WIP: Add implementation of NegotiateAuthentication

Switch System.Net.Http to use NegotiateAuthentication Fix IsCompleted in managed NTLM implementation
dotnet · wfurt · Jun 21, 2022 · Jun 3, 2022 · Jun 4, 2022 · Jun 4, 2022
commit 4ac2501dad3b0bb4694a54daabe37556b4890371
diff --git a/src/libraries/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.PlatformNotSupported.cs b/src/libraries/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.PlatformNotSupported.cs
diff --git a/src/libraries/Common/src/System/Net/ContextFlagsAdapterPal.PlatformNotSupported.cs b/src/libraries/Common/src/System/Net/ContextFlagsAdapterPal.PlatformNotSupported.cs
diff --git a/src/libraries/Common/src/System/Net/NTAuthentication.Common.cs b/src/libraries/Common/src/System/Net/NTAuthentication.Common.cs
@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.ComponentModel;
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using System.Net.Security;
@@ -90,6 +91,34 @@ internal bool IsKerberos
             }
         }
 
+        internal bool IsNTLM
+        {
+            get
+            {
+                if (_lastProtocolName == null)
+                {
+                    _lastProtocolName = ProtocolName;
+                }
+
+                return (object)_lastProtocolName == (object)NegotiationInfoClass.NTLM;
+            }
+        }
+
+        internal string? AssociatedName
+        {
+            get
+            {
+                if (!(IsValidContext && IsCompleted))
+                {
+                    throw new Win32Exception((int)SecurityStatusPalErrorCode.InvalidHandle);
+                }
+
+                string? name = NegotiateStreamPal.QueryContextAssociatedName(_securityContext!);
+                if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(this, $"NTAuthentication: The context is associated with [{name}]");
+                return name;
+            }
+        }
+
         //
         // This overload does not attempt to impersonate because the caller either did it already or the original thread context is still preserved.
         //
@@ -312,5 +341,21 @@ internal int MakeSignature(byte[] buffer, int offset, int count, [AllowNull] ref
 
             return spn;
         }
+
+        internal int Encrypt(ReadOnlySpan<byte> buffer, [NotNull] ref byte[]? output, uint sequenceNumber)
+        {
+            return NegotiateStreamPal.Encrypt(
+                _securityContext!,
+                buffer,
+                IsConfidentialityFlag,
+                IsNTLM,
+                ref output,
+                sequenceNumber);
+        }
+
+        internal int Decrypt(byte[] payload, int offset, int count, out int newOffset, uint expectedSeqNumber)
+        {
+            return NegotiateStreamPal.Decrypt(_securityContext!, payload, offset, count, IsConfidentialityFlag, IsNTLM, out newOffset, expectedSeqNumber);
+        }
     }
 }
diff --git a/src/libraries/Common/src/System/Net/NTAuthentication.Managed.cs b/src/libraries/Common/src/System/Net/NTAuthentication.Managed.cs
@@ -7,7 +7,6 @@
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using System.Formats.Asn1;
-using System.Net.Http.Headers;
 using System.Net.Security;
 using System.Runtime.InteropServices;
 using System.Runtime.Versioning;
@@ -27,6 +26,7 @@ internal sealed partial class NTAuthentication
         private readonly NetworkCredential _credential;
         private readonly string? _spn;
         private readonly ChannelBinding? _channelBinding;
+        private readonly ContextFlagsPal _contextFlags;
 
         // State parameters
         private byte[]? _spnegoMechList;
@@ -278,10 +278,10 @@ internal NTAuthentication(bool isServer, string package, NetworkCredential crede
 
             if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(this, $"package={package}, spn={spn}, requestedContextFlags={requestedContextFlags}");
 
-            // TODO: requestedContextFlags
             _credential = credential;
             _spn = spn;
             _channelBinding = channelBinding;
+            _contextFlags = requestedContextFlags;
         }
 
         internal void CloseContext()
@@ -313,43 +313,60 @@ internal void CloseContext()
             {
                 decodedIncomingBlob = Convert.FromBase64String(incomingBlob);
             }
-            byte[]? decodedOutgoingBlob;
+            byte[]? decodedOutgoingBlob = GetOutgoingBlob(decodedIncomingBlob, true);
+            string? outgoingBlob = null;
+            if (decodedOutgoingBlob != null && decodedOutgoingBlob.Length > 0)
+            {
+                outgoingBlob = Convert.ToBase64String(decodedOutgoingBlob);
+            }
+
+            if (IsCompleted)
+            {
+                CloseContext();
+            }
+
+            return outgoingBlob;
+        }
+
+        internal byte[]? GetOutgoingBlob(byte[]? incomingBlob, bool throwOnError)
+        {
+            return GetOutgoingBlob(incomingBlob, throwOnError, out _);
+        }
+
+        // Accepts an incoming binary security blob and returns an outgoing binary security blob.
+        internal unsafe byte[]? GetOutgoingBlob(byte[]? incomingBlob, bool throwOnError, out SecurityStatusPal statusCode)
+        {
+            byte[]? outgoingBlob;
 
             // TODO: Logging, validation
             if (_negotiateMessage == null)
             {
-                Debug.Assert(decodedIncomingBlob == null);
+                Debug.Assert(incomingBlob == null);
 
                 _negotiateMessage = new byte[sizeof(NegotiateMessage)];
                 CreateNtlmNegotiateMessage(_negotiateMessage);
 
-                decodedOutgoingBlob = _isSpNego ? CreateSpNegoNegotiateMessage(_negotiateMessage) : _negotiateMessage;
+                outgoingBlob = _isSpNego ? CreateSpNegoNegotiateMessage(_negotiateMessage) : _negotiateMessage;
                 statusCode = SecurityStatusPalContinueNeeded;
             }
             else
             {
-                Debug.Assert(decodedIncomingBlob != null);
+                Debug.Assert(incomingBlob != null);
 
                 if (!_isSpNego)
                 {
                     IsCompleted = true;
-                    decodedOutgoingBlob = ProcessChallenge(decodedIncomingBlob, out statusCode);
+                    outgoingBlob = ProcessChallenge(incomingBlob, out statusCode);
                 }
                 else
                 {
-                    decodedOutgoingBlob = ProcessSpNegoChallenge(decodedIncomingBlob, out statusCode);
+                    outgoingBlob = ProcessSpNegoChallenge(incomingBlob, out statusCode);
                 }
             }
 
-            string? outgoingBlob = null;
-            if (decodedOutgoingBlob != null && decodedOutgoingBlob.Length > 0)
+            if (statusCode.ErrorCode >= SecurityStatusPalErrorCode.OutOfMemory && throwOnError)
             {
-                outgoingBlob = Convert.ToBase64String(decodedOutgoingBlob);
-            }
-
-            if (IsCompleted)
-            {
-                CloseContext();
+                throw new Win32Exception(NTE_FAIL, statusCode.ErrorCode.ToString());
             }
 
             return outgoingBlob;
@@ -917,8 +934,13 @@ private unsafe byte[] CreateSpNegoNegotiateMessage(ReadOnlySpan<byte> ntlmNegoti
             }
             catch (AsnContentException)
             {
+<<<<<<< HEAD
                 statusCode = SecurityStatusPalInvalidToken;
                 return null;
+=======
+                statusCode = new SecurityStatusPal(SecurityStatusPalErrorCode.IllegalMessage, e);
+                return Array.Empty<byte>();
+>>>>>>> WIP: Add implementation of NegotiateAuthentication
             }
 
             if (blob?.Length > 0)
@@ -927,9 +949,14 @@ private unsafe byte[] CreateSpNegoNegotiateMessage(ReadOnlySpan<byte> ntlmNegoti
                 // message with the challenge blob.
                 if (!NtlmOid.Equals(mech))
                 {
+<<<<<<< HEAD
                     if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(this, $"Server requested unknown mechanism {mech}");
                     statusCode = SecurityStatusPalPackageNotFound;
                     return null;
+=======
+                    statusCode = new SecurityStatusPal(SecurityStatusPalErrorCode.PackageNotFound);
+                    return Array.Empty<byte>();
+>>>>>>> WIP: Add implementation of NegotiateAuthentication
                 }
 
                 // Process decoded NTLM blob.
@@ -960,7 +987,11 @@ private unsafe byte[] CreateSpNegoNegotiateMessage(ReadOnlySpan<byte> ntlmNegoti
                         }
                     }
 
+<<<<<<< HEAD
                     statusCode = state == NegState.RequestMic ? SecurityStatusPalContinueNeeded : SecurityStatusPalOk;
+=======
+                    statusCode = SecurityStatusPalContinueNeeded;
+>>>>>>> WIP: Add implementation of NegotiateAuthentication
                     return writer.Encode();
                 }
             }
@@ -969,6 +1000,7 @@ private unsafe byte[] CreateSpNegoNegotiateMessage(ReadOnlySpan<byte> ntlmNegoti
             {
                 if (_spnegoMechList == null || state != NegState.AcceptCompleted)
                 {
+<<<<<<< HEAD
                     statusCode = SecurityStatusPalInternalError;
                     return null;
                 }
@@ -977,10 +1009,15 @@ private unsafe byte[] CreateSpNegoNegotiateMessage(ReadOnlySpan<byte> ntlmNegoti
                 {
                     statusCode = SecurityStatusPalMessageAltered;
                     return null;
+=======
+                    statusCode = new SecurityStatusPal(SecurityStatusPalErrorCode.MessageAltered);
+                    return Array.Empty<byte>();
+>>>>>>> WIP: Add implementation of NegotiateAuthentication
                 }
             }
 
             IsCompleted = state == NegState.AcceptCompleted || state == NegState.Reject;
+<<<<<<< HEAD
             statusCode = state switch {
                 NegState.AcceptCompleted => SecurityStatusPalOk,
                 NegState.AcceptIncomplete => SecurityStatusPalContinueNeeded,
@@ -989,6 +1026,35 @@ private unsafe byte[] CreateSpNegoNegotiateMessage(ReadOnlySpan<byte> ntlmNegoti
             };
 
             return null;
+=======
+
+            statusCode = IsCompleted ? SecurityStatusPalOk : new SecurityStatusPal(SecurityStatusPalErrorCode.LogonDenied);
+            return Array.Empty<byte>();
+>>>>>>> WIP: Add implementation of NegotiateAuthentication
+        }
+
+#pragma warning disable CA1822
+        internal int Encrypt(ReadOnlySpan<byte> buffer, [NotNull] ref byte[]? output, uint sequenceNumber)
+        {
+            throw new PlatformNotSupportedException();
         }
+
+        internal int Decrypt(byte[] payload, int offset, int count, out int newOffset, uint expectedSeqNumber)
+        {
+            throw new PlatformNotSupportedException();
+        }
+
+        internal string ProtocolName => _isSpNego ? NegotiationInfoClass.Negotiate : NegotiationInfoClass.NTLM;
+
+        internal bool IsNTLM => true;
+
+        internal bool IsKerberos => false;
+
+        internal bool IsServer => false;
+
+        internal bool IsValidContext => true;
+
+        internal string? ClientSpecifiedSpn => _spn;
+#pragma warning restore CA1822
     }
 }