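		/// <summary>
		/// Performs the SASL GSSAPI (Kerberos) bind when <paramref name="authenticationTypes"/> has the
		/// <see cref="AuthenticationTypes.Secure"/> flag, then replaces the connection streams with
		/// <see cref="SecureStream"/> wrappers around the negotiated <see cref="Krb5Helper"/> context.
		/// Without the Secure flag this is a no-op.
		/// </summary>
		/// <param name="username">Principal to log in as. When either this or <paramref name="password"/>
		/// is null, a <see cref="LoginContext"/> without a callback handler is used instead.</param>
		/// <param name="password">Password handed to the <see cref="AuthenticationCallbackHandler"/>.</param>
		/// <param name="authenticationTypes">Requested authentication options; also forwarded to <see cref="Krb5Helper"/>.</param>
		/// <exception cref="LdapException">The login context cannot be created or logged in, or the server
		/// answers a bind with a result other than SUCCESS / SASL_BIND_IN_PROGRESS.</exception>
		private void BindSecure(System.String username, System.String password, AuthenticationTypes authenticationTypes)
		{
			if ((authenticationTypes & AuthenticationTypes.Secure) == 0) {
				return;
			}

			LoginContext loginContext = null;
			try {
				if (username != null && password != null) {
					AuthenticationCallbackHandler callbackHandler = new AuthenticationCallbackHandler (username, password);
					loginContext = new LoginContext (SecurityAppName, callbackHandler);
				}
				else {
					loginContext = new LoginContext (SecurityAppName);
				}

				loginContext.login ();
			}
			catch (Exception e) {
				throw new LdapException ("Failed to create login security context", 80, "", e);
			}

			Krb5Helper krb5Helper = null;
			try {
				krb5Helper = new Krb5Helper ("ldap@" + conn.Host, username, loginContext.getSubject (), authenticationTypes, SecurityMech);
			}
			finally {
				// The subject is only needed to build the GSS context; log out whether or not that succeeded.
				loginContext.logout ();
			}

			// From here on krb5Helper owns a GSS context. On success it is handed to the SecureStreams
			// below; on ANY failure (bad result code, a throwing Bind/getResponse/ExchangeTokens) it is
			// disposed here so the context does not leak. The original only disposed on a bad result code.
			try {
				sbyte [] token = krb5Helper.ExchangeTokens (Krb5Helper.EmptyToken);

				for (;;) {
					LdapResponseQueue queue = Bind (LdapConnection.Ldap_V3, username, token, null, null, AuthenticationMech);
					LdapResponse res = (LdapResponse) queue.getResponse ();
					if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS &&
						res.ResultCode != LdapException.SUCCESS) {
						throw new LdapException (ExceptionMessages.CONNECTION_ERROR, res.ResultCode, res.ErrorMessage);
					}

					Asn1OctetString serverSaslCreds = ((RfcBindResponse) res.Asn1Object.Response).ServerSaslCreds;
					token = serverSaslCreds != null ? serverSaslCreds.byteValue () : null;

					// The exchange also runs on the final SUCCESS response: once the context is established
					// the helper interprets the server credentials as the security-layer negotiation token.
					token = krb5Helper.ExchangeTokens (token == null ? Krb5Helper.EmptyToken : token);

					if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS) {
						break;
					}

					conn.ReplaceStreams (conn.InputStream, conn.OutputStream);
				}
			}
			catch {
				krb5Helper.Dispose ();
				throw;
			}

			System.IO.Stream newIn = new SecureStream (conn.InputStream, krb5Helper);
			System.IO.Stream newOut = new SecureStream (conn.OutputStream, krb5Helper);
			conn.ReplaceStreams (newIn, newOut);
		}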
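        /// <summary>
        /// Drives one step of the GSSAPI SASL exchange. While the security context is not yet
        /// established the token is passed to <c>initSecContext</c> and the resulting client token is
        /// returned; once it is established, the token is the server's wrapped security-layer offer and
        /// the wrapped client choice is returned.
        /// </summary>
        /// <param name="clientToken">Token received from the server. Null or empty is treated as
        /// <see cref="EmptyToken"/> (the initial round trip).</param>
        /// <returns>The next token to send. This is <see cref="EmptyToken"/> when the context became
        /// established and <c>initSecContext</c> produced nothing; before establishment it is whatever
        /// <c>initSecContext</c> returned, which may be null.</returns>
        /// <exception cref="LdapException">The established context lacks the requested confidentiality,
        /// delegation or integrity; the server's security-layer token is shorter than 4 bytes; or the
        /// server offers none of the acceptable protection levels.</exception>
        public sbyte [] ExchangeTokens(sbyte [] clientToken)
        {
            // The established-context path already treats null as "no token"; give the
            // initSecContext path the same contract instead of dereferencing null for .Length.
            if (clientToken == null)
            {
                clientToken = Krb5Helper.EmptyToken;
            }

            if (Context.isEstablished())
            {
                return NegotiateSecurityLayer(clientToken);
            }

            sbyte [] token = Context.initSecContext(clientToken, 0, clientToken.Length);

            if (Context.isEstablished())
            {
                VerifyNegotiatedContext();

                if (token == null)
                {
                    return(EmptyToken);
                }
            }
            return(token);
        }

        /// <summary>
        /// Final handshake after the context is established: unwraps the server's security-layer offer
        /// (one QOP bitmask byte followed by a 3-byte maximum buffer size), selects the protection level
        /// implied by the requested options, and returns the wrapped client answer.
        /// </summary>
        /// <param name="clientToken">The server's wrapped offer; null or empty yields <see cref="EmptyToken"/>.</param>
        /// <returns>The wrapped 4-byte client response as an sbyte array.</returns>
        /// <exception cref="LdapException">The unwrapped offer is shorter than 4 bytes, or it does not
        /// include the selected protection level.</exception>
        private sbyte [] NegotiateSecurityLayer(sbyte [] clientToken)
        {
            if (clientToken == null || clientToken.Length == 0)
            {
                return(Krb5Helper.EmptyToken);
            }

            byte [] challengeData = (byte [])TypeUtils.ToByteArray(clientToken);
            byte [] gssOutToken   = Unwrap(challengeData, 0, challengeData.Length, new MessageProp(false));

            // The offer comes from the network peer; bytes [0] and [1..3] are read below, so a
            // short or missing token must be rejected rather than read out of bounds.
            if (gssOutToken == null || gssOutToken.Length < 4)
            {
                throw new LdapException("Malformed security layer token received from server", 80, "");
            }

            QOP serverOffer = (QOP)gssOutToken [0];
            QOP myCop = QOP.NO_PROTECTION;

            if (_encryption)
            {
                myCop = QOP.PRIVACY_PROTECTION;
            }
            else if (_signing || ((serverOffer & QOP.INTEGRITY_ONLY_PROTECTION) != 0))
            {
                // Integrity is chosen when it was requested, and also when the server offers it
                // and encryption was not requested.
                myCop = QOP.INTEGRITY_ONLY_PROTECTION;
            }

            if ((myCop & serverOffer) == 0)
            {
                throw new LdapException("Server does not support the requested security level", 80, "");
            }

            int srvMaxBufSize = SecureStream.NetworkByteOrderToInt(gssOutToken, 1, 3);

            // NOTE(review): the server-announced buffer size is echoed back unchanged as the client
            // limit; the disabled getWrapSizeLimit computation that used to follow here is not applied.
            byte [] gssInToken = new byte [4];
            gssInToken [0] = (byte)myCop;
            SecureStream.IntToNetworkByteOrder(srvMaxBufSize, gssInToken, 1, 3);

            byte [] wrappedAnswer = Wrap(gssInToken, 0, gssInToken.Length, new MessageProp(true));

            return(TypeUtils.ToSByteArray(wrappedAnswer));
        }

        /// <summary>
        /// Once the GSS context is established, confirms that the peer granted the confidentiality,
        /// credential delegation and (if requested) integrity options this helper was configured with;
        /// a silent downgrade fails the bind.
        /// </summary>
        /// <exception cref="LdapException">One of the negotiated context flags differs from the request.</exception>
        private void VerifyNegotiatedContext()
        {
            if (Context.getConfState() != _encryption)
            {
                throw new LdapException("Encryption protocol was not established layer between client and server", 80, "");
            }

            if (Context.getCredDelegState() != _delegation)
            {
                throw new LdapException("Credential delegation was not established layer between client and server", 80, "");
            }

            // Integrity is only mandatory when signing was asked for; the server may grant it unasked.
            if (_signing && (Context.getIntegState() != _signing))
            {
                throw new LdapException("Signing protocol was not established layer between client and server", 80, "");
            }
        }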