY_NETWORK_DREP,
inSecurityBufferArray,
outSecurityBuffer,
ref outContextFlags);
contextFlags = ContextFlagsAdapterPal.GetContextFlagsPalFromInterop(outContextFlags);
return(SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(winStatus));
}
internal unsafe static SafeFreeCredentials AcquireCredentialsHandle(string package, bool isServer, NetworkCredential credential)
{
SafeSspiAuthDataHandle authData = null;
try
{
Interop.SECURITY_STATUS result = Interop.SspiCli.SspiEncodeStringsAsAuthIdentity(
credential.UserName, credential.Domain,
credential.Password, out authData);
if (result != Interop.SECURITY_STATUS.OK)
{
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.PrintError(
NetEventSource.ComponentType.Security,
SR.Format(
SR.net_log_operation_failed_with_error,
"SspiEncodeStringsAsAuthIdentity()",
String.Format(CultureInfo.CurrentCulture, "0x{0:X}", (int)result)));
}
throw new Win32Exception((int)result);
}
return(SSPIWrapper.AcquireCredentialsHandle(GlobalSSPI.SSPIAuth,
package, (isServer ? Interop.SspiCli.CredentialUse.SECPKG_CRED_INBOUND : Interop.SspiCli.CredentialUse.SECPKG_CRED_OUTBOUND), ref authData));
}
finally
{
if (authData != null)
{
authData.Dispose();
}
}
}
public void SecurityContextInputBuffers(string context, int inputBuffersSize, int outputBufferSize, Interop.SECURITY_STATUS errorCode)
{
if (IsEnabled())
{
WriteEvent(SecurityContextInputBuffersId, context, inputBuffersSize, outputBufferSize, (int)errorCode);
}
}
internal unsafe void SecurityContextInputBuffers(string context, int inputBuffersSize, int outputBufferSize, Interop.SECURITY_STATUS errorCode)
{
if (!s_log.IsEnabled())
{
return;
}
fixed(char *arg1Ptr = context)
{
const int SizeData = 4;
EventData *dataDesc = stackalloc EventSource.EventData[SizeData];
dataDesc[0].DataPointer = (IntPtr)(arg1Ptr);
dataDesc[0].Size = (context.Length + 1) * sizeof(char);
dataDesc[1].DataPointer = (IntPtr)(&inputBuffersSize);
dataDesc[1].Size = sizeof(int);
dataDesc[2].DataPointer = (IntPtr)(&outputBufferSize);
dataDesc[2].Size = sizeof(int);
dataDesc[3].DataPointer = (IntPtr)(&errorCode);
dataDesc[3].Size = sizeof(int);
WriteEventCore(SecurityContextInputBuffersId, SizeData, dataDesc);
}
}
public void OperationReturnedSomething(string operation, Interop.SECURITY_STATUS errorCode) => WriteEvent(OperationReturnedSomethingId, operation, errorCode);
public void SecurityContextInputBuffer(string context, int inputBufferSize, int outputBufferSize, Interop.SECURITY_STATUS errorCode) => WriteEvent(SecurityContextInputBufferId, context, inputBufferSize, outputBufferSize, (int)errorCode);
