/// <summary>
/// Generate SSPI context
/// </summary>
/// <param name="handle">SNI connection handle</param>
/// <param name="receivedBuff">Receive buffer</param>
/// <param name="receivedLength">Received length</param>
/// <param name="sendBuff">Send buffer</param>
/// <param name="sendLength">Send length</param>
/// <param name="serverName">Service Principal Name buffer</param>
/// <param name="serverNameLength">Length of Service Principal Name</param>
/// <returns>SNI error code</returns>
public void GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, byte[] receivedBuff, ref byte[] sendBuff, byte[] serverName)
{
SafeDeleteContext securityContext = sspiClientContextStatus.SecurityContext;
ContextFlagsPal contextFlags = sspiClientContextStatus.ContextFlags;
SafeFreeCredentials credentialsHandle = sspiClientContextStatus.CredentialsHandle;
SecurityBuffer[] inSecurityBufferArray = null;
if (securityContext == null) //first iteration
{
credentialsHandle = NegotiateStreamPal.AcquireDefaultCredential(Kerberos, false);
}
else
{
inSecurityBufferArray = new SecurityBuffer[] { new SecurityBuffer(receivedBuff, SecurityBufferType.SECBUFFER_TOKEN) };
}
int tokenSize = NegotiateStreamPal.QueryMaxTokenSize(Kerberos);
SecurityBuffer outSecurityBuffer = new SecurityBuffer(tokenSize, SecurityBufferType.SECBUFFER_TOKEN);
ContextFlagsPal requestedContextFlags = ContextFlagsPal.Connection
| ContextFlagsPal.Confidentiality
| ContextFlagsPal.MutualAuth;
string serverSPN = System.Text.Encoding.UTF8.GetString(serverName);
SecurityStatusPal statusCode = NegotiateStreamPal.InitializeSecurityContext(
credentialsHandle,
ref securityContext,
serverSPN,
requestedContextFlags,
inSecurityBufferArray,
outSecurityBuffer,
ref contextFlags);
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded ||
statusCode.ErrorCode == SecurityStatusPalErrorCode.CompAndContinue)
{
inSecurityBufferArray = new SecurityBuffer[] { outSecurityBuffer };
statusCode = NegotiateStreamPal.CompleteAuthToken(ref securityContext, inSecurityBufferArray);
}
sendBuff = outSecurityBuffer.token;
sspiClientContextStatus.SecurityContext = securityContext;
sspiClientContextStatus.ContextFlags = contextFlags;
sspiClientContextStatus.CredentialsHandle = credentialsHandle;
if (IsErrorStatus(statusCode.ErrorCode))
{
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.InternalError &&
statusCode.Exception is Interop.NetSecurityNative.GssApiException) // when unable to access Kerberos Ticket
{
throw new Exception(SQLMessage.KerberosTicketMissingError() + "\n" + statusCode);
}
else
{
throw new Exception(SQLMessage.SSPIGenerateError() + "\n" + statusCode);
}
}
}
internal int Encrypt(byte[] buffer, int offset, int count, ref byte[] output, uint sequenceNumber)
{
return(NegotiateStreamPal.Encrypt(
_securityContext,
buffer,
offset,
count,
IsConfidentialityFlag,
IsNTLM,
ref output,
sequenceNumber));
}
private string GetClientSpecifiedSpn()
{
if (!(IsValidContext && IsCompleted))
{
NetEventSource.Fail(this, "Trying to get the client SPN before handshaking is done!");
}
string spn = NegotiateStreamPal.QueryContextClientSpecifiedSpn(_securityContext);
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(this, $"The client specified SPN is [{spn}]");
}
return(spn);
}
private string GetClientSpecifiedSpn()
{
if (!(IsValidContext && IsCompleted))
{
if (GlobalLog.IsEnabled)
{
GlobalLog.Assert("NTAuthentication: Trying to get the client SPN before handshaking is done!");
}
Debug.Fail("NTAuthentication: Trying to get the client SPN before handshaking is done!");
}
string spn = NegotiateStreamPal.QueryContextClientSpecifiedSpn(_securityContext);
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("NTAuthentication: The client specified SPN is [" + spn + "]");
}
return(spn);
}
private void Initialize(bool isServer, string package, NetworkCredential credential, string spn, ContextFlagsPal requestedContextFlags, ChannelBinding channelBinding)
{
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("NTAuthentication#" + LoggingHash.HashString(this) + "::.ctor() package:" + LoggingHash.ObjectToString(package) + " spn:" + LoggingHash.ObjectToString(spn) + " flags :" + requestedContextFlags.ToString());
}
_tokenSize = NegotiateStreamPal.QueryMaxTokenSize(package);
_isServer = isServer;
_spn = spn;
_securityContext = null;
_requestedContextFlags = requestedContextFlags;
_package = package;
_channelBinding = channelBinding;
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("Peer SPN-> '" + _spn + "'");
}
//
// Check if we're using DefaultCredentials.
//
Debug.Assert(CredentialCache.DefaultCredentials == CredentialCache.DefaultNetworkCredentials);
if (credential == CredentialCache.DefaultCredentials)
{
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("NTAuthentication#" + LoggingHash.HashString(this) + "::.ctor(): using DefaultCredentials");
}
_credentialsHandle = NegotiateStreamPal.AcquireDefaultCredential(package, _isServer);
}
else
{
_credentialsHandle = NegotiateStreamPal.AcquireCredentialsHandle(package, _isServer, credential);
}
}
private void Initialize(bool isServer, string package, NetworkCredential credential, string spn, ContextFlagsPal requestedContextFlags, ChannelBinding channelBinding)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Enter(this, package, spn, requestedContextFlags);
}
_tokenSize = NegotiateStreamPal.QueryMaxTokenSize(package);
_isServer = isServer;
_spn = spn;
_securityContext = null;
_requestedContextFlags = requestedContextFlags;
_package = package;
_channelBinding = channelBinding;
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(this, $"Peer SPN-> '{_spn}'");
}
//
// Check if we're using DefaultCredentials.
//
Debug.Assert(CredentialCache.DefaultCredentials == CredentialCache.DefaultNetworkCredentials);
if (credential == CredentialCache.DefaultCredentials)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(this, "using DefaultCredentials");
}
_credentialsHandle = NegotiateStreamPal.AcquireDefaultCredential(package, _isServer);
}
else
{
_credentialsHandle = NegotiateStreamPal.AcquireCredentialsHandle(package, _isServer, credential);
}
}
// Accepts an incoming binary security blob and returns an outgoing binary security blob.
internal byte[] GetOutgoingBlob(byte[] incomingBlob, bool throwOnError, out SecurityStatusPal statusCode)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Enter(this, incomingBlob);
}
SecurityBuffer[] inSecurityBufferArray = null;
if (incomingBlob != null && _channelBinding != null)
{
inSecurityBufferArray = new SecurityBuffer[2]
{
new SecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN),
new SecurityBuffer(_channelBinding)
};
}
else if (incomingBlob != null)
{
inSecurityBufferArray = new SecurityBuffer[1] {
new SecurityBuffer(incomingBlob, SecurityBufferType.SECBUFFER_TOKEN)
};
}
else if (_channelBinding != null)
{
inSecurityBufferArray = new SecurityBuffer[1] {
new SecurityBuffer(_channelBinding)
};
}
var outSecurityBuffer = new SecurityBuffer(_tokenSize, SecurityBufferType.SECBUFFER_TOKEN);
bool firstTime = _securityContext == null;
try
{
if (!_isServer)
{
// client session
statusCode = NegotiateStreamPal.InitializeSecurityContext(
_credentialsHandle,
ref _securityContext,
_spn,
_requestedContextFlags,
inSecurityBufferArray,
outSecurityBuffer,
ref _contextFlags);
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(this, $"SSPIWrapper.InitializeSecurityContext() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded)
{
var inSecurityBuffers = new SecurityBuffer[1];
inSecurityBuffers[0] = outSecurityBuffer;
statusCode = NegotiateStreamPal.CompleteAuthToken(ref _securityContext, inSecurityBuffers);
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(this, $"SSPIWrapper.CompleteAuthToken() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
outSecurityBuffer.token = null;
}
}
else
{
// Server session.
statusCode = NegotiateStreamPal.AcceptSecurityContext(
_credentialsHandle,
ref _securityContext,
_requestedContextFlags,
inSecurityBufferArray,
outSecurityBuffer,
ref _contextFlags);
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(this, $"SSPIWrapper.AcceptSecurityContext() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
}
}
finally
{
//
// Assuming the ISC or ASC has referenced the credential on the first successful call,
// we want to decrement the effective ref count by "disposing" it.
// The real dispose will happen when the security context is closed.
// Note if the first call was not successful the handle is physically destroyed here.
//
if (firstTime && _credentialsHandle != null)
{
_credentialsHandle.Dispose();
}
}
if (((int)statusCode.ErrorCode >= (int)SecurityStatusPalErrorCode.OutOfMemory))
{
CloseContext();
_isCompleted = true;
if (throwOnError)
{
Exception exception = NegotiateStreamPal.CreateExceptionFromError(statusCode);
if (NetEventSource.IsEnabled)
{
NetEventSource.Exit(this, exception);
}
throw exception;
}
if (NetEventSource.IsEnabled)
{
NetEventSource.Exit(this, $"null statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
return(null);
}
else if (firstTime && _credentialsHandle != null)
{
// Cache until it is pushed out by newly incoming handles.
SSPIHandleCache.CacheCredential(_credentialsHandle);
}
// The return value will tell us correctly if the handshake is over or not
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.OK)
{
// Success.
_isCompleted = true;
}
else if (NetEventSource.IsEnabled)
{
// We need to continue.
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(this, $"need continue statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode}) _securityContext:{_securityContext}");
}
}
if (NetEventSource.IsEnabled)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Exit(this, $"IsCompleted: {IsCompleted}");
}
}
return(outSecurityBuffer.token);
}
internal int MakeSignature(byte[] buffer, int offset, int count, ref byte[] output)
{
return(NegotiateStreamPal.MakeSignature(_securityContext, buffer, offset, count, ref output));
}
internal int VerifySignature(byte[] buffer, int offset, int count)
{
return(NegotiateStreamPal.VerifySignature(_securityContext, buffer, offset, count));
}
internal int Decrypt(byte[] payload, int offset, int count, out int newOffset, uint expectedSeqNumber)
{
return(NegotiateStreamPal.Decrypt(_securityContext, payload, offset, count, IsConfidentialityFlag, IsNTLM, out newOffset, expectedSeqNumber));
}
/// <summary>
/// Generate SSPI context
/// </summary>
/// <param name="sspiClientContextStatus">SSPI client context status</param>
/// <param name="receivedBuff">Receive buffer</param>
/// <param name="sendBuff">Send buffer</param>
/// <param name="serverName">Service Principal Name buffer</param>
public void GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, byte[] receivedBuff, ref byte[] sendBuff, byte[] serverName)
{
SafeDeleteContext securityContext = sspiClientContextStatus.SecurityContext;
ContextFlagsPal contextFlags = sspiClientContextStatus.ContextFlags;
SafeFreeCredentials credentialsHandle = sspiClientContextStatus.CredentialsHandle;
string securityPackage = NegotiationInfoClass.Negotiate;
if (securityContext == null)
{
credentialsHandle = NegotiateStreamPal.AcquireDefaultCredential(securityPackage, false);
}
int tokenSize = NegotiateStreamPal.QueryMaxTokenSize(securityPackage);
byte[] resultToken = new byte[tokenSize];
ContextFlagsPal requestedContextFlags = ContextFlagsPal.Connection
| ContextFlagsPal.Confidentiality
| ContextFlagsPal.Delegate
| ContextFlagsPal.MutualAuth;
string serverSPN = System.Text.Encoding.UTF8.GetString(serverName);
SecurityStatusPal statusCode = NegotiateStreamPal.InitializeSecurityContext(
ref credentialsHandle,
ref securityContext,
serverSPN,
requestedContextFlags,
receivedBuff,
null,
ref resultToken,
ref contextFlags);
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded ||
statusCode.ErrorCode == SecurityStatusPalErrorCode.CompAndContinue)
{
statusCode = NegotiateStreamPal.CompleteAuthToken(ref securityContext, resultToken);
resultToken = null;
}
sendBuff = resultToken;
if (sendBuff == null)
{
sendBuff = Array.Empty <byte>();
}
sspiClientContextStatus.SecurityContext = securityContext;
sspiClientContextStatus.ContextFlags = contextFlags;
sspiClientContextStatus.CredentialsHandle = credentialsHandle;
if (IsErrorStatus(statusCode.ErrorCode))
{
// Could not access Kerberos Ticket.
//
// SecurityStatusPalErrorCode.InternalError only occurs in Unix and always comes with a GssApiException,
// so we don't need to check for a GssApiException here.
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.InternalError)
{
throw new InvalidOperationException(SQLMessage.KerberosTicketMissingError() + "\n" + statusCode);
}
else
{
throw new InvalidOperationException(SQLMessage.SSPIGenerateError() + "\n" + statusCode);
}
}
}
// Accepts an incoming binary security blob and returns an outgoing binary security blob.
internal byte[] GetOutgoingBlob(byte[] incomingBlob, bool throwOnError, out SecurityStatusPal statusCode)
{
if (GlobalLog.IsEnabled)
{
GlobalLog.Enter("NTAuthentication#" + LoggingHash.HashString(this) + "::GetOutgoingBlob", ((incomingBlob == null) ? "0" : incomingBlob.Length.ToString(NumberFormatInfo.InvariantInfo)) + " bytes");
}
var list = new List <SecurityBuffer>(2);
if (incomingBlob != null)
{
list.Add(new SecurityBuffer(incomingBlob, SecurityBufferType.Token));
}
if (_channelBinding != null)
{
list.Add(new SecurityBuffer(_channelBinding));
}
SecurityBuffer[] inSecurityBufferArray = null;
if (list.Count > 0)
{
inSecurityBufferArray = list.ToArray();
}
var outSecurityBuffer = new SecurityBuffer(_tokenSize, SecurityBufferType.Token);
bool firstTime = _securityContext == null;
try
{
if (!_isServer)
{
// client session
statusCode = NegotiateStreamPal.InitializeSecurityContext(
_credentialsHandle,
ref _securityContext,
_spn,
_requestedContextFlags,
inSecurityBufferArray,
outSecurityBuffer,
ref _contextFlags);
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("NTAuthentication#" + LoggingHash.HashString(this) + "::GetOutgoingBlob() SSPIWrapper.InitializeSecurityContext() returns statusCode:0x" + ((int)statusCode.ErrorCode).ToString("x8", NumberFormatInfo.InvariantInfo) + " (" + statusCode.ToString() + ")");
}
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded)
{
var inSecurityBuffers = new SecurityBuffer[1];
inSecurityBuffers[0] = outSecurityBuffer;
statusCode = NegotiateStreamPal.CompleteAuthToken(ref _securityContext, inSecurityBuffers);
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("NTAuthentication#" + LoggingHash.HashString(this) + "::GetOutgoingDigestBlob() SSPIWrapper.CompleteAuthToken() returns statusCode:0x" + ((int)statusCode.ErrorCode).ToString("x8", NumberFormatInfo.InvariantInfo) + " (" + statusCode.ToString() + ")");
}
outSecurityBuffer.token = null;
}
}
else
{
// Server session.
statusCode = NegotiateStreamPal.AcceptSecurityContext(
_credentialsHandle,
ref _securityContext,
_requestedContextFlags,
inSecurityBufferArray,
outSecurityBuffer,
ref _contextFlags);
if (GlobalLog.IsEnabled)
{
GlobalLog.Print("NTAuthentication#" + LoggingHash.HashString(this) + "::GetOutgoingBlob() SSPIWrapper.AcceptSecurityContext() returns statusCode:0x" + ((int)statusCode.ErrorCode).ToString("x8", NumberFormatInfo.InvariantInfo) + " (" + statusCode.ToString() + ")");
}
}
}
finally
{
//
// Assuming the ISC or ASC has referenced the credential on the first successful call,
// we want to decrement the effective ref count by "disposing" it.
// The real dispose will happen when the security context is closed.
// Note if the first call was not successful the handle is physically destroyed here.
//
if (firstTime && _credentialsHandle != null)
{
_credentialsHandle.Dispose();
}
}
if (NegoState.IsError(statusCode))
{
CloseContext();
_isCompleted = true;
if (throwOnError)
{
Exception exception = NegotiateStreamPal.CreateExceptionFromError(statusCode);
if (GlobalLog.IsEnabled)
{
GlobalLog.Leave("NTAuthentication#" + LoggingHash.HashString(this) + "::GetOutgoingBlob", "Win32Exception:" + exception);
}
throw exception;
}
if (GlobalLog.IsEnabled)
{
GlobalLog.Leave("NTAuthentication#" + LoggingHash.HashString(this) + "::GetOutgoingBlob", "null statusCode:0x" + ((int)statusCode.ErrorCode).ToString("x8", NumberFormatInfo.InvariantInfo) + " (" + statusCode.ToString() + ")");
}
return(null);
}
else if (firstTime && _credentialsHandle != null)
{
// Cache until it is pushed out by newly incoming handles.
SSPIHandleCache.CacheCredential(_credentialsHandle);
}
// The return value will tell us correctly if the handshake is over or not
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.OK)
{
// Success.
_isCompleted = true;
}
else if (GlobalLog.IsEnabled)
{
// We need to continue.
GlobalLog.Print("NTAuthentication#" + LoggingHash.HashString(this) + "::GetOutgoingBlob() need continue statusCode:[0x" + ((int)statusCode.ErrorCode).ToString("x8", NumberFormatInfo.InvariantInfo) + "] (" + statusCode.ToString() + ") m_SecurityContext#" + LoggingHash.HashString(_securityContext) + "::Handle:" + LoggingHash.ObjectToString(_securityContext) + "]");
}
if (GlobalLog.IsEnabled)
{
GlobalLog.Leave("NTAuthentication#" + LoggingHash.HashString(this) + "::GetOutgoingBlob", "IsCompleted:" + IsCompleted.ToString());
}
return(outSecurityBuffer.token);
}
internal byte[]? GetOutgoingBlob(ReadOnlySpan <byte> incomingBlob, bool throwOnError, out SecurityStatusPal statusCode)
{
_tokenBuffer ??= _tokenSize == 0 ? Array.Empty <byte>() : new byte[_tokenSize];
bool firstTime = _securityContext == null;
int resultBlobLength;
try
{
if (!_isServer)
{
// client session
statusCode = NegotiateStreamPal.InitializeSecurityContext(
ref _credentialsHandle !,
ref _securityContext,
_spn,
_requestedContextFlags,
incomingBlob,
_channelBinding,
ref _tokenBuffer,
out resultBlobLength,
ref _contextFlags);
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(this, $"SSPIWrapper.InitializeSecurityContext() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded)
{
statusCode = NegotiateStreamPal.CompleteAuthToken(ref _securityContext, _tokenBuffer.AsSpan(0, resultBlobLength));
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(this, $"SSPIWrapper.CompleteAuthToken() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
resultBlobLength = 0;
}
}
else
{
// Server session.
statusCode = NegotiateStreamPal.AcceptSecurityContext(
_credentialsHandle,
ref _securityContext,
_requestedContextFlags,
incomingBlob,
_channelBinding,
ref _tokenBuffer,
out resultBlobLength,
ref _contextFlags);
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(this, $"SSPIWrapper.AcceptSecurityContext() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
}
}
finally
{
//
// Assuming the ISC or ASC has referenced the credential on the first successful call,
// we want to decrement the effective ref count by "disposing" it.
// The real dispose will happen when the security context is closed.
// Note if the first call was not successful the handle is physically destroyed here.
//
if (firstTime)
{
_credentialsHandle?.Dispose();
}
}
if (((int)statusCode.ErrorCode >= (int)SecurityStatusPalErrorCode.OutOfMemory))
{
CloseContext();
_isCompleted = true;
_tokenBuffer = null;
if (throwOnError)
{
throw NegotiateStreamPal.CreateExceptionFromError(statusCode);
}
return(null);
}
else if (firstTime && _credentialsHandle != null)
{
// Cache until it is pushed out by newly incoming handles.
SSPIHandleCache.CacheCredential(_credentialsHandle);
}
byte[]? result =
resultBlobLength == 0 || _tokenBuffer == null ? null :
_tokenBuffer.Length == resultBlobLength ? _tokenBuffer :
_tokenBuffer[0..resultBlobLength];
/// <summary>
/// Generate SSPI context
/// </summary>
/// <param name="sspiClientContextStatus">SSPI client context status</param>
/// <param name="receivedBuff">Receive buffer</param>
/// <param name="sendBuff">Send buffer</param>
/// <param name="serverName">Service Principal Name buffer</param>
/// <returns>SNI error code</returns>
internal static void GenSspiClientContext(SspiClientContextStatus sspiClientContextStatus, byte[] receivedBuff, ref byte[] sendBuff, byte[][] serverName)
{
SafeDeleteContext securityContext = sspiClientContextStatus.SecurityContext;
ContextFlagsPal contextFlags = sspiClientContextStatus.ContextFlags;
SafeFreeCredentials credentialsHandle = sspiClientContextStatus.CredentialsHandle;
string securityPackage = NegotiationInfoClass.Negotiate;
if (securityContext == null)
{
credentialsHandle = NegotiateStreamPal.AcquireDefaultCredential(securityPackage, false);
}
SecurityBuffer[] inSecurityBufferArray;
if (receivedBuff != null)
{
inSecurityBufferArray = new SecurityBuffer[] { new SecurityBuffer(receivedBuff, SecurityBufferType.SECBUFFER_TOKEN) };
}
else
{
inSecurityBufferArray = Array.Empty <SecurityBuffer>();
}
int tokenSize = NegotiateStreamPal.QueryMaxTokenSize(securityPackage);
SecurityBuffer outSecurityBuffer = new SecurityBuffer(tokenSize, SecurityBufferType.SECBUFFER_TOKEN);
ContextFlagsPal requestedContextFlags = ContextFlagsPal.Connection
| ContextFlagsPal.Confidentiality
| ContextFlagsPal.Delegate
| ContextFlagsPal.MutualAuth;
string[] serverSPNs = new string[serverName.Length];
for (int i = 0; i < serverName.Length; i++)
{
serverSPNs[i] = Encoding.UTF8.GetString(serverName[i]);
}
SecurityStatusPal statusCode = NegotiateStreamPal.InitializeSecurityContext(
credentialsHandle,
ref securityContext,
serverSPNs,
requestedContextFlags,
inSecurityBufferArray,
outSecurityBuffer,
ref contextFlags);
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded ||
statusCode.ErrorCode == SecurityStatusPalErrorCode.CompAndContinue)
{
inSecurityBufferArray = new SecurityBuffer[] { outSecurityBuffer };
statusCode = NegotiateStreamPal.CompleteAuthToken(ref securityContext, inSecurityBufferArray);
outSecurityBuffer.token = null;
}
sendBuff = outSecurityBuffer.token;
if (sendBuff == null)
{
sendBuff = Array.Empty <byte>();
}
sspiClientContextStatus.SecurityContext = securityContext;
sspiClientContextStatus.ContextFlags = contextFlags;
sspiClientContextStatus.CredentialsHandle = credentialsHandle;
if (IsErrorStatus(statusCode.ErrorCode))
{
// Could not access Kerberos Ticket.
//
// SecurityStatusPalErrorCode.InternalError only occurs in Unix and always comes with a GssApiException,
// so we don't need to check for a GssApiException here.
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.InternalError)
{
throw new InvalidOperationException(SQLMessage.KerberosTicketMissingError() + "\n" + statusCode);
}
else
{
throw new InvalidOperationException(SQLMessage.SSPIGenerateError() + "\n" + statusCode);
}
}
}
// Accepts an incoming binary security blob and returns an outgoing binary security blob.
internal byte[]? GetOutgoingBlob(byte[]?incomingBlob, bool throwOnError, out SecurityStatusPal statusCode)
{
byte[]? result = new byte[_tokenSize];
bool firstTime = _securityContext == null;
try
{
if (!_isServer)
{
// client session
statusCode = NegotiateStreamPal.InitializeSecurityContext(
ref _credentialsHandle !,
ref _securityContext,
_spn,
_requestedContextFlags,
incomingBlob,
_channelBinding,
ref result,
ref _contextFlags);
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(this, $"SSPIWrapper.InitializeSecurityContext() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded)
{
statusCode = NegotiateStreamPal.CompleteAuthToken(ref _securityContext, result);
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(this, $"SSPIWrapper.CompleteAuthToken() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
result = null;
}
}
else
{
// Server session.
statusCode = NegotiateStreamPal.AcceptSecurityContext(
_credentialsHandle,
ref _securityContext,
_requestedContextFlags,
incomingBlob,
_channelBinding,
ref result,
ref _contextFlags);
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(this, $"SSPIWrapper.AcceptSecurityContext() returns statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode})");
}
}
}
finally
{
//
// Assuming the ISC or ASC has referenced the credential on the first successful call,
// we want to decrement the effective ref count by "disposing" it.
// The real dispose will happen when the security context is closed.
// Note if the first call was not successful the handle is physically destroyed here.
//
if (firstTime)
{
_credentialsHandle?.Dispose();
}
}
if (((int)statusCode.ErrorCode >= (int)SecurityStatusPalErrorCode.OutOfMemory))
{
CloseContext();
_isCompleted = true;
if (throwOnError)
{
throw NegotiateStreamPal.CreateExceptionFromError(statusCode);
}
return(null);
}
else if (firstTime && _credentialsHandle != null)
{
// Cache until it is pushed out by newly incoming handles.
SSPIHandleCache.CacheCredential(_credentialsHandle);
}
// The return value will tell us correctly if the handshake is over or not
if (statusCode.ErrorCode == SecurityStatusPalErrorCode.OK ||
(_isServer && statusCode.ErrorCode == SecurityStatusPalErrorCode.CompleteNeeded))
{
// Success.
_isCompleted = true;
}
else
{
// We need to continue.
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(this, $"need continue statusCode:0x{((int)statusCode.ErrorCode):x8} ({statusCode}) _securityContext:{_securityContext}");
}
}
return(result);
}
