Fix NegotitateStream (server) on Linux for NTLM (#42522)

davidsh · web-flow · commit 1054f1fba1b7 · 2019-11-11T15:49:41.000-08:00
This PR is a follow up to PR #36827 which added support for Linux server-side GSS-API (AcceptSecContext). This enabled NegotitateStream AuthenticateAsServer* support. It also provided support for ASP.NET Core to allow Kestrel server to have Negotiate authentication on Linux. This PR fixes some problems with Negotiate (SPNEGO) fallback from Kerberos to NTLM. Notably it passes in a correct GSS Acceptor credential so that fallback will work correctly. As part of fixing that, I noticed some other problems with returning the user-identity when NTLM is used. This was tested in a separate enterprise testing environment that I have created. It builds on technologies that we have started using like docker containers and Azure pipelines (e.g. HttpStress). The environment is currently here: https://dev.azure.com/systemnetncl/Enterprise%20Testing. The extra Kerberos tests and container support is here: https://github.com/davidsh/networkingtests When the repo merge is completed, I will work with the infra team to see what things can be merged back into the main repo/CI pipeline and migrate the test sources to an appropriate place in the new repo. Contributes to #10041 Contributes to #24707 Contributes to #30150
diff --git a/src/Common/src/Interop/Unix/System.Net.Security.Native/Interop.GssBuffer.cs b/src/Common/src/Interop/Unix/System.Net.Security.Native/Interop.GssBuffer.cs
@@ -12,7 +12,7 @@ internal static partial class Interop
     internal static partial class NetSecurityNative
     {
         [StructLayout(LayoutKind.Sequential)]
-        internal unsafe struct GssBuffer : IDisposable
+        internal struct GssBuffer : IDisposable
         {
             internal ulong _length;
             internal IntPtr _data;
@@ -52,6 +52,10 @@ internal byte[] ToByteArray()
                 return destination;
             }
 
+            internal unsafe ReadOnlySpan<byte> Span => (_data != IntPtr.Zero && _length != 0) ?
+                new ReadOnlySpan<byte>(_data.ToPointer(), checked((int)_length)) :
+                default;
+
             public void Dispose()
             {
                 if (_data != IntPtr.Zero)
diff --git a/src/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.cs b/src/Common/src/Interop/Unix/System.Net.Security.Native/Interop.NetSecurityNative.cs
@@ -48,6 +48,11 @@ internal static extern Status ReleaseName(
             out Status minorStatus,
             ref IntPtr inputName);
 
+        [DllImport(Interop.Libraries.NetSecurityNative, EntryPoint="NetSecurityNative_AcquireAcceptorCred")]
+        internal static extern Status AcquireAcceptorCred(
+            out Status minorStatus,
+            out SafeGssCredHandle outputCredHandle);
+
         [DllImport(Interop.Libraries.NetSecurityNative, EntryPoint="NetSecurityNative_InitiateCredSpNego")]
         internal static extern Status InitiateCredSpNego(
             out Status minorStatus,
@@ -101,11 +106,13 @@ internal static extern Status InitSecContext(
         [DllImport(Interop.Libraries.NetSecurityNative, EntryPoint="NetSecurityNative_AcceptSecContext")]
         internal static extern Status AcceptSecContext(
             out Status minorStatus,
+            SafeGssCredHandle acceptorCredHandle,
             ref SafeGssContextHandle acceptContextHandle,
             byte[] inputBytes,
             int inputLength,
             ref GssBuffer token,
-            out uint retFlags);
+            out uint retFlags,
+            out bool isNtlmUsed);
 
         [DllImport(Interop.Libraries.NetSecurityNative, EntryPoint="NetSecurityNative_DeleteSecContext")]
         internal static extern Status DeleteSecContext(
diff --git a/src/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.cs b/src/Common/src/Microsoft/Win32/SafeHandles/GssSafeHandles.cs
@@ -74,6 +74,21 @@ internal class SafeGssCredHandle : SafeHandle
     {
         private static readonly Lazy<bool> s_IsNtlmInstalled = new Lazy<bool>(InitIsNtlmInstalled);
 
+        public static SafeGssCredHandle CreateAcceptor()
+        {
+            SafeGssCredHandle retHandle = null;
+            Interop.NetSecurityNative.Status status;
+            Interop.NetSecurityNative.Status minorStatus;
+
+            status = Interop.NetSecurityNative.AcquireAcceptorCred(out minorStatus, out retHandle);
+            if (status != Interop.NetSecurityNative.Status.GSS_S_COMPLETE)
+            {
+                throw new Interop.NetSecurityNative.GssApiException(status, minorStatus);
+            }
+
+            return retHandle;
+        }
+
         /// <summary>
         ///  returns the handle for the given credentials.
         ///  The method returns an invalid handle if the username is null or empty.
@@ -110,7 +125,7 @@ public static SafeGssCredHandle Create(string username, string password, bool is
                 if (status != Interop.NetSecurityNative.Status.GSS_S_COMPLETE)
                 {
                     retHandle.Dispose();
-                    throw new Interop.NetSecurityNative.GssApiException(status, minorStatus, null);
+                    throw new Interop.NetSecurityNative.GssApiException(status, minorStatus);
                 }
             }
 
diff --git a/src/Common/src/System/Net/ContextFlagsAdapterPal.Unix.cs b/src/Common/src/System/Net/ContextFlagsAdapterPal.Unix.cs
@@ -23,7 +23,6 @@ public ContextFlagMapping(Interop.NetSecurityNative.GssFlags gssFlag, ContextFla
         private static readonly ContextFlagMapping[] s_contextFlagMapping = new[]
         {
             new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_CONF_FLAG, ContextFlagsPal.Confidentiality),
-            new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_IDENTIFY_FLAG, ContextFlagsPal.InitIdentify),
             new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_MUTUAL_FLAG, ContextFlagsPal.MutualAuth),
             new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_REPLAY_FLAG, ContextFlagsPal.ReplayDetect),
             new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_SEQUENCE_FLAG, ContextFlagsPal.SequenceDetect),
@@ -35,6 +34,20 @@ internal static ContextFlagsPal GetContextFlagsPalFromInterop(Interop.NetSecurit
         {
             ContextFlagsPal flags = ContextFlagsPal.None;
 
+            // GSS_C_IDENTIFY_FLAG is handled separately as its value can either be AcceptIdentify (used by server) or InitIdentify (used by client)
+            if ((gssFlags & Interop.NetSecurityNative.GssFlags.GSS_C_IDENTIFY_FLAG) != 0)
+            {
+                flags |= isServer ? ContextFlagsPal.AcceptIdentify : ContextFlagsPal.InitIdentify;
+            }
+
+            foreach (ContextFlagMapping mapping in s_contextFlagMapping)
+            {
+                if ((gssFlags & mapping.GssFlags) == mapping.GssFlags)
+                {
+                    flags |= mapping.ContextFlag;
+                }
+            }
+
             // GSS_C_INTEG_FLAG is handled separately as its value can either be AcceptIntegrity (used by server) or InitIntegrity (used by client)
             if ((gssFlags & Interop.NetSecurityNative.GssFlags.GSS_C_INTEG_FLAG) != 0)
             {
@@ -56,6 +69,22 @@ internal static Interop.NetSecurityNative.GssFlags GetInteropFromContextFlagsPal
         {
             Interop.NetSecurityNative.GssFlags gssFlags = 0;
 
+            // GSS_C_IDENTIFY_FLAG is set if either AcceptIdentify (used by server) or InitIdentify (used by client) is set
+            if (isServer)
+            {
+                if ((flags & ContextFlagsPal.AcceptIdentify) != 0)
+                {
+                    gssFlags |= Interop.NetSecurityNative.GssFlags.GSS_C_IDENTIFY_FLAG;
+                }
+            }
+            else
+            {
+                if ((flags & ContextFlagsPal.InitIdentify) != 0)
+                {
+                    gssFlags |= Interop.NetSecurityNative.GssFlags.GSS_C_IDENTIFY_FLAG;
+                }
+            }
+
             // GSS_C_INTEG_FLAG is set if either AcceptIntegrity (used by server) or InitIntegrity (used by client) is set
             if (isServer)
             {
diff --git a/src/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs b/src/Common/src/System/Net/Security/NegotiateStreamPal.Unix.cs
@@ -187,10 +187,14 @@ private static bool GssInitSecurityContext(
 
         private static bool GssAcceptSecurityContext(
             ref SafeGssContextHandle context,
+            SafeGssCredHandle credential,
             byte[] buffer,
             out byte[] outputBuffer,
-            out uint outFlags)
+            out uint outFlags,
+            out bool isNtlmUsed)
         {
+            Debug.Assert(credential != null);
+
             bool newContext = false;
             if (context == null)
             {
@@ -205,11 +209,13 @@ private static bool GssAcceptSecurityContext(
             {
                 Interop.NetSecurityNative.Status minorStatus;
                 status = Interop.NetSecurityNative.AcceptSecContext(out minorStatus,
+                                                                    credential,
                                                                     ref context,
                                                                     buffer,
                                                                     buffer?.Length ?? 0,
                                                                     ref token,
-                                                                    out outFlags);
+                                                                    out outFlags,
+                                                                    out isNtlmUsed);
 
                 if ((status != Interop.NetSecurityNative.Status.GSS_S_COMPLETE) &&
                     (status != Interop.NetSecurityNative.Status.GSS_S_CONTINUE_NEEDED))
@@ -249,7 +255,15 @@ Interop.NetSecurityNative.Status status
                     throw new Interop.NetSecurityNative.GssApiException(status, minorStatus);
                 }
 
-                return Encoding.UTF8.GetString(token.ToByteArray());
+                ReadOnlySpan<byte> tokenBytes = token.Span;
+                int length = tokenBytes.Length;
+                if (length > 0 && tokenBytes[length - 1] == '\0')
+                {
+                    // Some GSS-API providers (gss-ntlmssp) include the terminating null with strings, so skip that.
+                    tokenBytes = tokenBytes.Slice(0, length - 1);
+                }
+
+                return Encoding.UTF8.GetString(tokenBytes);
             }
             finally
             {
@@ -274,7 +288,7 @@ private static SecurityStatusPal EstablishSecurityContext(
                 if (NetEventSource.IsEnabled)
                 {
                     string protocol = isNtlmOnly ? "NTLM" : "SPNEGO";
-                    NetEventSource.Info(null, $"requested protocol = {protocol}, target = {targetName}");
+                    NetEventSource.Info(context, $"requested protocol = {protocol}, target = {targetName}");
                 }
 
                 context = new SafeDeleteNegoContext(credential, targetName);
@@ -305,7 +319,7 @@ private static SecurityStatusPal EstablishSecurityContext(
                     if (NetEventSource.IsEnabled)
                     {
                         string protocol = isNtlmOnly ? "NTLM" : isNtlmUsed ? "SPNEGO-NTLM" : "SPNEGO-Kerberos";
-                        NetEventSource.Info(null, $"actual protocol = {protocol}");
+                        NetEventSource.Info(context, $"actual protocol = {protocol}");
                     }
 
                     // Populate protocol used for authentication
@@ -396,9 +410,11 @@ internal static SecurityStatusPal AcceptSecurityContext(
                 SafeGssContextHandle contextHandle = negoContext.GssContext;
                 bool done = GssAcceptSecurityContext(
                    ref contextHandle,
+                   negoContext.AcceptorCredential,
                    incomingBlob,
                    out resultBlob,
-                   out uint outputFlags);
+                   out uint outputFlags,
+                   out bool isNtlmUsed);
 
                 Debug.Assert(resultBlob != null, "Unexpected null buffer returned by GssApi");
                 Debug.Assert(negoContext.GssContext == null || contextHandle == negoContext.GssContext);
@@ -413,9 +429,22 @@ internal static SecurityStatusPal AcceptSecurityContext(
                 contextFlags = ContextFlagsAdapterPal.GetContextFlagsPalFromInterop(
                     (Interop.NetSecurityNative.GssFlags)outputFlags, isServer: true);
 
-                SecurityStatusPalErrorCode errorCode = done ?
-                    (negoContext.IsNtlmUsed && resultBlob.Length > 0 ? SecurityStatusPalErrorCode.OK : SecurityStatusPalErrorCode.CompleteNeeded) :
-                    SecurityStatusPalErrorCode.ContinueNeeded;
+                SecurityStatusPalErrorCode errorCode;
+                if (done)
+                {
+                    if (NetEventSource.IsEnabled)
+                    {
+                        string protocol = isNtlmUsed ? "SPNEGO-NTLM" : "SPNEGO-Kerberos";
+                        NetEventSource.Info(securityContext, $"AcceptSecurityContext: actual protocol = {protocol}");
+                    }
+
+                    negoContext.SetAuthenticationPackage(isNtlmUsed);
+                    errorCode = (isNtlmUsed && resultBlob.Length > 0) ? SecurityStatusPalErrorCode.OK : SecurityStatusPalErrorCode.CompleteNeeded;
+                }
+                else
+                {
+                    errorCode = SecurityStatusPalErrorCode.ContinueNeeded;
+                }
 
                 return new SecurityStatusPal(errorCode);
             }
diff --git a/src/Common/src/System/Net/Security/Unix/SafeDeleteNegoContext.cs b/src/Common/src/System/Net/Security/Unix/SafeDeleteNegoContext.cs
@@ -12,10 +12,20 @@ namespace System.Net.Security
 {
     internal sealed class SafeDeleteNegoContext : SafeDeleteContext
     {
+        private SafeGssCredHandle _acceptorCredential;
         private SafeGssNameHandle _targetName;
         private SafeGssContextHandle _context;
         private bool _isNtlmUsed;
 
+        public SafeGssCredHandle AcceptorCredential
+        {
+            get
+            {
+                _acceptorCredential ??= SafeGssCredHandle.CreateAcceptor();
+                return _acceptorCredential;
+            }
+        }
+
         public SafeGssNameHandle TargetName
         {
             get { return _targetName; }
@@ -78,6 +88,12 @@ protected override void Dispose(bool disposing)
                     _targetName.Dispose();
                     _targetName = null;
                 }
+
+                if (_acceptorCredential != null)
+                {
+                    _acceptorCredential.Dispose();
+                    _acceptorCredential = null;
+                }
             }
             base.Dispose(disposing);
         }
diff --git a/src/Native/Unix/System.Net.Security.Native/pal_gssapi.c b/src/Native/Unix/System.Net.Security.Native/pal_gssapi.c
@@ -299,33 +299,53 @@ uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 }
 
 uint32_t NetSecurityNative_AcceptSecContext(uint32_t* minorStatus,
+                                            GssCredId* acceptorCredHandle,
                                             GssCtxId** contextHandle,
                                             uint8_t* inputBytes,
                                             uint32_t inputLength,
                                             PAL_GssBuffer* outBuffer,
-                                            uint32_t* retFlags)
+                                            uint32_t* retFlags,
+                                            int32_t* isNtlmUsed)
 {
     assert(minorStatus != NULL);
+    assert(acceptorCredHandle != NULL);
     assert(contextHandle != NULL);
     assert(inputBytes != NULL || inputLength == 0);
     assert(outBuffer != NULL);
+    assert(isNtlmUsed != NULL);
     // Note: *contextHandle is null only in the first call and non-null in the subsequent calls
 
     GssBuffer inputToken = {.length = inputLength, .value = inputBytes};
     GssBuffer gssBuffer = {.length = 0, .value = NULL};
 
+    gss_OID mechType = GSS_C_NO_OID;
     uint32_t majorStatus = gss_accept_sec_context(minorStatus,
                                                   contextHandle,
-                                                  GSS_C_NO_CREDENTIAL,
+                                                  acceptorCredHandle,
                                                   &inputToken,
                                                   GSS_C_NO_CHANNEL_BINDINGS,
                                                   NULL,
-                                                  NULL,
+                                                  &mechType,
                                                   &gssBuffer,
                                                   retFlags,
                                                   NULL,
                                                   NULL);
 
+#if HAVE_GSS_SPNEGO_MECHANISM
+    gss_OID ntlmMech = GSS_NTLM_MECHANISM;
+#else
+    gss_OID ntlmMech = &gss_mech_ntlm_OID_desc;
+#endif
+
+    *isNtlmUsed = (gss_oid_equal(mechType, ntlmMech) != 0) ? 1 : 0;
+
+    // The gss_ntlmssp provider doesn't support impersonation or delegation but fails to set the GSS_C_IDENTIFY_FLAG
+    // flag. So, we'll set it here to keep the behavior consistent with Windows platform.
+    if (*isNtlmUsed == 1)
+    {
+        *retFlags |= GSS_C_IDENTIFY_FLAG;
+    }
+
     NetSecurityNative_MoveBuffer(&gssBuffer, outBuffer);
     return majorStatus;
 }
@@ -494,6 +514,19 @@ static uint32_t NetSecurityNative_AcquireCredWithPassword(uint32_t* minorStatus,
     return majorStatus;
 }
 
+uint32_t NetSecurityNative_AcquireAcceptorCred(uint32_t* minorStatus,
+                                               GssCredId** outputCredHandle)
+{
+    return gss_acquire_cred(minorStatus,
+                            GSS_C_NO_NAME,
+                            GSS_C_INDEFINITE,
+                            GSS_C_NO_OID_SET,
+                            GSS_C_ACCEPT,
+                            outputCredHandle,
+                            NULL,
+                            NULL);
+}
+
 uint32_t NetSecurityNative_InitiateCredWithPassword(uint32_t* minorStatus,
                                                     int32_t isNtlm,
                                                     GssName* desiredName,
diff --git a/src/Native/Unix/System.Net.Security.Native/pal_gssapi.h b/src/Native/Unix/System.Net.Security.Native/pal_gssapi.h
@@ -89,6 +89,11 @@ Shims the gss_release_name method.
 */
 DLLEXPORT uint32_t NetSecurityNative_ReleaseName(uint32_t* minorStatus, GssName** inputName);
 
+/*
+Shims the gss_acquire_cred method with GSS_C_ACCEPT.
+*/
+DLLEXPORT uint32_t NetSecurityNative_AcquireAcceptorCred(uint32_t* minorStatus, GssCredId** outputCredHandle);
+
 /*
 Shims the gss_acquire_cred method with SPNEGO oids with  GSS_C_INITIATE.
 */
@@ -133,11 +138,13 @@ DLLEXPORT uint32_t NetSecurityNative_InitSecContextEx(uint32_t* minorStatus,
 Shims the gss_accept_sec_context method.
 */
 DLLEXPORT uint32_t NetSecurityNative_AcceptSecContext(uint32_t* minorStatus,
+                                                      GssCredId* acceptorCredHandle,
                                                       GssCtxId** contextHandle,
                                                       uint8_t* inputBytes,
                                                       uint32_t inputLength,
                                                       PAL_GssBuffer* outBuffer,
-                                                      uint32_t* retFlags);
+                                                      uint32_t* retFlags,
+                                                      int32_t* isNtlmUsed);
 
 /*
 

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ internal static partial class Interop`
`12`	`12`	`internal static partial class NetSecurityNative`
`13`	`13`	`{`
`14`	`14`	`[StructLayout(LayoutKind.Sequential)]`
`15`		`- internal unsafe struct GssBuffer : IDisposable`
	`15`	`+ internal struct GssBuffer : IDisposable`
`16`	`16`	`{`
`17`	`17`	`internal ulong _length;`
`18`	`18`	`internal IntPtr _data;`
`@@ -52,6 +52,10 @@ internal byte[] ToByteArray()`
`52`	`52`	`return destination;`
`53`	`53`	`}`
`54`	`54`
	`55`	`+ internal unsafe ReadOnlySpan<byte> Span => (_data != IntPtr.Zero && _length != 0) ?`
	`56`	`+ new ReadOnlySpan<byte>(_data.ToPointer(), checked((int)_length)) :`
	`57`	`+ default;`
	`58`	`+`
`55`	`59`	`public void Dispose()`
`56`	`60`	`{`
`57`	`61`	`if (_data != IntPtr.Zero)`
Original file line number	Diff line number	Diff line change
`@@ -12,10 +12,20 @@ namespace System.Net.Security`
`12`	`12`	`{`
`13`	`13`	`internal sealed class SafeDeleteNegoContext : SafeDeleteContext`
`14`	`14`	`{`
	`15`	`+ private SafeGssCredHandle _acceptorCredential;`
`15`	`16`	`private SafeGssNameHandle _targetName;`
`16`	`17`	`private SafeGssContextHandle _context;`
`17`	`18`	`private bool _isNtlmUsed;`
`18`	`19`
	`20`	`+ public SafeGssCredHandle AcceptorCredential`
	`21`	`+ {`
	`22`	`+ get`
	`23`	`+ {`
	`24`	`+ _acceptorCredential ??= SafeGssCredHandle.CreateAcceptor();`
	`25`	`+ return _acceptorCredential;`
	`26`	`+ }`
	`27`	`+ }`
	`28`	`+`
`19`	`29`	`public SafeGssNameHandle TargetName`
`20`	`30`	`{`
`21`	`31`	`get { return _targetName; }`
`@@ -78,6 +88,12 @@ protected override void Dispose(bool disposing)`
`78`	`88`	`_targetName.Dispose();`
`79`	`89`	`_targetName = null;`
`80`	`90`	`}`
	`91`	`+`
	`92`	`+ if (_acceptorCredential != null)`
	`93`	`+ {`
	`94`	`+ _acceptorCredential.Dispose();`
	`95`	`+ _acceptorCredential = null;`
	`96`	`+ }`
`81`	`97`	`}`
`82`	`98`	`base.Dispose(disposing);`
`83`	`99`	`}`