예제 #1
 // P/Invoke declaration for the SSPI AcquireCredentialsHandle function. The int return value is
 // the native SECURITY_STATUS; callers must check it before using phCredential.
 // The DllImport attribute is not part of this excerpt, so the target library and the string
 // marshaling (CharSet) cannot be confirmed from here.
 // NOTE(review): ptsExpiry is typed as SecHandle although the native parameter is a PTimeStamp;
 // presumably this relies on SecHandle being at least as large as a TimeStamp - confirm.
 private extern static int AcquireCredentialsHandle(
     string pszPrincipal,
     string pszPackage,
     int fCredentialUse,
     IntPtr pvLogonID,
     IntPtr pAuthData,
     IntPtr pGetKeyFn,
     IntPtr pvGetKeyArgument,
     ref SecHandle phCredential,
     out SecHandle ptsExpiry
 );
예제 #2
파일: SSPIHandler.cs 프로젝트: tenor/Npgsql
 // P/Invoke declaration for the SSPI InitializeSecurityContext function in the shape that passes
 // an existing context handle and an input buffer descriptor by reference.
 // The int return value is the native SECURITY_STATUS; callers must check it before using
 // phNewContext or pOutput.
 // NOTE(review): pOutput is declared `out`, but the native function reads the caller's descriptor
 // unless ISC_REQ_ALLOCATE_MEMORY is requested - confirm how callers set fContextReq.
 // NOTE(review): ptsExpiry is typed as SecHandle rather than a TimeStamp type - confirm the sizes.
 static extern int InitializeSecurityContext(
     ref SecHandle phCredential,
     ref SecHandle phContext,
     string pszTargetName,
     int fContextReq,
     int Reserved1,
     int TargetDataRep,
     ref SecBufferDesc pInput,
     int Reserved2,
     out SecHandle phNewContext,
     out SecBufferDesc pOutput,
     out int pfContextAttr,
     out SecHandle ptsExpiry);
예제 #3
 // P/Invoke declaration for the SSPI InitializeSecurityContext function in which phContext and
 // pInput are raw IntPtr values, so a caller can pass IntPtr.Zero when no context handle or
 // input token exists yet.
 // The int return value is the native SECURITY_STATUS and must be checked by the caller.
 // NOTE(review): pOutput is `out` and ptsExpiry is typed as SecHandle; both differ from the
 // native in/out descriptor and TimeStamp parameters - confirm against the struct definitions.
 static extern int InitializeSecurityContext(
     ref SecHandle phCredential,
     IntPtr phContext,
     string pszTargetName,
     int fContextReq,
     int Reserved1,
     int TargetDataRep,
     IntPtr pInput,
     int Reserved2,
     out SecHandle phNewContext,
     out SecBufferDesc pOutput,
     out int pfContextAttr,
     out SecHandle ptsExpiry);
예제 #4
 // P/Invoke declaration for the SSPI InitializeSecurityContext function with explicit [In]/[Out]
 // marshaling attributes. phNewContext and pOutput are passed by ref as in/out, so the caller
 // supplies the storage that receives the new context handle and the output token.
 // The int return value is the native SECURITY_STATUS and must be checked by the caller.
 // pfContextAttr receives the context attribute flags; per the native API these describe what was
 // actually granted, so callers that depend on a requested protection should inspect them.
 public static extern int InitializeSecurityContext(
     [In] ref SecHandle phCredential,
     [In] ref SecHandle phContext,
     [In] string pszTargetName,
     [In] int fContextReq,
     [In] int Reserved1,
     [In] int TargetDataRep,
     [In] ref SecBufferDesc SecBufferDesc,
     [In] int Reserved2,
     [In][Out] ref SecHandle phNewContext,
     [In][Out] ref SecBufferDesc pOutput,
     [Out] out uint pfContextAttr,
     [Out] out SECURITY_INTEGER ptsExpiry);
예제 #5
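 // Returns a managed copy of the session key of the given security context, or an empty array
 // when the SESSION_KEY attribute query does not report success.
 // An empty result therefore means "no key available"; callers must not use it as key material.
 // The returned array holds secret data and stays in managed memory until the caller clears it.
 internal static byte[] GetSessionKey(SecHandle context)
 {
     using (var buffer = new SafeStructureInOutBuffer <SecPkgContext_SessionKey>())
     {
         var result = SecurityNativeMethods.QueryContextAttributesEx(context, SECPKG_ATTR.SESSION_KEY, buffer, buffer.Length);
         if (result != SecStatusCode.Success)
         {
             return new byte[0];
         }

         // Read the structure once so the same pointer is copied from and then released.
         var key = buffer.Result;
         try
         {
             byte[] ret = new byte[key.SessionKeyLength];
             Marshal.Copy(key.SessionKey, ret, 0, ret.Length);
             return ret;
         }
         finally
         {
             // The key bytes are allocated by the security package, not by `buffer`; disposing
             // `buffer` does not release them, so free them explicitly to avoid leaking key memory.
             if (key.SessionKey != IntPtr.Zero)
             {
                 SecurityNativeMethods.FreeContextBuffer(key.SessionKey);
             }
         }
     }
 }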
        // Managed wrapper around the native InitializeSecurityContext call.
        // Converts the input/output SecurityBuffer lists to native descriptors, performs the call,
        // runs CompleteAuthToken when the status asks for it, and copies the native output back
        // into `output`. Returns the status of the failing step, otherwise the status of the
        // initial call. All native buffers are owned by the DisposableList and released on exit.
        // NOTE(review): `input`/`output` may be null; the ToDesc extension is then invoked on a
        // null list - presumably it handles that, confirm.
        internal static SecStatusCode InitializeSecurityContext(
            CredentialHandle credential,
            SecHandle context,
            string target_name,
            InitializeContextReqFlags req_attributes,
            SecDataRep data_rep,
            IList <SecurityBuffer> input,
            SecHandle new_context,
            IList <SecurityBuffer> output,
            out InitializeContextRetFlags ret_attributes,
            LargeInteger expiry,
            bool throw_on_error)
        {
            using (DisposableList resources = new DisposableList())
            {
                var in_list  = input?.ToBufferList(resources);
                var out_list = output?.ToBufferList(resources);
                var in_desc  = in_list.ToDesc(resources);
                var out_desc = out_list.ToDesc(resources);

                var status = SecurityNativeMethods.InitializeSecurityContext(
                    credential.CredHandle, context, target_name, req_attributes, 0, data_rep,
                    in_desc, 0, new_context, out_desc, out ret_attributes, expiry).CheckResult(throw_on_error);
                if (!status.IsSuccess())
                {
                    return status;
                }

                try
                {
                    bool needs_completion = status == SecStatusCode.SEC_I_COMPLETE_NEEDED ||
                                            status == SecStatusCode.SEC_I_COMPLETE_AND_CONTINUE;
                    if (!needs_completion)
                    {
                        return status;
                    }

                    var completed = SecurityNativeMethods.CompleteAuthToken(new_context, out_desc).CheckResult(throw_on_error);
                    return completed.IsSuccess() ? status : completed;
                }
                finally
                {
                    // Runs on every exit from the try block, including a failed or throwing
                    // CompleteAuthToken, so `output` is refreshed in those cases as well.
                    if (status.IsSuccess())
                    {
                        output?.UpdateBuffers(out_desc);
                    }
                }
            }
        }
예제 #7
 // P/Invoke declaration for the SSPI InitializeSecurityContext function. The trailing comments
 // name the native type each managed parameter stands for.
 // The int return value is the native SECURITY_STATUS and must be checked by the caller before
 // phNewContext or pOutput is used. pOutput is `ref`, so the caller supplies the descriptor.
 static extern int InitializeSecurityContext(
     ref SecHandle phCredential,          //PCredHandle
     ref SecHandle phContext,             //PCtxtHandle
     string pszTargetName,
     int fContextReq,
     int Reserved1,
     int TargetDataRep,
     ref SecBufferDesc SecBufferDesc,    //PSecBufferDesc SecBufferDesc
     int Reserved2,
     out SecHandle phNewContext,         //PCtxtHandle
     ref SecBufferDesc pOutput,          //PSecBufferDesc SecBufferDesc
     out uint pfContextAttr,             //managed ulong == 64 bits!!! (so uint is used for the 32-bit native value)
     out SecInteger ptsExpiry            //PTimeStamp
     );
예제 #8
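        /// <summary>
        /// Creates an SspiHelper for the given security package and remote principal and acquires
        /// outbound (client) credentials for that package.
        /// </summary>
        /// <param name="securityPackage">Name of the security package (e.g. NTLM, Kerberos, ...).</param>
        /// <param name="remotePrincipal">SPN of the server (may be necessary for Kerberos).</param>
        /// <exception cref="Exception">AcquireCredentialsHandle returned a status other than SEC_E_OK.</exception>
        public SspiHelper(string securityPackage, string remotePrincipal)
        {
            _securPackage      = securityPackage;
            _remotePrincipal   = remotePrincipal;
            _clientCredentials = new SecHandle();

            // No principal, logon id or auth data is supplied; the expiry output is not used.
            int resCode = AcquireCredentialsHandle(null, securityPackage, SECPKG_CRED_OUTBOUND,
                                                   IntPtr.Zero, IntPtr.Zero, 0, IntPtr.Zero,
                                                   out _clientCredentials, out _);

            if (resCode != SEC_E_OK)
            {
                // Include the status so an unknown package can be told apart from missing
                // credentials when the failure is logged or investigated.
                throw new Exception($"{nameof(AcquireCredentialsHandle)} failed with status 0x{resCode:X8}");
            }
        }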
예제 #9
 // Queries a certificate-context attribute of the security context and wraps it in an
 // X509Certificate2. The native certificate context returned by the query is always released
 // through CertFreeCertificateContext, whether or not the managed certificate could be built.
 // NOTE(review): presumably CheckResult() throws on a failure status, so the pointer is only
 // used after a successful query - confirm.
 private static X509Certificate2 GetCertificate(SecHandle context, SECPKG_ATTR attr)
 {
     using (var cert_context = new SafeStructureInOutBuffer <IntPtr>())
     {
         var status = SecurityNativeMethods.QueryContextAttributesEx(context, attr, cert_context, cert_context.Length);
         status.CheckResult();

         try
         {
             X509Certificate2 certificate = new X509Certificate2(cert_context.Result);
             return certificate;
         }
         finally
         {
             SecurityNativeMethods.CertFreeCertificateContext(cert_context.Result);
         }
     }
 }
        // Decrypts a single EncryptedMessage: the message bytes go into one in/out data buffer,
        // the signature is passed alongside, and the buffer contents are returned after the
        // multi-buffer DecryptMessage overload has run.
        // Throws ArgumentNullException when `message` is null.
        internal static byte[] DecryptMessage(
            SecHandle context,
            EncryptedMessage message,
            int sequence_no)
        {
            if (message is null)
            {
                throw new ArgumentNullException(nameof(message));
            }

            SecurityBuffer data = new SecurityBufferInOut(SecurityBufferType.Data, message.Message);
            SecurityBuffer[] buffers = { data };

            DecryptMessage(context, buffers, message.Signature, sequence_no);

            byte[] plaintext = data.ToArray();
            return plaintext;
        }
        // Checks `signature` over `messages` with the native VerifySignature call.
        // The signature is appended to the message buffers as a read-only token buffer.
        // Returns true only when the native status equals SecStatusCode.SUCCESS; every other
        // status, whatever its cause, is reported as false.
        internal static bool VerifySignature(
            SecHandle context,
            IEnumerable <SecurityBuffer> messages,
            byte[] signature,
            int sequence_no)
        {
            var all_buffers = new List<SecurityBuffer>(messages);
            var sig_token   = new SecurityBufferInOut(SecurityBufferType.Token | SecurityBufferType.ReadOnly, signature);

            all_buffers.Add(sig_token);

            using (var resources = new DisposableList())
            {
                List<SecBuffer> native_buffers = all_buffers.ToBufferList(resources);
                SecBufferDesc   descriptor     = native_buffers.ToDesc(resources);
                var status = SecurityNativeMethods.VerifySignature(context, descriptor, sequence_no, out int _);

                return status == SecStatusCode.SUCCESS;
            }
        }
        // Encrypts a single byte array: the bytes go into one in/out data buffer, the
        // multi-buffer EncryptMessage overload produces the signature, and both are returned
        // together as an EncryptedMessage.
        // Throws ArgumentNullException when `message` is null.
        internal static EncryptedMessage EncryptMessage(
            SecHandle context,
            SecurityQualityOfProtectionFlags flags,
            byte[] message,
            int sequence_no)
        {
            if (message is null)
            {
                throw new ArgumentNullException(nameof(message));
            }

            SecurityBuffer data = new SecurityBufferInOut(SecurityBufferType.Data, message);
            SecurityBuffer[] buffers = { data };

            var sig = EncryptMessage(context, flags, buffers, sequence_no);
            byte[] ciphertext = data.ToArray();

            return new EncryptedMessage(ciphertext, sig);
        }
예제 #13
        // Decrypts `messages` in place with the native DecryptMessage call. The signature is
        // appended as a read-only token buffer, and the managed buffers are refreshed from the
        // native ones after the call.
        // NOTE(review): presumably CheckResult() throws on a failure status, so the buffers are
        // only updated after a successful decrypt - confirm.
        internal static void DecryptMessage(
            SecHandle context,
            IEnumerable <SecurityBuffer> messages,
            byte[] signature,
            int sequence_no)
        {
            var all_buffers = new List<SecurityBuffer>(messages);
            var sig_token   = new SecurityBufferInOut(SecurityBufferType.Token | SecurityBufferType.ReadOnly, signature);

            all_buffers.Add(sig_token);

            using (var resources = new DisposableList())
            {
                var native_buffers = all_buffers.ToBufferList(resources);
                var descriptor     = native_buffers.ToDesc(resources);
                var status         = SecurityNativeMethods.DecryptMessage(context, descriptor, sequence_no, out _);

                status.CheckResult();
                all_buffers.UpdateBuffers(native_buffers);
            }
        }
        // Signs `messages` with the native MakeSignature call and returns the signature bytes.
        // The output token buffer is sized from cbMaxSignature of the context's SIZES attribute
        // and appended after the message buffers.
        // NOTE(review): presumably CheckResult() throws on a failure status - confirm.
        internal static byte[] MakeSignature(
            SecHandle context,
            int flags,
            IEnumerable <SecurityBuffer> messages,
            int sequence_no)
        {
            var sizes = QueryContextAttribute <SecPkgContext_Sizes>(context, SECPKG_ATTR.SIZES);
            int signature_capacity = sizes.cbMaxSignature;

            var all_buffers = new List<SecurityBuffer>(messages);
            var sig_out     = new SecurityBufferOut(SecurityBufferType.Token, signature_capacity);
            all_buffers.Add(sig_out);

            using (var resources = new DisposableList())
            {
                List<SecBuffer> native_buffers = all_buffers.ToBufferList(resources);
                SecBufferDesc   descriptor     = native_buffers.ToDesc(resources);
                var status = SecurityNativeMethods.MakeSignature(context, flags, descriptor, sequence_no);

                status.CheckResult();
                all_buffers.UpdateBuffers(descriptor);
                return sig_out.ToArray();
            }
        }
예제 #15
        // Encrypts `messages` in place with the native EncryptMessage call and returns the
        // contents of the token buffer that was appended for it. That buffer is sized from
        // cbSecurityTrailer of the context's SIZES attribute.
        // NOTE(review): presumably CheckResult() throws on a failure status - confirm.
        internal static byte[] EncryptMessage(
            SecHandle context,
            SecQopFlags flags,
            IEnumerable <SecurityBuffer> messages,
            int sequence_no)
        {
            var all_buffers   = new List<SecurityBuffer>(messages);
            var context_sizes = QueryContextAttribute <SecPkgContext_Sizes>(context, SECPKG_ATTR.SIZES);
            var trailer_out   = new SecurityBufferOut(SecurityBufferType.Token, context_sizes.cbSecurityTrailer);

            all_buffers.Add(trailer_out);

            using (var resources = new DisposableList())
            {
                var native_buffers = all_buffers.ToBufferList(resources);
                var descriptor     = native_buffers.ToDesc(resources);
                var status         = SecurityNativeMethods.EncryptMessage(context, flags, descriptor, sequence_no);

                status.CheckResult();
                all_buffers.UpdateBuffers(native_buffers);
                return trailer_out.ToArray();
            }
        }
        // Returns a managed copy of the context's session key, or an empty array when the
        // SESSION_KEY attribute query does not report SUCCESS. The native key buffer is released
        // with FreeContextBuffer once it has been copied, even if the copy throws.
        // An empty result means "no key available"; callers must not use it as key material.
        // The returned array holds secret data and stays in managed memory until the caller clears it.
        internal static byte[] GetSessionKey(SecHandle context)
        {
            var query = QueryContextAttributeNoThrow <SecPkgContext_SessionKey>(context, SECPKG_ATTR.SESSION_KEY);

            if (query.Item2 == SecStatusCode.SUCCESS)
            {
                var session_key = query.Item1;

                try
                {
                    byte[] copy = new byte[session_key.SessionKeyLength];
                    Marshal.Copy(session_key.SessionKey, copy, 0, copy.Length);
                    return copy;
                }
                finally
                {
                    SecurityNativeMethods.FreeContextBuffer(session_key.SessionKey);
                }
            }

            return new byte[0];
        }
        // Decrypts `messages` in place with the native DecryptMessage call, without appending a
        // separate signature buffer. The managed buffers are refreshed from the native descriptor
        // after the call.
        // Throws ArgumentNullException when `context` or `messages` is null.
        // NOTE(review): presumably CheckResult() throws on a failure status - confirm.
        internal static void DecryptMessageNoSignature(
            SecHandle context,
            IEnumerable <SecurityBuffer> messages,
            int sequence_no)
        {
            if (context is null)
            {
                throw new ArgumentNullException(nameof(context));
            }
            if (messages is null)
            {
                throw new ArgumentNullException(nameof(messages));
            }

            using (var resources = new DisposableList())
            {
                var native_buffers = messages.ToBufferList(resources);
                var descriptor     = native_buffers.ToDesc(resources);
                var status         = SecurityNativeMethods.DecryptMessage(context, descriptor, sequence_no, out _);

                status.CheckResult();
                messages.UpdateBuffers(descriptor);
            }
        }
        // Serializes a security context with the native ExportSecurityContext call and returns
        // the bytes together with the token handle, when a valid one was returned.
        // The natively allocated export buffer is released with FreeContextBuffer on every path.
        // Throws ArgumentNullException when `context` is null.
        // NOTE(review): the exported blob represents an established context, so callers should
        // presumably handle it as sensitive data - confirm with the package documentation.
        internal static ExportedSecurityContext ExportContext(SecHandle context, SecPkgContextExportFlags export_flags, string package, bool client)
        {
            if (context is null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            SecBuffer exported = new SecBuffer(SecurityBufferType.Empty);

            try
            {
                var status = SecurityNativeMethods.ExportSecurityContext(context, export_flags,
                                                                         exported, out SafeKernelObjectHandle token);
                status.CheckResult();

                byte[] blob = exported.ToArray();
                var nt_token = token.IsInvalid ? null : NtToken.FromHandle(token);
                return new ExportedSecurityContext(package, blob, nt_token, client);
            }
            finally
            {
                // pvBuffer stays zero when the native call produced no buffer.
                if (exported.pvBuffer != IntPtr.Zero)
                {
                    SecurityNativeMethods.FreeContextBuffer(exported.pvBuffer);
                }
            }
        }
        // Encrypts `messages` in place and returns the contents of the token buffer that was
        // appended for the call. That buffer is sized by GetSecurityTrailerSize(context); the
        // encryption itself is done by EncryptMessageNoSignature.
        // Throws ArgumentNullException when `context` or `messages` is null.
        internal static byte[] EncryptMessage(
            SecHandle context,
            SecurityQualityOfProtectionFlags flags,
            IEnumerable <SecurityBuffer> messages,
            int sequence_no)
        {
            if (context is null)
            {
                throw new ArgumentNullException(nameof(context));
            }
            if (messages is null)
            {
                throw new ArgumentNullException(nameof(messages));
            }

            var all_buffers = new List<SecurityBuffer>(messages);
            var trailer_out = new SecurityBufferOut(SecurityBufferType.Token, GetSecurityTrailerSize(context));
            all_buffers.Add(trailer_out);

            EncryptMessageNoSignature(context, flags, all_buffers, sequence_no);

            byte[] trailer = trailer_out.ToArray();
            return trailer;
        }
예제 #20
 // P/Invoke declaration for the SSPI FreeCredentialsHandle function. Returns the native
 // SECURITY_STATUS as an int; the handle must not be used again after a successful call.
 static extern int FreeCredentialsHandle(ref SecHandle phCredential);         //PCredHandle
예제 #21
 // P/Invoke declaration for the SSPI QuerySecurityContextToken function. Returns the native
 // SECURITY_STATUS as an int; on success phToken holds an access token handle that the caller
 // owns and has to close.
 public static extern int QuerySecurityContextToken(ref SecHandle phContext, ref IntPtr phToken);
예제 #22
 // P/Invoke declaration for the SSPI DeleteSecurityContext function. Returns the native
 // SECURITY_STATUS as an int; the context handle must not be used again after a successful call.
 public static extern int DeleteSecurityContext(ref SecHandle phContext);
예제 #23
 // P/Invoke declaration for the SSPI AcceptSecurityContext function (server side of a handshake).
 // phContext is a raw IntPtr, so a caller can pass IntPtr.Zero when no context exists yet.
 // The int return value is the native SECURITY_STATUS; callers must check it before trusting
 // phNewContext, pOutput or pfContextAttr.
 public static extern int AcceptSecurityContext(ref SecHandle phCredential, IntPtr phContext,
                                                ref SecBufferDesc pInput, uint fContextReq, uint TargetDataRep,
                                                ref SecHandle phNewContext, ref SecBufferDesc pOutput,
                                                ref uint pfContextAttr, ref long ptsTimeStamp);
		// Frees the client credential handle when it is currently valid and replaces the field
		// with a fresh SecHandle, so a second call does not free the same handle again.
		// The status returned by FreeCredentialsHandle is not inspected.
		private void CloseClientCredentials()
		{
			if (_clientCredentials.IsInvalid)
			{
				return;
			}

			FreeCredentialsHandle(ref _clientCredentials);
			_clientCredentials = new SecHandle();
		}
		// P/Invoke declaration for the SSPI DeleteSecurityContext function. Returns the native
		// SECURITY_STATUS as an int; the context handle must not be used again after a successful call.
		static extern int DeleteSecurityContext(ref SecHandle phContext); //PCtxtHandle
예제 #26
        /// <summary>
        /// Fills <paramref name="secPkgContext_Sizes"/> through a QueryContextAttributes call
        /// with SECPKG_ATTR_SIZES, using the NT or the non-NT entry point depending on _isNT.
        /// Throws an exception if the call does not return SEC_E_OK.
        /// </summary>
        /// <param name="phContext">Security context.</param>
        /// <param name="secPkgContext_Sizes">Reference to the SecPkgContext_Sizes instance that receives the sizes.</param>
        public static void QueryContextSizes(SecHandle phContext, ref SecPkgContext_Sizes secPkgContext_Sizes)
        {
            int status = _isNT
                ? QueryContextAttributes_NT(phContext, SECPKG_ATTR_SIZES, ref secPkgContext_Sizes)
                : QueryContextAttributes__(phContext, SECPKG_ATTR_SIZES, ref secPkgContext_Sizes);

            if (status == SspiApi.SEC_E_OK)
            {
                return;
            }

            throw GenuineExceptions.Get_Windows_SspiError(status);
        }
예제 #27
 // P/Invoke declaration for the SSPI AcquireCredentialsHandle function. The int return value is
 // the native SECURITY_STATUS; callers must check it before using phCredential.
 // phCredential and ptsExpiry are `ref`, so the caller provides the storage that receives the
 // credential handle and the expiry time stamp (held here as a 64-bit long).
 public static extern int AcquireCredentialsHandle(string pszPrincipal, string pszPackage, uint fCredentialUse,
     IntPtr pvLogonID, IntPtr pAuthData, IntPtr pGetKeyFn,
     IntPtr pvGetKeyArgument, ref SecHandle phCredential,
     ref long ptsExpiry);
예제 #28
 // P/Invoke declaration for the SSPI RevertSecurityContext function, which ends an impersonation
 // started with ImpersonateSecurityContext. Returns the native SECURITY_STATUS as an int.
 // NOTE(review): SecHandle is passed without ref/out while the native parameter is a pointer;
 // presumably SecHandle is a reference type in this project - confirm.
 private static extern int RevertSecurityContext__(SecHandle phContext);
예제 #29
 // P/Invoke declaration for the SSPI VerifySignature function. Returns the native SECURITY_STATUS
 // as an int; only a success status means the signature over pMessage was accepted.
 // pfQOP receives the quality-of-protection value reported by the package.
 private static extern int VerifySignature__(SecHandle phContext,
     ref SecBufferDescNative pMessage, int MessageSeqNo,
     ref int pfQOP);
예제 #30
        /// <summary>
        /// Calls the DeleteSecurityContext SSPI API function through the NT or the non-NT
        /// entry point, depending on _isNT, and then zeroes both halves of the handle.
        /// Ignores all possible returned errors.
        /// </summary>
        /// <param name="phContext">Security context being deleted.</param>
        public static void DeleteSecurityContext(SecHandle phContext)
        {
            // NOTE(review): the handle is received without ref; the zeroing below reaches the
            // caller's copy only if SecHandle is a reference type - confirm.
            if (!_isNT)
            {
                DeleteSecurityContext__(phContext);
            }
            else
            {
                DeleteSecurityContext_NT(phContext);
            }

            phContext.dwLower = 0;
            phContext.dwUpper = 0;
        }
예제 #31
        /// <summary>
        /// Calls the FreeCredentialsHandle SSPI API function through the NT or the non-NT
        /// entry point, depending on _isNT, and then zeroes both halves of the handle.
        /// Ignores all possible returned errors.
        /// </summary>
        /// <param name="credHandle">Credential handle being freed.</param>
        public static void FreeCredentialsHandle(SecHandle credHandle)
        {
            // NOTE(review): the handle is received without ref; the zeroing below reaches the
            // caller's copy only if SecHandle is a reference type - confirm.
            if (!_isNT)
            {
                FreeCredentialsHandle__(credHandle);
            }
            else
            {
                FreeCredentialsHandle_NT(credHandle);
            }

            credHandle.dwLower = 0;
            credHandle.dwUpper = 0;
        }
예제 #32
        /// <summary>
        /// Duplicates the security token of a security context for another process.
        /// Throws an exception if QuerySecurityContextToken does not return SEC_E_OK.
        /// </summary>
        /// <param name="phContext">Security context handle.</param>
        /// <param name="remoteProcessId">The identifier of the remote process.</param>
        /// <returns>The handle of security token for another process.</returns>
        public static IntPtr CloneSecurityToken(SecHandle phContext, int remoteProcessId)
        {
            // Obtain the token that belongs to the security context.
            IntPtr contextToken = IntPtr.Zero;
            int status = _isNT
                ? QuerySecurityContextToken_NT(phContext, out contextToken)
                : QuerySecurityContextToken__(phContext, out contextToken);

            if (status != SspiApi.SEC_E_OK)
            {
                throw GenuineExceptions.Get_Windows_SspiError(status);
            }

            try
            {
                IntPtr cloned = CloneSecurityToken(contextToken, remoteProcessId);
                return cloned;
            }
            finally
            {
                // The local token handle is closed whether or not the duplication succeeded.
                CloseHandle(contextToken);
            }
        }
예제 #33
 // P/Invoke declaration for the SSPI FreeCredentialsHandle function. Returns the native
 // SECURITY_STATUS as an int. The parameter is named phContext here although the native
 // function takes a credential handle.
 // NOTE(review): SecHandle is passed without ref/out while the native parameter is a pointer;
 // presumably SecHandle is a reference type in this project - confirm.
 private static extern int FreeCredentialsHandle__(SecHandle phContext);
		// P/Invoke declaration for the SSPI InitializeSecurityContext function. The trailing
		// comments name the native type each managed parameter stands for.
		// The int return value is the native SECURITY_STATUS and must be checked by the caller
		// before phNewContext or pOutput is used. pOutput is `ref`, so the caller supplies the descriptor.
		static extern int InitializeSecurityContext(
			ref SecHandle phCredential,//PCredHandle
			ref SecHandle phContext, //PCtxtHandle
			string pszTargetName,
			int fContextReq,
			int Reserved1,
			int TargetDataRep,
			ref SecBufferDesc SecBufferDesc, //PSecBufferDesc SecBufferDesc
			int Reserved2,
			out SecHandle phNewContext, //PCtxtHandle
			ref SecBufferDesc pOutput, //PSecBufferDesc SecBufferDesc
			out uint pfContextAttr, //managed ulong == 64 bits!!! (so uint is used for the 32-bit native value)
			out SecInteger ptsExpiry //PTimeStamp
		);
예제 #35
 // P/Invoke declaration for the SSPI DeleteSecurityContext function. Returns the native
 // SECURITY_STATUS as an int; the context handle must not be used again after a successful call.
 private extern static int DeleteSecurityContext(
     ref SecHandle phContext
     );
예제 #36
        /// <summary>
        /// Calls the QuerySecurityContextToken SSPI API function through the NT or the non-NT
        /// entry point, depending on _isNT, and wraps the returned token in a WindowsIdentity.
        /// Throws an exception if the call does not return SEC_E_OK.
        /// </summary>
        /// <param name="phContext">Security context handle.</param>
        /// <returns>WindowsIdentity representing the user account.</returns>
        public static WindowsIdentity QuerySecurityContextToken(SecHandle phContext)
        {
            IntPtr contextToken = IntPtr.Zero;
            int status = _isNT
                ? QuerySecurityContextToken_NT(phContext, out contextToken)
                : QuerySecurityContextToken__(phContext, out contextToken);

            if (status != SspiApi.SEC_E_OK)
            {
                throw GenuineExceptions.Get_Windows_SspiError(status);
            }

            try
            {
                WindowsIdentity identity = new WindowsIdentity(contextToken);
                return identity;
            }
            finally
            {
                // The token handle obtained above is closed on every path, including when the
                // WindowsIdentity constructor throws.
                CloseHandle(contextToken);
            }
        }
예제 #37
 // P/Invoke declaration for the SSPI AcceptSecurityContext function (server side of a handshake).
 // The int return value is the native SECURITY_STATUS; callers must check it before trusting
 // phNewContext, pOutput or pfContextAttr.
 // NOTE(review): the three SecHandle parameters are passed without ref/out while the native
 // parameters are pointers; presumably SecHandle is a reference type in this project - confirm.
 private static extern int AcceptSecurityContext__(SecHandle phCredential,
     SecHandle phContext, ref SecBufferDescNative pInput, int fContextReq, int TargetDataRep,
     SecHandle phNewContext, ref SecBufferDescNative pOutput, ref int pfContextAttr,
     ref Int64 ptsExpiry);
예제 #38
 // P/Invoke declaration for the SSPI QuerySecurityContextToken function. Returns the native
 // SECURITY_STATUS as an int; on success phToken holds an access token handle that the caller
 // owns and has to close.
 private static extern int QuerySecurityContextToken__(SecHandle phContext, out IntPtr phToken);
		// P/Invoke declaration for the SSPI FreeCredentialsHandle function. Returns the native
		// SECURITY_STATUS as an int; the handle must not be used again after a successful call.
		static extern int FreeCredentialsHandle(ref SecHandle phCredential); //PCredHandle
예제 #40
 // P/Invoke declaration for the SSPI FreeCredentialsHandle function. Returns the native
 // SECURITY_STATUS as an int; the handle must not be used again after a successful call.
 public static extern int FreeCredentialsHandle(ref SecHandle phCredential);
		// Deletes the client security context when its handle is currently valid and replaces
		// the field with a fresh SecHandle, so a second call does not delete the same context again.
		// The status returned by DeleteSecurityContext is not inspected.
		private void CloseClientContext()
		{
			if (_clientContext.IsInvalid)
			{
				return;
			}

			DeleteSecurityContext(ref _clientContext);
			_clientContext = new SecHandle();
		}
예제 #42
 // P/Invoke declaration for the SSPI QueryContextAttributes function, typed so that the output
 // buffer is a SecPkgContext_Sizes structure. Returns the native SECURITY_STATUS as an int.
 // NOTE(review): because pBuffer is fixed to SecPkgContext_Sizes, ulAttribute should only ever
 // be the SIZES attribute; any other value would have the native side fill a buffer of the
 // wrong layout - confirm all callers.
 private static extern int QueryContextAttributes__(SecHandle phContext,
     int ulAttribute, ref SecPkgContext_Sizes pBuffer);
 // Stores the security context handle for later use; nothing else happens at construction.
 internal AuthenticationImpersonationContext(SecHandle context) => _context = context;
예제 #44
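        // Builds a KERB_RETRIEVE_TKT_REQUEST (KerbRetrieveEncodedTicketMessage) for `target_name`
        // and submits it through handle.CallPackage. On success the buffer returned by the
        // package is detached and handed to the caller, who then owns it.
        // The target name is written, NUL-terminated, into the trailing data area of the request
        // buffer, and the TargetName field points at that area.
        // A name too long for the 16-bit length fields yields STATUS_INVALID_PARAMETER.
        // Throws ArgumentNullException when `target_name` is null.
        private static NtResult <SafeLsaReturnBufferHandle> QueryCachedTicket(SafeLsaLogonHandle handle, uint auth_package, string target_name, KERB_RETRIEVE_TICKET_FLAGS flags,
                                                                              Luid logon_id, SecHandle sec_handle, bool throw_on_error)
        {
            if (target_name is null)
            {
                throw new ArgumentNullException(nameof(target_name));
            }

            int string_length     = target_name.Length * 2;
            int max_string_length = string_length + 2;

            // Length and MaximumLength are stored as ushort below. Without this check an over-long
            // name would be silently truncated by the casts, and the request would describe a
            // different string than the one written into the buffer.
            if (max_string_length > ushort.MaxValue)
            {
                return NtStatus.STATUS_INVALID_PARAMETER.CreateResultFromError <SafeLsaReturnBufferHandle>(throw_on_error);
            }

            using (var request = new SafeStructureInOutBuffer <KERB_RETRIEVE_TKT_REQUEST>(max_string_length, true))
            {
                request.Data.WriteUnicodeString(target_name + '\0');
                var request_str = new KERB_RETRIEVE_TKT_REQUEST()
                {
                    CacheOptions      = flags,
                    CredentialsHandle = sec_handle,
                    LogonId           = logon_id,
                    MessageType       = KERB_PROTOCOL_MESSAGE_TYPE.KerbRetrieveEncodedTicketMessage,
                    TargetName        = new UnicodeStringOut()
                    {
                        Length        = (ushort)string_length,
                        MaximumLength = (ushort)max_string_length,
                        // Raw pointer into `request`; valid only while `request` is not disposed.
                        Buffer        = request.Data.DangerousGetHandle()
                    }
                };
                request.Result = request_str;
                using (var result = handle.CallPackage(auth_package, request, throw_on_error))
                {
                    if (!result.IsSuccess)
                    {
                        return result.Cast <SafeLsaReturnBufferHandle>();
                    }
                    if (!result.Result.Status.IsSuccess())
                    {
                        return result.Result.Status.CreateResultFromError <SafeLsaReturnBufferHandle>(throw_on_error);
                    }
                    // Detach so that disposing `result` does not release the returned buffer.
                    return result.Result.Buffer.Detach().CreateResult();
                }
            }
        }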
예제 #45
 // P/Invoke declaration for the SSPI AcquireCredentialsHandle function. The int return value is
 // the native SECURITY_STATUS; callers must check it before using phCredential.
 // phCredential and ptsExpiry are `ref`, so the caller provides the storage that receives the
 // credential handle and the expiry time stamp (held here as a 64-bit long).
 public static extern int AcquireCredentialsHandle(string pszPrincipal, string pszPackage, uint fCredentialUse,
                                                   IntPtr pvLogonID, IntPtr pAuthData, IntPtr pGetKeyFn,
                                                   IntPtr pvGetKeyArgument, ref SecHandle phCredential,
                                                   ref long ptsExpiry);
예제 #46
        // Looks up the Kerberos authentication package, retrieves the ticket for `target_name`
        // through the package-id overload of QueryCachedTicket, and parses the returned buffer
        // into a KerberosExternalTicket.
        // Failures of the lookup or the retrieval are passed on as error results; a buffer that
        // TryParse rejects is reported as STATUS_INVALID_PARAMETER.
        private static NtResult <KerberosExternalTicket> QueryCachedTicket(SafeLsaLogonHandle handle, string target_name, KERB_RETRIEVE_TICKET_FLAGS flags,
                                                                           Luid logon_id, SecHandle sec_handle, bool throw_on_error)
        {
            var kerberos = handle.LookupAuthPackage(AuthenticationPackage.KERBEROS_NAME, throw_on_error);
            if (!kerberos.IsSuccess)
            {
                return kerberos.Cast <KerberosExternalTicket>();
            }

            using (var ticket_buffer = QueryCachedTicket(handle, kerberos.Result, target_name, flags, logon_id, sec_handle, throw_on_error))
            {
                if (!ticket_buffer.IsSuccess)
                {
                    return ticket_buffer.Cast <KerberosExternalTicket>();
                }

                // The native structure is read from offset 0 of the returned buffer.
                KERB_EXTERNAL_TICKET native_ticket = ticket_buffer.Result.Read <KERB_EXTERNAL_TICKET>(0);
                bool parsed = KerberosExternalTicket.TryParse(native_ticket, out KerberosExternalTicket ticket);

                return parsed
                    ? ticket.CreateResult()
                    : NtStatus.STATUS_INVALID_PARAMETER.CreateResultFromError <KerberosExternalTicket>(throw_on_error);
            }
        }
예제 #47
 // P/Invoke declaration for the SSPI FreeCredentialsHandle function. Returns the native
 // SECURITY_STATUS as an int; the handle must not be used again after a successful call.
 public static extern int FreeCredentialsHandle(ref SecHandle phCredential);
예제 #48
 // P/Invoke declaration for the SSPI MakeSignature function. Returns the native SECURITY_STATUS
 // as an int; the signature buffer in pMessage is only meaningful after a success status.
 private static extern int MakeSignature__(SecHandle phContext, int fQOP, 
     ref SecBufferDescNative pMessage, int MessageSeqNo);
예제 #49
 // P/Invoke declaration for the SSPI ImpersonateSecurityContext function, which makes the calling
 // thread impersonate the client of the security context. Returns the native SECURITY_STATUS as
 // an int. A successful call has to be paired with RevertSecurityContext so the thread does not
 // keep running under the client's identity.
 private static extern int ImpersonateSecurityContext__(SecHandle phContext);
예제 #50
 // P/Invoke declaration for the SSPI InitializeSecurityContext function. The int return value is
 // the native SECURITY_STATUS and must be checked by the caller before phNewContext or pOutput
 // is used.
 // NOTE(review): the three SecHandle parameters are passed without ref/out while the native
 // parameters are pointers; presumably SecHandle is a reference type in this project - confirm.
 private static extern int InitializeSecurityContext__(SecHandle phCredential,
     SecHandle phContext, string pszTargetName, int fContextReq, int Reserved1,
     int TargetDataRep, ref SecBufferDescNative pInput, int Reserved2, SecHandle phNewContext,
     ref SecBufferDescNative pOutput, ref int pfContextAttr, ref Int64 ptsExpiry);
예제 #51
 // P/Invoke declaration for the SSPI DeleteSecurityContext function. Returns the native
 // SECURITY_STATUS as an int; the context handle must not be used again after a successful call.
 static extern int DeleteSecurityContext(ref SecHandle phContext);         //PCtxtHandle
예제 #52
 // P/Invoke declaration for the SSPI DeleteSecurityContext function. Returns the native
 // SECURITY_STATUS as an int; the context handle must not be used again after a successful call.
 private static extern int DeleteSecurityContext(
     ref SecHandle phContext
 );
예제 #53
 // P/Invoke declaration for the SSPI FreeCredentialsHandle function. Returns the native
 // SECURITY_STATUS as an int; the handle must not be used again after a successful call.
 private extern static int FreeCredentialsHandle(
     ref SecHandle phCredential
     );
예제 #54
 // P/Invoke declaration for the SSPI FreeCredentialsHandle function. Returns the native
 // SECURITY_STATUS as an int; the handle must not be used again after a successful call.
 private static extern int FreeCredentialsHandle(
     ref SecHandle phCredential
 );
예제 #55
 // P/Invoke declaration for the SSPI AcceptSecurityContext function (server side of a handshake).
 // phContext is a raw IntPtr, so a caller can pass IntPtr.Zero when no context exists yet.
 // The int return value is the native SECURITY_STATUS; callers must check it before trusting
 // phNewContext, pOutput or pfContextAttr.
 public static extern int AcceptSecurityContext(ref SecHandle phCredential, IntPtr phContext,
     ref SecBufferDesc pInput, uint fContextReq, uint TargetDataRep,
     ref SecHandle phNewContext, ref SecBufferDesc pOutput,
     ref uint pfContextAttr, ref long ptsTimeStamp);
		// P/Invoke declaration for the SSPI AcquireCredentialsHandle function. The trailing
		// comments name the native type each managed parameter stands for.
		// The int return value is the native SECURITY_STATUS; callers must check it before
		// using phCredential.
		// NOTE(review): pGetKeyFn is declared as int although the native parameter is a function
		// pointer, which is wider than int in a 64-bit process - confirm callers only ever pass 0
		// and consider IntPtr.
		static extern int AcquireCredentialsHandle(
			string pszPrincipal, //SEC_CHAR*
			string pszPackage, //SEC_CHAR* //"Kerberos","NTLM","Negotiative"
			int fCredentialUse,
			IntPtr PAuthenticationID,//_LUID AuthenticationID,//pvLogonID, //PLUID
			IntPtr pAuthData,//PVOID
			int pGetKeyFn, //SEC_GET_KEY_FN
			IntPtr pvGetKeyArgument, //PVOID
			out SecHandle phCredential, //SecHandle //PCtxtHandle ref
			out SecInteger ptsExpiry //PTimeStamp //TimeStamp ref
		);
예제 #57
 // P/Invoke declaration for the SSPI DeleteSecurityContext function. Returns the native
 // SECURITY_STATUS as an int; the context handle must not be used again after a successful call.
 public static extern int DeleteSecurityContext(ref SecHandle phContext);
예제 #58
        /// <summary>
        /// Calls the RevertSecurityContext SSPI API function through the NT or the non-NT
        /// entry point, depending on _isNT.
        /// Throws an exception if the call does not return SEC_E_OK.
        /// </summary>
        /// <param name="phContext">Security context handle.</param>
        public static void RevertSecurityContext(SecHandle phContext)
        {
            int status = _isNT
                ? RevertSecurityContext_NT(phContext)
                : RevertSecurityContext__(phContext);

            if (status == SspiApi.SEC_E_OK)
            {
                return;
            }

            throw GenuineExceptions.Get_Windows_SspiError(status);
        }
예제 #59
 // P/Invoke declaration for the SSPI QuerySecurityContextToken function. Returns the native
 // SECURITY_STATUS as an int; on success phToken holds an access token handle that the caller
 // owns and has to close.
 public static extern int QuerySecurityContextToken(ref SecHandle phContext, ref IntPtr phToken);
        // Reads the PACKAGE_INFO attribute of the security context and builds an
        // AuthenticationPackage from the SecPkgInfo structure it refers to.
        // NOTE(review): nothing here releases the memory behind PackageInfo; presumably the
        // helper or the buffer type takes care of that - confirm.
        internal static AuthenticationPackage GetAuthenticationPackage(SecHandle context)
        {
            var package_attr = QueryContextAttribute <SecPkgContext_PackageInfo>(context, SECPKG_ATTR.PACKAGE_INFO);
            var package_info = package_attr.PackageInfo.ReadStruct <SecPkgInfo>();

            return new AuthenticationPackage(package_info);
        }