public static unsafe int AcquireCredentialsHandle(string package, CredentialUse intent, ref SecureCredential authdata, out SafeFreeCredentials outCredential) { int num = -1; IntPtr certContextArray = authdata.certContextArray; try { IntPtr ptr2 = new IntPtr((void*) &certContextArray); if (certContextArray != IntPtr.Zero) { authdata.certContextArray = ptr2; } outCredential = new SafeFreeCredentials(); RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { long num2; num = AcquireCredentialsHandleW(null, package, (int) intent, null, ref authdata, null, null, ref outCredential._handle, out num2); if (num != 0) { outCredential.SetHandleAsInvalid(); } } } finally { authdata.certContextArray = certContextArray; } return num; }
public override void OnOpening() { bool flag = System.ServiceModel.Security.SecurityUtils.IsOsGreaterThanXP(); base.OnOpening(); if (this.credentialsHandle == null) { string str; if (!this.allowNtlm && !flag) { str = "Kerberos"; } else { str = "Negotiate"; } NetworkCredential credential = null; if (this.clientCredential != null) { credential = this.clientCredential.GetCredential(base.TargetAddress.Uri, str); } if (!this.allowNtlm && flag) { this.credentialsHandle = System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(str, credential, false, new string[] { "!NTLM" }); } else { this.credentialsHandle = System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle(str, credential, false, new string[0]); } this.ownCredentialsHandle = true; } }
private void FreeCredentialsHandle() { if (this.credentialsHandle != null) { this.credentialsHandle.Close(); this.credentialsHandle = null; } }
public override void OnOpening() { base.OnOpening(); if (this.credentialsHandle == null) { this.credentialsHandle = System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle("Negotiate", this.serverCredential, true, new string[0]); } }
public SpnegoTokenProvider(System.IdentityModel.SafeFreeCredentials credentialsHandle, SecurityBindingElement securityBindingElement) : base(securityBindingElement) { this.allowedImpersonationLevel = TokenImpersonationLevel.Identification; this.identityVerifier = System.ServiceModel.Security.IdentityVerifier.CreateDefault(); this.allowNtlm = true; this.authenticateServer = true; this.interactiveNegoExLogonEnabled = true; this.credentialsHandle = credentialsHandle; }
public override void OnOpening() { base.OnOpening(); if (this.credentialsHandle == null) { this.credentialsHandle = System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle("Kerberos", this.innerProvider.NetworkCredential, false, new string[0]); this.ownCredentialsHandle = true; } }
public static int AcquireCredentialsHandle(string package, CredentialUse intent, ref IntPtr ppAuthIdentity, out SafeFreeCredentials outCredential) { int num = -1; outCredential = new SafeFreeCredentials(); RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { long num2; num = AcquireCredentialsHandleW(null, package, (int) intent, null, ppAuthIdentity, null, null, ref outCredential._handle, out num2); if (num != 0) { outCredential.SetHandleAsInvalid(); } } return num; }
private WindowsSspiNegotiation(bool isServer, string package, SafeFreeCredentials credentialsHandle, TokenImpersonationLevel impersonationLevel, string servicePrincipalName, bool doMutualAuth, bool interactiveLogonEnabled, bool ntlmEnabled) { this.syncObject = new object(); this.interactiveNegoLogonEnabled = true; this.saveClientCredentialsOnSspiUi = true; this.tokenSize = SspiWrapper.GetVerifyPackageInfo(package).MaxToken; this.isServer = isServer; this.servicePrincipalName = servicePrincipalName; this.securityContext = null; if (isServer) { this.impersonationLevel = TokenImpersonationLevel.Delegation; this.doMutualAuth = false; } else { this.impersonationLevel = impersonationLevel; this.doMutualAuth = doMutualAuth; this.interactiveNegoLogonEnabled = interactiveLogonEnabled; this.clientPackageName = package; this.allowNtlm = ntlmEnabled; } this.credentialsHandle = credentialsHandle; }
public static int AcquireCredentialsHandle(string package, CredentialUse intent, ref IntPtr ppAuthIdentity, out SafeFreeCredentials outCredential) { int num = -1; outCredential = new SafeFreeCredentials(); RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { long num2; num = AcquireCredentialsHandleW(null, package, (int)intent, null, ppAuthIdentity, null, null, ref outCredential._handle, out num2); if (num != 0) { outCredential.SetHandleAsInvalid(); } } return(num); }
public static unsafe int AcquireCredentialsHandle(string package, CredentialUse intent, ref SecureCredential authdata, out SafeFreeCredentials outCredential) { int num = -1; IntPtr certContextArray = authdata.certContextArray; try { IntPtr ptr2 = new IntPtr((void *)&certContextArray); if (certContextArray != IntPtr.Zero) { authdata.certContextArray = ptr2; } outCredential = new SafeFreeCredentials(); RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { long num2; num = AcquireCredentialsHandleW(null, package, (int)intent, null, ref authdata, null, null, ref outCredential._handle, out num2); if (num != 0) { outCredential.SetHandleAsInvalid(); } } } finally { authdata.certContextArray = certContextArray; } return(num); }
internal KerberosRequestorSecurityToken(string servicePrincipalName, TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, string id, System.IdentityModel.SafeFreeCredentials credentialsHandle, ChannelBinding channelBinding) { if (servicePrincipalName == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("servicePrincipalName"); } if ((tokenImpersonationLevel != TokenImpersonationLevel.Identification) && (tokenImpersonationLevel != TokenImpersonationLevel.Impersonation)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("tokenImpersonationLevel", System.IdentityModel.SR.GetString("ImpersonationLevelNotSupported", new object[] { tokenImpersonationLevel }))); } if (id == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("id"); } this.servicePrincipalName = servicePrincipalName; if (((networkCredential != null) && (networkCredential != CredentialCache.DefaultNetworkCredentials)) && string.IsNullOrEmpty(networkCredential.UserName)) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgument(System.IdentityModel.SR.GetString("ProvidedNetworkCredentialsForKerberosHasInvalidUserName")); } this.id = id; try { this.Initialize(tokenImpersonationLevel, networkCredential, credentialsHandle, channelBinding); } catch (Win32Exception exception) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("UnableToCreateKerberosCredentials"), exception)); } catch (SecurityTokenException exception2) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenValidationException(System.IdentityModel.SR.GetString("UnableToCreateKerberosCredentials"), exception2)); } }
internal static int AcceptSecurityContext(SafeFreeCredentials credential, ref SafeDeleteContext refContext, SspiContextFlags inFlags, Endianness datarep, SecurityBuffer[] inputBuffers, SecurityBuffer outputBuffer, ref SspiContextFlags outFlags) { return SafeDeleteContext.AcceptSecurityContext(credential, ref refContext, inFlags, datarep, null, inputBuffers, outputBuffer, ref outFlags); }
// After PINvoke call the method will fix the handleTemplate.handle with the returned value. // The caller is responsible for creating a correct SafeFreeContextBuffer_XXX flavour or null can be passed if no handle is returned. // This method is run as non-interruptible. static unsafe int MustRunAcceptSecurityContext( SafeFreeCredentials inCredentials, void* inContextPtr, SecurityBufferDescriptor inputBuffer, SspiContextFlags inFlags, Endianness endianness, SafeDeleteContext outContext, SecurityBufferDescriptor outputBuffer, ref SspiContextFlags outFlags, SafeFreeContextBuffer handleTemplate) { int errorCode = -1; bool b1 = false; bool b2 = false; // Run the body of this method as a non-interruptible block. RuntimeHelpers.PrepareConstrainedRegions(); try { inCredentials.DangerousAddRef(ref b1); outContext.DangerousAddRef(ref b2); } catch (Exception e) { if (System.Runtime.Fx.IsFatal(e)) throw; if (b1) { inCredentials.DangerousRelease(); b1 = false; } if (b2) { outContext.DangerousRelease(); b2 = false; } if (!(e is ObjectDisposedException)) throw; } finally { long timeStamp; if (!b1) { // caller should retry inCredentials = null; } else if (b1 && b2) { SSPIHandle credentialHandle = inCredentials._handle; // PreSharp Bug: Call 'Marshal.GetLastWin32Error' or 'Marshal.GetHRForLastWin32Error' before any other interop call. #pragma warning suppress 56523 // This API does not set Win32 Last Error. errorCode = AcceptSecurityContext( ref credentialHandle, inContextPtr, inputBuffer, inFlags, endianness, ref outContext._handle, outputBuffer, ref outFlags, out timeStamp ); // // When a credential handle is first associated with the context we keep credential // ref count bumped up to ensure ordered finalization. // If the credential handle has been changed we de-ref the old one and associate the // context with the new cred handle but only if the call was successful. if (outContext._EffectiveCredential != inCredentials && (errorCode & 0x80000000) == 0) { // Disassociate the previous credential handle if (outContext._EffectiveCredential != null) outContext._EffectiveCredential.DangerousRelease(); outContext._EffectiveCredential = inCredentials; } else { inCredentials.DangerousRelease(); } outContext.DangerousRelease(); // The idea is that SSPI has allocated a block and filled up outUnmanagedBuffer+8 slot with the pointer. if (handleTemplate != null) { handleTemplate.Set(((SecurityBufferStruct*)outputBuffer.UnmanagedPointer)->token); //ATTN: on 64 BIT that is still +8 cause of 2* c++ unsigned long == 8 bytes if (handleTemplate.IsInvalid) { handleTemplate.SetHandleAsInvalid(); } } if (inContextPtr == null && (errorCode & 0x80000000) != 0) { // an error on the first call, need to set the out handle to invalid value outContext._handle.SetToInvalid(); } } } return errorCode; }
private static unsafe int MustRunInitializeSecurityContext(SafeFreeCredentials inCredentials, void *inContextPtr, byte *targetName, SspiContextFlags inFlags, Endianness endianness, SecurityBufferDescriptor inputBuffer, SafeDeleteContext outContext, SecurityBufferDescriptor outputBuffer, ref SspiContextFlags attributes, SafeFreeContextBuffer handleTemplate) { int num = -1; bool success = false; bool flag2 = false; RuntimeHelpers.PrepareConstrainedRegions(); try { inCredentials.DangerousAddRef(ref success); outContext.DangerousAddRef(ref flag2); } catch (Exception exception) { if (success) { inCredentials.DangerousRelease(); success = false; } if (flag2) { outContext.DangerousRelease(); flag2 = false; } if (!(exception is ObjectDisposedException)) { throw; } } finally { if (!success) { inCredentials = null; } else if (success && flag2) { long num2; num = InitializeSecurityContextW(ref inCredentials._handle, inContextPtr, targetName, inFlags, 0, endianness, inputBuffer, 0, ref outContext._handle, outputBuffer, ref attributes, out num2); if ((outContext._EffectiveCredential != inCredentials) && ((num & 0x80000000L) == 0L)) { if (outContext._EffectiveCredential != null) { outContext._EffectiveCredential.DangerousRelease(); } outContext._EffectiveCredential = inCredentials; } else { inCredentials.DangerousRelease(); } outContext.DangerousRelease(); if (handleTemplate != null) { handleTemplate.Set(outputBuffer.UnmanagedPointer.token); if (handleTemplate.IsInvalid) { handleTemplate.SetHandleAsInvalid(); } } } if ((inContextPtr == null) && ((num & 0x80000000L) != 0L)) { outContext._handle.SetToInvalid(); } } return(num); }
internal static unsafe int InitializeSecurityContext(SafeFreeCredentials inCredentials, ref SafeDeleteContext refContext, string targetName, SspiContextFlags inFlags, Endianness endianness, SecurityBuffer inSecBuffer, SecurityBuffer[] inSecBuffers, SecurityBuffer outSecBuffer, ref SspiContextFlags outFlags) { if (inCredentials == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("inCredentials"); } SecurityBufferDescriptor inputBuffer = null; if (inSecBuffer != null) { inputBuffer = new SecurityBufferDescriptor(1); } else if (inSecBuffers != null) { inputBuffer = new SecurityBufferDescriptor(inSecBuffers.Length); } SecurityBufferDescriptor outputBuffer = new SecurityBufferDescriptor(1); bool flag = (inFlags & SspiContextFlags.AllocateMemory) != SspiContextFlags.Zero; int num = -1; SSPIHandle handle = new SSPIHandle(); if (refContext != null) { handle = refContext._handle; } GCHandle[] handleArray = null; GCHandle handle2 = new GCHandle(); SafeFreeContextBuffer handleTemplate = null; try { handle2 = GCHandle.Alloc(outSecBuffer.token, GCHandleType.Pinned); SecurityBufferStruct[] structArray = new SecurityBufferStruct[(inputBuffer == null) ? 1 : inputBuffer.Count]; try { SecurityBufferStruct[] structArray3; if (((structArray3 = structArray) == null) || (structArray3.Length == 0)) { ptrRef = null; goto Label_00A9; } fixed(IntPtr *ptrRef = structArray3) { Label_00A9: if (inputBuffer != null) { inputBuffer.UnmanagedPointer = (void *)ptrRef; handleArray = new GCHandle[inputBuffer.Count]; for (int i = 0; i < inputBuffer.Count; i++) { SecurityBuffer buffer2 = (inSecBuffer != null) ? inSecBuffer : inSecBuffers[i]; if (buffer2 != null) { structArray[i].count = buffer2.size; structArray[i].type = buffer2.type; if (buffer2.unmanagedToken != null) { structArray[i].token = buffer2.unmanagedToken.DangerousGetHandle(); } else if ((buffer2.token == null) || (buffer2.token.Length == 0)) { structArray[i].token = IntPtr.Zero; } else { handleArray[i] = GCHandle.Alloc(buffer2.token, GCHandleType.Pinned); structArray[i].token = Marshal.UnsafeAddrOfPinnedArrayElement(buffer2.token, buffer2.offset); } } } } SecurityBufferStruct[] structArray2 = new SecurityBufferStruct[1]; try { SecurityBufferStruct[] structArray4; if (((structArray4 = structArray2) == null) || (structArray4.Length == 0)) { ptrRef2 = null; goto Label_01CF; } fixed(IntPtr *ptrRef2 = structArray4) { Label_01CF: outputBuffer.UnmanagedPointer = (void *)ptrRef2; structArray2[0].count = outSecBuffer.size; structArray2[0].type = outSecBuffer.type; if ((outSecBuffer.token == null) || (outSecBuffer.token.Length == 0)) { structArray2[0].token = IntPtr.Zero; } else { structArray2[0].token = Marshal.UnsafeAddrOfPinnedArrayElement(outSecBuffer.token, outSecBuffer.offset); } if (flag) { handleTemplate = SafeFreeContextBuffer.CreateEmptyHandle(); } if ((refContext == null) || refContext.IsInvalid) { refContext = new SafeDeleteContext(); } if ((targetName == null) || (targetName.Length == 0)) { targetName = " "; } fixed(char *str = ((char *)targetName)) { char *chPtr = str; num = MustRunInitializeSecurityContext(inCredentials, handle.IsZero ? null : ((void *)&handle), (targetName == " ") ? null : ((byte *)chPtr), inFlags, endianness, inputBuffer, refContext, outputBuffer, ref outFlags, handleTemplate); } outSecBuffer.size = structArray2[0].count; outSecBuffer.type = structArray2[0].type; if (outSecBuffer.size > 0) { outSecBuffer.token = DiagnosticUtility.Utility.AllocateByteArray(outSecBuffer.size); Marshal.Copy(structArray2[0].token, outSecBuffer.token, 0, outSecBuffer.size); return(num); } outSecBuffer.token = null; return(num); } } finally { ptrRef2 = null; } return(num); } } finally { ptrRef = null; } } finally { if (handleArray != null) { for (int j = 0; j < handleArray.Length; j++) { if (handleArray[j].IsAllocated) { handleArray[j].Free(); } } } if (handle2.IsAllocated) { handle2.Free(); } if (handleTemplate != null) { handleTemplate.Close(); } } return(num); }
internal WindowsSspiNegotiation(string package, SafeFreeCredentials credentialsHandle, TokenImpersonationLevel impersonationLevel, string servicePrincipalName, bool doMutualAuth, bool interactiveLogonEnabled, bool ntlmEnabled) : this(false, package, credentialsHandle, impersonationLevel, servicePrincipalName, doMutualAuth, interactiveLogonEnabled, ntlmEnabled) { }
internal WindowsSspiNegotiation(string package, SafeFreeCredentials credentialsHandle, string defaultServiceBinding) : this(true, package, credentialsHandle, TokenImpersonationLevel.Delegation, defaultServiceBinding, false, false, true) { }
public byte[] GetOutgoingBlob(byte[] incomingBlob, ChannelBinding channelbinding, ExtendedProtectionPolicy protectionPolicy) { this.ThrowIfDisposed(); int error = 0; SspiContextFlags inFlags = SspiContextFlags.Confidentiality | SspiContextFlags.SequenceDetect | SspiContextFlags.ReplayDetect; if (this.doMutualAuth) { inFlags |= SspiContextFlags.MutualAuth; } if (this.impersonationLevel == TokenImpersonationLevel.Delegation) { inFlags |= SspiContextFlags.Delegate; } else if (!this.isServer && (this.impersonationLevel == TokenImpersonationLevel.Identification)) { inFlags |= SspiContextFlags.InitIdentify; } else if (!this.isServer && (this.impersonationLevel == TokenImpersonationLevel.Anonymous)) { inFlags |= SspiContextFlags.InitAnonymous; } ExtendedProtectionPolicyHelper helper = new ExtendedProtectionPolicyHelper(channelbinding, protectionPolicy); if (this.isServer) { if (((helper.PolicyEnforcement == PolicyEnforcement.Always) && (helper.ChannelBinding == null)) && (helper.ProtectionScenario != ProtectionScenario.TrustedProxy)) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.ServiceModel.SR.GetString("SecurityChannelBindingMissing"))); } if (helper.PolicyEnforcement == PolicyEnforcement.WhenSupported) { inFlags |= SspiContextFlags.ChannelBindingAllowMissingBindings; } if (helper.ProtectionScenario == ProtectionScenario.TrustedProxy) { inFlags |= SspiContextFlags.ChannelBindingProxyBindings; } } List<SecurityBuffer> list = new List<SecurityBuffer>(2); if (incomingBlob != null) { list.Add(new SecurityBuffer(incomingBlob, BufferType.Token)); } if (this.isServer) { if (helper.ShouldAddChannelBindingToASC()) { list.Add(new SecurityBuffer(helper.ChannelBinding)); } } else if (helper.ChannelBinding != null) { list.Add(new SecurityBuffer(helper.ChannelBinding)); } SecurityBuffer[] inputBuffers = null; if (list.Count > 0) { inputBuffers = list.ToArray(); } SecurityBuffer outputBuffer = new SecurityBuffer(this.tokenSize, BufferType.Token); if (!this.isServer) { error = SspiWrapper.InitializeSecurityContext(this.credentialsHandle, ref this.securityContext, this.servicePrincipalName, inFlags, Endianness.Network, inputBuffers, outputBuffer, ref this.contextFlags); } else { bool flag = this.securityContext == null; SspiContextFlags contextFlags = this.contextFlags; error = SspiWrapper.AcceptSecurityContext(this.credentialsHandle, ref this.securityContext, inFlags, Endianness.Network, inputBuffers, outputBuffer, ref this.contextFlags); if ((error == -2146893048) && !flag) { this.contextFlags = contextFlags; this.CloseContext(); error = SspiWrapper.AcceptSecurityContext(this.credentialsHandle, ref this.securityContext, inFlags, Endianness.Network, inputBuffers, outputBuffer, ref this.contextFlags); } } if ((error & -2147483648) != 0) { if (((!this.isServer && this.interactiveNegoLogonEnabled) && (System.ServiceModel.Security.SecurityUtils.IsOSGreaterThanOrEqualToWin7() && SspiWrapper.IsSspiPromptingNeeded((uint) error))) && SspiWrapper.IsNegotiateExPackagePresent()) { if (this.MaxPromptAttempts >= 1) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(error, System.ServiceModel.SR.GetString("InvalidClientCredentials"))); } IntPtr zero = IntPtr.Zero; uint num2 = SspiWrapper.SspiPromptForCredential(this.servicePrincipalName, this.clientPackageName, out zero, ref this.saveClientCredentialsOnSspiUi); if (num2 == 0) { IntPtr ppNewAuthIdentity = IntPtr.Zero; if (!this.allowNtlm) { UnsafeNativeMethods.SspiExcludePackage(zero, "NTLM", out ppNewAuthIdentity); } else { ppNewAuthIdentity = zero; } this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle(this.clientPackageName, CredentialUse.Outbound, ref ppNewAuthIdentity); if (IntPtr.Zero != ppNewAuthIdentity) { UnsafeNativeMethods.SspiFreeAuthIdentity(ppNewAuthIdentity); } this.CloseContext(); this.MaxPromptAttempts++; return this.GetOutgoingBlob(null, channelbinding, protectionPolicy); } if (IntPtr.Zero != zero) { UnsafeNativeMethods.SspiFreeAuthIdentity(zero); } this.CloseContext(); this.isCompleted = true; throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception((int) num2, System.ServiceModel.SR.GetString("SspiErrorOrInvalidClientCredentials"))); } this.CloseContext(); this.isCompleted = true; if (this.isServer || (((error != -2146893042) && (error != -2146893053)) && (error != -2146893022))) { throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(error, System.ServiceModel.SR.GetString("InvalidSspiNegotiation"))); } throw System.ServiceModel.DiagnosticUtility.ExceptionUtility.ThrowHelperError(new Win32Exception(error, System.ServiceModel.SR.GetString("IncorrectSpnOrUpnSpecified", new object[] { this.servicePrincipalName }))); } if (System.ServiceModel.DiagnosticUtility.ShouldTraceInformation) { if (this.isServer) { SecurityTraceRecordHelper.TraceServiceOutgoingSpnego(this); } else { SecurityTraceRecordHelper.TraceClientOutgoingSpnego(this); } } if (error == 0) { this.isCompleted = true; if ((this.isServer && ((this.contextFlags & SspiContextFlags.AcceptAnonymous) == SspiContextFlags.Zero)) && ((string.Compare(this.ProtocolName, "Kerberos", StringComparison.OrdinalIgnoreCase) != 0) && helper.ShouldCheckServiceBinding)) { helper.CheckServiceBinding(this.securityContext, this.servicePrincipalName); } } return outputBuffer.token; }
public static unsafe int AcquireCredentialsHandle( string package, CredentialUse intent, ref SecureCredential authdata, out SafeFreeCredentials outCredential) { int errorCode = -1; long timeStamp; // If there is a certificate, wrap it into an array IntPtr copiedPtr = authdata.certContextArray; try { IntPtr certArrayPtr = new IntPtr(&copiedPtr); if (copiedPtr != IntPtr.Zero) { authdata.certContextArray = certArrayPtr; } outCredential = new SafeFreeCredentials(); RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { // PreSharp Bug: Call 'Marshal.GetLastWin32Error' or 'Marshal.GetHRForLastWin32Error' before any other interop call. #pragma warning suppress 56523 // The API does not set Win32 Last Error. It returns a error code. errorCode = AcquireCredentialsHandleW( null, package, (int)intent, null, ref authdata, null, null, ref outCredential._handle, out timeStamp ); if (errorCode != 0) { outCredential.SetHandleAsInvalid(); } } } finally { authdata.certContextArray = copiedPtr; } return errorCode; }
internal static int AcceptSecurityContext(SafeFreeCredentials credential, ref SafeDeleteContext refContext, SspiContextFlags inFlags, Endianness datarep, SecurityBuffer[] inputBuffers, SecurityBuffer outputBuffer, ref SspiContextFlags outFlags) { return(SafeDeleteContext.AcceptSecurityContext(credential, ref refContext, inFlags, datarep, null, inputBuffers, outputBuffer, ref outFlags)); }
//------------------------------------------------------------------- internal static unsafe int AcceptSecurityContext( SafeFreeCredentials inCredentials, ref SafeDeleteContext refContext, SspiContextFlags inFlags, Endianness endianness, SecurityBuffer inSecBuffer, SecurityBuffer[] inSecBuffers, SecurityBuffer outSecBuffer, ref SspiContextFlags outFlags) { if (inCredentials == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("inCredentials"); } SecurityBufferDescriptor inSecurityBufferDescriptor = null; if (inSecBuffer != null) { inSecurityBufferDescriptor = new SecurityBufferDescriptor(1); } else if (inSecBuffers != null) { inSecurityBufferDescriptor = new SecurityBufferDescriptor(inSecBuffers.Length); } SecurityBufferDescriptor outSecurityBufferDescriptor = new SecurityBufferDescriptor(1); // actually this is returned in outFlags bool isSspiAllocated = (inFlags & SspiContextFlags.AllocateMemory) != 0 ? true : false; int errorCode = -1; SSPIHandle contextHandle = new SSPIHandle(); if (refContext != null) { contextHandle = refContext._handle; } // these are pinned user byte arrays passed along with SecurityBuffers GCHandle[] pinnedInBytes = null; GCHandle pinnedOutBytes = new GCHandle(); // optional output buffer that may need to be freed SafeFreeContextBuffer outFreeContextBuffer = null; try { pinnedOutBytes = GCHandle.Alloc(outSecBuffer.token, GCHandleType.Pinned); SecurityBufferStruct[] inUnmanagedBuffer = new SecurityBufferStruct[inSecurityBufferDescriptor == null ? 1 : inSecurityBufferDescriptor.Count]; fixed (void* inUnmanagedBufferPtr = inUnmanagedBuffer) { if (inSecurityBufferDescriptor != null) { // Fix Descriptor pointer that points to unmanaged SecurityBuffers inSecurityBufferDescriptor.UnmanagedPointer = inUnmanagedBufferPtr; pinnedInBytes = new GCHandle[inSecurityBufferDescriptor.Count]; SecurityBuffer securityBuffer; for (int index = 0; index < inSecurityBufferDescriptor.Count; ++index) { securityBuffer = inSecBuffer != null ? inSecBuffer : inSecBuffers[index]; if (securityBuffer != null) { // Copy the SecurityBuffer content into unmanaged place holder inUnmanagedBuffer[index].count = securityBuffer.size; inUnmanagedBuffer[index].type = securityBuffer.type; // use the unmanaged token if it's not null; otherwise use the managed buffer if (securityBuffer.unmanagedToken != null) { inUnmanagedBuffer[index].token = securityBuffer.unmanagedToken.DangerousGetHandle(); } else if (securityBuffer.token == null || securityBuffer.token.Length == 0) { inUnmanagedBuffer[index].token = IntPtr.Zero; } else { pinnedInBytes[index] = GCHandle.Alloc(securityBuffer.token, GCHandleType.Pinned); inUnmanagedBuffer[index].token = Marshal.UnsafeAddrOfPinnedArrayElement(securityBuffer.token, securityBuffer.offset); } } } } SecurityBufferStruct[] outUnmanagedBuffer = new SecurityBufferStruct[1]; fixed (void* outUnmanagedBufferPtr = outUnmanagedBuffer) { // Fix Descriptor pointer that points to unmanaged SecurityBuffers outSecurityBufferDescriptor.UnmanagedPointer = outUnmanagedBufferPtr; // Copy the SecurityBuffer content into unmanaged place holder outUnmanagedBuffer[0].count = outSecBuffer.size; outUnmanagedBuffer[0].type = outSecBuffer.type; if (outSecBuffer.token == null || outSecBuffer.token.Length == 0) { outUnmanagedBuffer[0].token = IntPtr.Zero; } else { outUnmanagedBuffer[0].token = Marshal.UnsafeAddrOfPinnedArrayElement(outSecBuffer.token, outSecBuffer.offset); } if (isSspiAllocated) { outFreeContextBuffer = SafeFreeContextBuffer.CreateEmptyHandle(); } if (refContext == null || refContext.IsInvalid) { refContext = new SafeDeleteContext(); } errorCode = MustRunAcceptSecurityContext( inCredentials, contextHandle.IsZero ? null : &contextHandle, inSecurityBufferDescriptor, inFlags, endianness, refContext, outSecurityBufferDescriptor, ref outFlags, outFreeContextBuffer ); // Get unmanaged buffer with index 0 as the only one passed into PInvoke outSecBuffer.size = outUnmanagedBuffer[0].count; outSecBuffer.type = outUnmanagedBuffer[0].type; if (outSecBuffer.size > 0) { outSecBuffer.token = DiagnosticUtility.Utility.AllocateByteArray(outSecBuffer.size); Marshal.Copy(outUnmanagedBuffer[0].token, outSecBuffer.token, 0, outSecBuffer.size); } else { outSecBuffer.token = null; } } } } finally { if (pinnedInBytes != null) { for (int index = 0; index < pinnedInBytes.Length; index++) { if (pinnedInBytes[index].IsAllocated) { pinnedInBytes[index].Free(); } } } if (pinnedOutBytes.IsAllocated) { pinnedOutBytes.Free(); } if (outFreeContextBuffer != null) { outFreeContextBuffer.Close(); } } return errorCode; }
public KerberosSecurityTokenProviderWrapper(KerberosSecurityTokenProvider innerProvider, System.IdentityModel.SafeFreeCredentials credentialsHandle) { this.innerProvider = innerProvider; this.credentialsHandle = credentialsHandle; }
//This method should never be called for this type //public new IntPtr DangerousGetHandle() //{ // throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException()); //} public static unsafe int AcquireCredentialsHandle( string package, CredentialUse intent, ref AuthIdentityEx authdata, out SafeFreeCredentials outCredential) { int errorCode = -1; long timeStamp; outCredential = new SafeFreeCredentials(); RuntimeHelpers.PrepareConstrainedRegions(); try { } finally { // PreSharp Bug: Call 'Marshal.GetLastWin32Error' or 'Marshal.GetHRForLastWin32Error' before any other interop call. #pragma warning suppress 56523 // The API does not set Win32 Last Error. It returns a error code. errorCode = AcquireCredentialsHandleW( null, package, (int)intent, null, ref authdata, null, null, ref outCredential._handle, out timeStamp ); if (errorCode != 0) { outCredential.SetHandleAsInvalid(); } } return errorCode; }
public SspiIssuanceChannelParameter(bool getTokenOnOpen, SafeFreeCredentials credentialsHandle) { this.getTokenOnOpen = getTokenOnOpen; this.credentialsHandle = credentialsHandle; }
public override void OnOpening() { base.OnOpening(); if (this.credentialsHandle == null) { this.credentialsHandle = System.ServiceModel.Security.SecurityUtils.GetCredentialsHandle("Kerberos", null, true, new string[0]); } }
private void AcquireServerCredentials() { SecureCredential secureCredential = new SecureCredential(SecureCredential.CurrentVersion, this.serverCertificate, SecureCredential.Flags.Zero, this.protocolFlags); this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle( SecurityPackage, CredentialUse.Inbound, secureCredential ); }
internal static int InitializeSecurityContext(SafeFreeCredentials credential, ref SafeDeleteContext context, string targetName, SspiContextFlags inFlags, Endianness datarep, SecurityBuffer[] inputBuffers, SecurityBuffer outputBuffer, ref SspiContextFlags outFlags) { return SafeDeleteContext.InitializeSecurityContext(credential, ref context, targetName, inFlags, datarep, null, inputBuffers, outputBuffer, ref outFlags); }
private static unsafe int MustRunInitializeSecurityContext(SafeFreeCredentials inCredentials, void* inContextPtr, byte* targetName, SspiContextFlags inFlags, Endianness endianness, SecurityBufferDescriptor inputBuffer, SafeDeleteContext outContext, SecurityBufferDescriptor outputBuffer, ref SspiContextFlags attributes, SafeFreeContextBuffer handleTemplate) { int num = -1; bool success = false; bool flag2 = false; RuntimeHelpers.PrepareConstrainedRegions(); try { inCredentials.DangerousAddRef(ref success); outContext.DangerousAddRef(ref flag2); } catch (Exception exception) { if (success) { inCredentials.DangerousRelease(); success = false; } if (flag2) { outContext.DangerousRelease(); flag2 = false; } if (!(exception is ObjectDisposedException)) { throw; } } finally { if (!success) { inCredentials = null; } else if (success && flag2) { long num2; num = InitializeSecurityContextW(ref inCredentials._handle, inContextPtr, targetName, inFlags, 0, endianness, inputBuffer, 0, ref outContext._handle, outputBuffer, ref attributes, out num2); if ((outContext._EffectiveCredential != inCredentials) && ((num & 0x80000000L) == 0L)) { if (outContext._EffectiveCredential != null) { outContext._EffectiveCredential.DangerousRelease(); } outContext._EffectiveCredential = inCredentials; } else { inCredentials.DangerousRelease(); } outContext.DangerousRelease(); if (handleTemplate != null) { handleTemplate.Set(outputBuffer.UnmanagedPointer.token); if (handleTemplate.IsInvalid) { handleTemplate.SetHandleAsInvalid(); } } } if ((inContextPtr == null) && ((num & 0x80000000L) != 0L)) { outContext._handle.SetToInvalid(); } } return num; }
private void Initialize(TokenImpersonationLevel tokenImpersonationLevel, NetworkCredential networkCredential, System.IdentityModel.SafeFreeCredentials credentialsHandle, ChannelBinding channelBinding) { bool flag = false; System.IdentityModel.SafeDeleteContext context = null; try { if (credentialsHandle == null) { if ((networkCredential == null) || (networkCredential == CredentialCache.DefaultNetworkCredentials)) { credentialsHandle = SspiWrapper.AcquireDefaultCredential("Kerberos", System.IdentityModel.CredentialUse.Outbound, new string[0]); } else { AuthIdentityEx authdata = new AuthIdentityEx(networkCredential.UserName, networkCredential.Password, networkCredential.Domain, new string[0]); credentialsHandle = SspiWrapper.AcquireCredentialsHandle("Kerberos", System.IdentityModel.CredentialUse.Outbound, ref authdata); } flag = true; } SspiContextFlags inFlags = SspiContextFlags.AllocateMemory | SspiContextFlags.Confidentiality | SspiContextFlags.SequenceDetect | SspiContextFlags.ReplayDetect; if (tokenImpersonationLevel == TokenImpersonationLevel.Identification) { inFlags |= SspiContextFlags.InitIdentify; } SspiContextFlags zero = SspiContextFlags.Zero; System.IdentityModel.SecurityBuffer inputBuffer = null; if (channelBinding != null) { inputBuffer = new System.IdentityModel.SecurityBuffer(channelBinding); } System.IdentityModel.SecurityBuffer outputBuffer = new System.IdentityModel.SecurityBuffer(0, System.IdentityModel.BufferType.Token); int error = SspiWrapper.InitializeSecurityContext(credentialsHandle, ref context, this.servicePrincipalName, inFlags, System.IdentityModel.Endianness.Native, inputBuffer, outputBuffer, ref zero); switch (error) { case 0: break; case 0x90312: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("KerberosMultilegsNotSupported"), new Win32Exception(error))); default: throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new SecurityTokenException(System.IdentityModel.SR.GetString("FailInitializeSecurityContext"), new Win32Exception(error))); } this.apreq = outputBuffer.token; LifeSpan span = (LifeSpan)SspiWrapper.QueryContextAttributes(context, System.IdentityModel.ContextAttribute.Lifespan); this.effectiveTime = span.EffectiveTimeUtc; this.expirationTime = span.ExpiryTimeUtc; SecuritySessionKeyClass class2 = (SecuritySessionKeyClass)SspiWrapper.QueryContextAttributes(context, System.IdentityModel.ContextAttribute.SessionKey); this.symmetricSecurityKey = new InMemorySymmetricSecurityKey(class2.SessionKey); } finally { if (context != null) { context.Close(); } if (flag && (credentialsHandle != null)) { credentialsHandle.Close(); } } }
internal static int InitializeSecurityContext(SafeFreeCredentials credential, ref SafeDeleteContext context, string targetName, SspiContextFlags inFlags, Endianness datarep, SecurityBuffer[] inputBuffers, SecurityBuffer outputBuffer, ref SspiContextFlags outFlags) { return(SafeDeleteContext.InitializeSecurityContext(credential, ref context, targetName, inFlags, datarep, null, inputBuffers, outputBuffer, ref outFlags)); }
public SpnegoTokenProvider(System.IdentityModel.SafeFreeCredentials credentialsHandle) : this(credentialsHandle, null) { }
private void AcquireServerCredentials() { SecureCredential scc = new SecureCredential(4, this.serverCertificate, SecureCredential.Flags.Zero, this.protocolFlags); this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle("Microsoft Unified Security Protocol Provider", CredentialUse.Inbound, scc); }
private void Dispose(bool disposing) { lock (this.syncObject) { if (!this.disposed) { this.disposed = true; if (disposing) { if (this.securityContext != null) { this.securityContext.Close(); this.securityContext = null; } if (this.credentialsHandle != null) { this.credentialsHandle.Close(); this.credentialsHandle = null; } } this.connectionInfo = null; this.destination = null; this.streamSizes = null; } } }
private void AcquireDummyCredentials() { SecureCredential secureCredential = new SecureCredential(SecureCredential.CurrentVersion, null, SecureCredential.Flags.ValidateManual | SecureCredential.Flags.NoDefaultCred, this.protocolFlags); this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle(SecurityPackage, CredentialUse.Outbound, secureCredential); }
private void AcquireDummyCredentials() { SecureCredential scc = new SecureCredential(4, null, SecureCredential.Flags.NoDefaultCred | SecureCredential.Flags.ValidateManual, this.protocolFlags); this.credentialsHandle = SspiWrapper.AcquireCredentialsHandle("Microsoft Unified Security Protocol Provider", CredentialUse.Outbound, scc); }
private void Dispose(bool disposing) { lock (this.syncObject) { if (this.disposed == false) { this.disposed = true; if (disposing) { if (this.securityContext != null) { this.securityContext.Close(); this.securityContext = null; } if (this.credentialsHandle != null) { this.credentialsHandle.Close(); this.credentialsHandle = null; } } // set to null any references that aren't finalizable this.connectionInfo = null; this.destination = null; this.streamSizes = null; } } }
internal static unsafe int InitializeSecurityContext(SafeFreeCredentials inCredentials, ref SafeDeleteContext refContext, string targetName, SspiContextFlags inFlags, Endianness endianness, SecurityBuffer inSecBuffer, SecurityBuffer[] inSecBuffers, SecurityBuffer outSecBuffer, ref SspiContextFlags outFlags) { if (inCredentials == null) { throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("inCredentials"); } SecurityBufferDescriptor inputBuffer = null; if (inSecBuffer != null) { inputBuffer = new SecurityBufferDescriptor(1); } else if (inSecBuffers != null) { inputBuffer = new SecurityBufferDescriptor(inSecBuffers.Length); } SecurityBufferDescriptor outputBuffer = new SecurityBufferDescriptor(1); bool flag = (inFlags & SspiContextFlags.AllocateMemory) != SspiContextFlags.Zero; int num = -1; SSPIHandle handle = new SSPIHandle(); if (refContext != null) { handle = refContext._handle; } GCHandle[] handleArray = null; GCHandle handle2 = new GCHandle(); SafeFreeContextBuffer handleTemplate = null; try { handle2 = GCHandle.Alloc(outSecBuffer.token, GCHandleType.Pinned); SecurityBufferStruct[] structArray = new SecurityBufferStruct[(inputBuffer == null) ? 1 : inputBuffer.Count]; try { SecurityBufferStruct[] structArray3; if (((structArray3 = structArray) == null) || (structArray3.Length == 0)) { ptrRef = null; goto Label_00A9; } fixed (IntPtr* ptrRef = structArray3) { Label_00A9: if (inputBuffer != null) { inputBuffer.UnmanagedPointer = (void*) ptrRef; handleArray = new GCHandle[inputBuffer.Count]; for (int i = 0; i < inputBuffer.Count; i++) { SecurityBuffer buffer2 = (inSecBuffer != null) ? inSecBuffer : inSecBuffers[i]; if (buffer2 != null) { structArray[i].count = buffer2.size; structArray[i].type = buffer2.type; if (buffer2.unmanagedToken != null) { structArray[i].token = buffer2.unmanagedToken.DangerousGetHandle(); } else if ((buffer2.token == null) || (buffer2.token.Length == 0)) { structArray[i].token = IntPtr.Zero; } else { handleArray[i] = GCHandle.Alloc(buffer2.token, GCHandleType.Pinned); structArray[i].token = Marshal.UnsafeAddrOfPinnedArrayElement(buffer2.token, buffer2.offset); } } } } SecurityBufferStruct[] structArray2 = new SecurityBufferStruct[1]; try { SecurityBufferStruct[] structArray4; if (((structArray4 = structArray2) == null) || (structArray4.Length == 0)) { ptrRef2 = null; goto Label_01CF; } fixed (IntPtr* ptrRef2 = structArray4) { Label_01CF: outputBuffer.UnmanagedPointer = (void*) ptrRef2; structArray2[0].count = outSecBuffer.size; structArray2[0].type = outSecBuffer.type; if ((outSecBuffer.token == null) || (outSecBuffer.token.Length == 0)) { structArray2[0].token = IntPtr.Zero; } else { structArray2[0].token = Marshal.UnsafeAddrOfPinnedArrayElement(outSecBuffer.token, outSecBuffer.offset); } if (flag) { handleTemplate = SafeFreeContextBuffer.CreateEmptyHandle(); } if ((refContext == null) || refContext.IsInvalid) { refContext = new SafeDeleteContext(); } if ((targetName == null) || (targetName.Length == 0)) { targetName = " "; } fixed (char* str = ((char*) targetName)) { char* chPtr = str; num = MustRunInitializeSecurityContext(inCredentials, handle.IsZero ? null : ((void*) &handle), (targetName == " ") ? null : ((byte*) chPtr), inFlags, endianness, inputBuffer, refContext, outputBuffer, ref outFlags, handleTemplate); } outSecBuffer.size = structArray2[0].count; outSecBuffer.type = structArray2[0].type; if (outSecBuffer.size > 0) { outSecBuffer.token = DiagnosticUtility.Utility.AllocateByteArray(outSecBuffer.size); Marshal.Copy(structArray2[0].token, outSecBuffer.token, 0, outSecBuffer.size); return num; } outSecBuffer.token = null; return num; } } finally { ptrRef2 = null; } return num; } } finally { ptrRef = null; } } finally { if (handleArray != null) { for (int j = 0; j < handleArray.Length; j++) { if (handleArray[j].IsAllocated) { handleArray[j].Free(); } } } if (handle2.IsAllocated) { handle2.Free(); } if (handleTemplate != null) { handleTemplate.Close(); } } return num; }