private static unsafe int QueryContextChannelBinding_SCHANNEL(SafeDeleteContext phContext, ContextAttribute contextAttribute, Bindings* buffer, SafeFreeContextBufferChannelBinding refHandle)
{
int num = -2146893055;
bool success = false;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
phContext.DangerousAddRef(ref success);
}
catch (Exception exception)
{
if (success)
{
phContext.DangerousRelease();
success = false;
}
if (!(exception is ObjectDisposedException))
{
throw;
}
}
finally
{
if (success)
{
num = UnsafeNclNativeMethods.SafeNetHandles_SCHANNEL.QueryContextAttributesA(ref phContext._handle, contextAttribute, (void*) buffer);
phContext.DangerousRelease();
}
if ((num == 0) && (refHandle != null))
{
refHandle.Set(buffer.pBindings);
refHandle.size = buffer.BindingsLength;
}
if ((num != 0) && (refHandle != null))
{
refHandle.SetHandleAsInvalid();
}
}
return num;
}
private unsafe int DecryptMessageHelper(SafeDeleteContext context, SecurityBufferDescriptor inputOutput, uint sequenceNumber)
{
int num = -2146893055;
bool success = false;
uint qualityOfProtection = 0;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
context.DangerousAddRef(ref success);
}
catch (Exception exception)
{
if (success)
{
context.DangerousRelease();
success = false;
}
if (!(exception is ObjectDisposedException))
{
throw;
}
}
finally
{
if (success)
{
num = UnsafeNclNativeMethods.NativeNTSSPI.DecryptMessage(ref context._handle, inputOutput, sequenceNumber, &qualityOfProtection);
context.DangerousRelease();
}
}
if ((num == 0) && (qualityOfProtection == 0x80000001))
{
throw new InvalidOperationException(SR.GetString("net_auth_message_not_encrypted"));
}
return num;
}
private static int GetSecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle safeHandle)
{
safeHandle = null;
try
{
bool ignore = false;
phContext.DangerousAddRef(ref ignore);
return(Interop.SspiCli.QuerySecurityContextToken(ref phContext._handle, out safeHandle));
}
finally
{
phContext.DangerousRelease();
}
}
public int MakeSignature(SafeDeleteContext context, Interop.Secur32.SecurityBufferDescriptor inputOutput, uint sequenceNumber)
{
try
{
bool ignore = false;
context.DangerousAddRef(ref ignore);
return(Interop.Secur32.EncryptMessage(ref context._handle, Interop.Secur32.SECQOP_WRAP_NO_ENCRYPT, inputOutput, sequenceNumber));
}
finally
{
context.DangerousRelease();
}
}
public unsafe int VerifySignature(SafeDeleteContext context, ref Interop.SspiCli.SecBufferDesc inputOutput, uint sequenceNumber)
{
try
{
bool ignore = false;
uint qop = 0;
context.DangerousAddRef(ref ignore);
return(Interop.SspiCli.DecryptMessage(ref context._handle, ref inputOutput, sequenceNumber, &qop));
}
finally
{
context.DangerousRelease();
}
}
private int EncryptMessage(SafeDeleteContext context, Interop.Secur32.SecurityBufferDescriptor inputOutput, uint sequenceNumber)
{
int status = (int)Interop.SecurityStatus.InvalidHandle;
try
{
bool ignore = false;
context.DangerousAddRef(ref ignore);
status = Interop.Secur32.EncryptMessage(ref context._handle, 0, inputOutput, sequenceNumber);
return(status);
}
finally
{
context.DangerousRelease();
}
}
private static int GetSecurityContextToken(SafeDeleteContext phContext, out SecurityContextTokenHandle safeHandle)
{
int status = (int)Interop.SecurityStatus.InvalidHandle;
safeHandle = null;
try
{
bool ignore = false;
phContext.DangerousAddRef(ref ignore);
status = Interop.Secur32.QuerySecurityContextToken(ref phContext._handle, out safeHandle);
}
finally
{
phContext.DangerousRelease();
}
return(status);
}
public unsafe int DecryptMessage(SafeDeleteContext context, ref Interop.SspiCli.SecBufferDesc inputOutput, out uint qop)
{
int status = (int)Interop.SECURITY_STATUS.InvalidHandle;
uint qopTemp = 0;
try
{
bool ignore = false;
context.DangerousAddRef(ref ignore);
status = Interop.SspiCli.DecryptMessage(ref context._handle, ref inputOutput, 0, &qopTemp);
}
finally
{
context.DangerousRelease();
}
qop = qopTemp;
return(status);
}
private SecurityStatus EncryptDecryptHelper(SafeDeleteContext securityContext, byte[] buffer, int offset, int size, int headerSize, int trailerSize, bool encrypt, out int resultSize)
{
bool gotReference = false;
resultSize = 0;
try
{
securityContext.DangerousAddRef(ref gotReference);
unsafe
{
fixed(byte *bufferPtr = buffer)
{
IntPtr inputPtr = new IntPtr(bufferPtr);
IntPtr scHandle = securityContext.DangerousGetHandle();
resultSize = encrypt ?
Interop.OpenSsl.Encrypt(scHandle, inputPtr, offset, size, buffer.Length) :
Interop.OpenSsl.Decrypt(scHandle, inputPtr, size);
}
}
return(((size == 0) || (resultSize > 0)) ? SecurityStatus.OK : SecurityStatus.ContextExpired);
}
catch (Exception ex)
{
Debug.Fail("Exception Caught. - " + ex);
return(SecurityStatus.InternalError);
}
finally
{
if (gotReference)
{
securityContext.DangerousRelease();
}
}
}
public unsafe int DecryptMessage(SafeDeleteContext context, ref Interop.SspiCli.SecBufferDesc inputOutput, uint sequenceNumber)
{
int status = (int)Interop.SECURITY_STATUS.InvalidHandle;
uint qop = 0;
try
{
bool ignore = false;
context.DangerousAddRef(ref ignore);
status = Interop.SspiCli.DecryptMessage(ref context._handle, ref inputOutput, sequenceNumber, &qop);
}
finally
{
context.DangerousRelease();
}
if (status == 0 && qop == Interop.SspiCli.SECQOP_WRAP_NO_ENCRYPT)
{
NetEventSource.Fail(this, $"Expected qop = 0, returned value = {qop}");
throw new InvalidOperationException(SR.net_auth_message_not_encrypted);
}
return(status);
}
public int QueryContextRemoteCertificate(SafeDeleteContext securityContext, out SafeFreeCertContext remoteCertContext)
{
bool gotReference = false;
remoteCertContext = null;
try
{
securityContext.DangerousAddRef(ref gotReference);
IntPtr certPtr = Interop.OpenSsl.GetPeerCertificate(securityContext.DangerousGetHandle());
remoteCertContext = new SafeFreeCertContext(certPtr);
return(0);
}
catch
{
return(-1);
}
finally
{
if (gotReference)
{
securityContext.DangerousRelease();
}
}
}
public int QueryContextConnectionInfo(SafeDeleteContext securityContext, out SslConnectionInfo connectionInfo)
{
bool gotReference = false;
connectionInfo = null;
try
{
securityContext.DangerousAddRef(ref gotReference);
Interop.libssl.SSL_CIPHER cipher = Interop.OpenSsl.GetConnectionInfo(securityContext.DangerousGetHandle());
connectionInfo = new SslConnectionInfo(cipher);
return(0);
}
catch
{
return(-1);
}
finally
{
if (gotReference)
{
securityContext.DangerousRelease();
}
}
}
private static unsafe int QueryContextAttributes_SCHANNEL(SafeDeleteContext phContext, ContextAttribute contextAttribute, byte* buffer, SafeHandle refHandle)
{
int num = -2146893055;
bool success = false;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
phContext.DangerousAddRef(ref success);
}
catch (Exception exception)
{
if (success)
{
phContext.DangerousRelease();
success = false;
}
if (!(exception is ObjectDisposedException))
{
throw;
}
}
finally
{
if (success)
{
num = UnsafeNclNativeMethods.SafeNetHandles_SCHANNEL.QueryContextAttributesA(ref phContext._handle, contextAttribute, (void*) buffer);
phContext.DangerousRelease();
}
if ((num == 0) && (refHandle != null))
{
if (refHandle is SafeFreeContextBuffer)
{
((SafeFreeContextBuffer) refHandle).Set(*((IntPtr*) buffer));
}
else
{
((SafeFreeCertContext) refHandle).Set(*((IntPtr*) buffer));
}
}
if ((num != 0) && (refHandle != null))
{
refHandle.SetHandleAsInvalid();
}
}
return num;
}
private static int SetContextAttributes_SECURITY(
SafeDeleteContext phContext,
ContextAttribute contextAttribute,
byte[] buffer)
{
int status = (int)SecurityStatus.InvalidHandle;
bool b = false;
// We don't want to be interrupted by thread abort exceptions or unexpected out-of-memory errors failing
// to jit one of the following methods. So run within a CER non-interruptible block.
RuntimeHelpers.PrepareConstrainedRegions();
try {
phContext.DangerousAddRef(ref b);
}
catch(Exception e) {
if (b)
{
phContext.DangerousRelease();
b = false;
}
if (!(e is ObjectDisposedException))
throw;
}
finally {
if (b)
{
status = UnsafeNclNativeMethods.SafeNetHandles_SECURITY.SetContextAttributesW(
ref phContext._handle, contextAttribute, buffer, buffer.Length);
phContext.DangerousRelease();
}
}
return status;
}
private unsafe static int QueryContextAttributes_SECURITY(
SafeDeleteContext phContext,
ContextAttribute contextAttribute,
byte* buffer,
SafeHandle refHandle)
{
int status = (int)SecurityStatus.InvalidHandle;
bool b = false;
// We don't want to be interrupted by thread abort exceptions or unexpected out-of-memory errors failing to jit
// one of the following methods. So run within a CER non-interruptible block.
RuntimeHelpers.PrepareConstrainedRegions();
try {
phContext.DangerousAddRef(ref b);
}
catch(Exception e) {
if (b)
{
phContext.DangerousRelease();
b = false;
}
if (!(e is ObjectDisposedException))
throw;
}
finally {
if (b)
{
status = UnsafeNclNativeMethods.SafeNetHandles_SECURITY.QueryContextAttributesW(ref phContext._handle, contextAttribute, buffer);
phContext.DangerousRelease();
}
if (status == 0 && refHandle != null) {
if (refHandle is SafeFreeContextBuffer) {
((SafeFreeContextBuffer)refHandle).Set(*(IntPtr*)buffer);
}
else {
((SafeFreeCertContext)refHandle).Set(*(IntPtr*)buffer);
}
}
if (status != 0 && refHandle != null) {
refHandle.SetHandleAsInvalid();
}
}
return status;
}
//
// After PINvoke call the method will fix the handleTemplate.handle with the returned value.
// The caller is responsible for creating a correct SafeFreeContextBuffer_XXX flavour or null can be passed if no handle is returned.
//
// Since it has a CER, this method can't have any references to imports from DLLs that may not exist on the system.
//
private static unsafe int MustRunAcceptSecurityContext_SECURITY(
ref SafeFreeCredentials inCredentials,
void* inContextPtr,
SecurityBufferDescriptor inputBuffer,
ContextFlags inFlags,
Endianness endianness,
SafeDeleteContext outContext,
SecurityBufferDescriptor outputBuffer,
ref ContextFlags outFlags,
SafeFreeContextBuffer handleTemplate)
{
int errorCode = (int) SecurityStatus.InvalidHandle;
bool b1 = false;
bool b2 = false;
// Run the body of this method as a non-interruptible block.
RuntimeHelpers.PrepareConstrainedRegions();
try
{
inCredentials.DangerousAddRef(ref b1);
outContext.DangerousAddRef(ref b2);
}
catch(Exception e)
{
if (b1)
{
inCredentials.DangerousRelease();
b1 = false;
}
if (b2)
{
outContext.DangerousRelease();
b2 = false;
}
if (!(e is ObjectDisposedException))
throw;
}
finally {
SSPIHandle credentialHandle = inCredentials._handle;
long timeStamp;
if (!b1)
{
// caller should retry
inCredentials = null;
}
else if (b1 && b2)
{
errorCode = UnsafeNclNativeMethods.SafeNetHandles_SECURITY.AcceptSecurityContext(
ref credentialHandle,
inContextPtr,
inputBuffer,
inFlags,
endianness,
ref outContext._handle,
outputBuffer,
ref outFlags,
out timeStamp);
//
// When a credential handle is first associated with the context we keep credential
// ref count bumped up to ensure ordered finalization.
// If the credential handle has been changed we de-ref the old one and associate the
// context with the new cred handle but only if the call was successful.
if (outContext._EffectiveCredential != inCredentials && (errorCode & 0x80000000) == 0)
{
// Disassociate the previous credential handle
if (outContext._EffectiveCredential != null)
outContext._EffectiveCredential.DangerousRelease();
outContext._EffectiveCredential = inCredentials;
}
else
{
inCredentials.DangerousRelease();
}
outContext.DangerousRelease();
// The idea is that SSPI has allocated a block and filled up outUnmanagedBuffer+8 slot with the pointer.
if (handleTemplate != null)
{
handleTemplate.Set(((SecurityBufferStruct*)outputBuffer.UnmanagedPointer)->token); //ATTN: on 64 BIT that is still +8 cause of 2* c++ unsigned long == 8 bytes
if (handleTemplate.IsInvalid)
{
handleTemplate.SetHandleAsInvalid();
}
}
}
if (inContextPtr == null && (errorCode & 0x80000000) != 0)
{
// an error on the first call, need to set the out handle to invalid value
outContext._handle.SetToInvalid();
}
}
return errorCode;
}
private unsafe static int QueryContextChannelBinding_SECURITY(SafeDeleteContext phContext, ContextAttribute contextAttribute, Bindings* buffer, SafeFreeContextBufferChannelBinding refHandle)
{
int status = (int)SecurityStatus.InvalidHandle;
bool b = false;
// SCHANNEL only supports SECPKG_ATTR_ENDPOINT_BINDINGS and SECPKG_ATTR_UNIQUE_BINDINGS which
// map to our enum ChannelBindingKind.Endpoint and ChannelBindingKind.Unique.
if (contextAttribute != ContextAttribute.EndpointBindings && contextAttribute != ContextAttribute.UniqueBindings)
{
return status;
}
// We don't want to be interrupted by thread abort exceptions or unexpected out-of-memory errors failing to jit
// one of the following methods. So run within a CER non-interruptible block.
RuntimeHelpers.PrepareConstrainedRegions();
try {
phContext.DangerousAddRef(ref b);
}
catch(Exception e) {
if (b)
{
phContext.DangerousRelease();
b = false;
}
if (!(e is ObjectDisposedException))
throw;
}
finally {
if (b)
{
status = UnsafeNclNativeMethods.SafeNetHandles_SECURITY.QueryContextAttributesW(ref phContext._handle, contextAttribute, buffer);
phContext.DangerousRelease();
}
if (status == 0 && refHandle != null) {
refHandle.Set((*buffer).pBindings);
refHandle.size = (*buffer).BindingsLength;
}
if (status != 0 && refHandle != null) {
refHandle.SetHandleAsInvalid();
}
}
return status;
}
public int EncryptMessage(SafeDeleteContext context, SecurityBufferDescriptor inputOutput, uint sequenceNumber)
{
int status = (int)SecurityStatus.InvalidHandle;
bool b = false;
RuntimeHelpers.PrepareConstrainedRegions();
try {
context.DangerousAddRef(ref b);
}
catch(Exception e) {
if (b)
{
context.DangerousRelease();
b = false;
}
if (!(e is ObjectDisposedException))
throw;
}
finally {
if (b)
{
status = UnsafeNclNativeMethods.NativeNTSSPI.EncryptMessage(ref context._handle, 0, inputOutput, sequenceNumber);
context.DangerousRelease();
}
}
return status;
}
private static int GetSecurityContextToken(SafeDeleteContext phContext, out SafeCloseHandle safeHandle) {
int status = (int)SecurityStatus.InvalidHandle;
bool b = false;
safeHandle = null;
RuntimeHelpers.PrepareConstrainedRegions();
try {
phContext.DangerousAddRef(ref b);
}
catch (Exception e) {
if (b) {
phContext.DangerousRelease();
b = false;
}
if (!(e is ObjectDisposedException))
throw;
}
finally {
if (b) {
status = UnsafeNclNativeMethods.SafeNetHandles.QuerySecurityContextToken(ref phContext._handle, out safeHandle);
phContext.DangerousRelease();
}
}
return status;
}
public unsafe int DecryptMessage(SafeDeleteContext context, SecurityBufferDescriptor inputOutput, uint sequenceNumber) {
int status = (int)SecurityStatus.InvalidHandle;
bool b = false;
uint qop = 0;
RuntimeHelpers.PrepareConstrainedRegions();
try {
context.DangerousAddRef(ref b);
}
catch(Exception e) {
if (b)
{
context.DangerousRelease();
b = false;
}
if (!(e is ObjectDisposedException))
throw;
}
finally {
if (b)
{
status = UnsafeNclNativeMethods.NativeNTSSPI.DecryptMessage(ref context._handle, inputOutput, sequenceNumber, &qop);
context.DangerousRelease();
}
}
const uint SECQOP_WRAP_NO_ENCRYPT = 0x80000001;
if (status == 0 && qop == SECQOP_WRAP_NO_ENCRYPT)
{
GlobalLog.Assert("NativeNTSSPI.DecryptMessage", "Expected qop = 0, returned value = " + qop.ToString("x", CultureInfo.InvariantCulture));
throw new InvalidOperationException(SR.GetString(SR.net_auth_message_not_encrypted));
}
return status;
}
private static int GetSecurityContextToken(SafeDeleteContext phContext, out SafeCloseHandle safeHandle)
{
int num = -2146893055;
bool success = false;
safeHandle = null;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
phContext.DangerousAddRef(ref success);
}
catch (Exception exception)
{
if (success)
{
phContext.DangerousRelease();
success = false;
}
if (!(exception is ObjectDisposedException))
{
throw;
}
}
finally
{
if (success)
{
num = UnsafeNclNativeMethods.SafeNetHandles.QuerySecurityContextToken(ref phContext._handle, out safeHandle);
phContext.DangerousRelease();
}
}
return num;
}
private unsafe int VerifySignatureHelper(SafeDeleteContext context, SecurityBufferDescriptor inputOutput, uint sequenceNumber)
{
int num = -2146893055;
bool success = false;
uint qualityOfProtection = 0;
RuntimeHelpers.PrepareConstrainedRegions();
try
{
context.DangerousAddRef(ref success);
}
catch (Exception exception)
{
if (success)
{
context.DangerousRelease();
success = false;
}
if (!(exception is ObjectDisposedException))
{
throw;
}
}
finally
{
if (success)
{
num = UnsafeNclNativeMethods.NativeNTSSPI.DecryptMessage(ref context._handle, inputOutput, sequenceNumber, &qualityOfProtection);
context.DangerousRelease();
}
}
return num;
}