Implementing NegoState.Unix.cs

src/Common/src/Interop/Unix/System.Net.Security.Native/SecuritySafeHandles.cs

@@ -0,0 +1,97 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using System.Text;
+using Microsoft.Win32.SafeHandles;
+
+namespace System.Net.Security
+{
+    internal sealed class SafeFreeNegoCredentials : SafeFreeCredentials
+    {
+        private SafeGssCredHandle _credential;
+
+        public SafeGssCredHandle GssCredential
+        {
+            get { return _credential; }
+        }
+
+        public SafeFreeNegoCredentials(string username, string password, string domain) : base(IntPtr.Zero, true)
+        {
+            bool ignore = false;
+            _credential = SafeGssCredHandle.Create(username, password, domain);
+            _credential.DangerousAddRef(ref ignore);
+        }
+
+        public override bool IsInvalid
+        {
+            get { return (null == _credential); }
+        }
+
+        protected override bool ReleaseHandle()
+        {
+            _credential.DangerousRelease();
+            _credential = null;
+            return true;
+        }
+    }
+
+    internal sealed class SafeDeleteNegoContext : SafeDeleteContext
+    {
+        private SafeGssNameHandle _targetName;
+        private SafeGssContextHandle _context;
+
+        public SafeGssNameHandle TargetName
+        {
+            get { return _targetName; }
+        }
+
+        public SafeGssContextHandle GssContext
+        {
+            get { return _context; }
+        }
+
+        public SafeDeleteNegoContext(SafeFreeNegoCredentials credential, string targetName)
+            : base(credential)
+        {
+            try
+            {
+                _targetName = SafeGssNameHandle.CreatePrincipal(targetName);
+            }
+            catch
+            {
+                Debug.Assert((null != credential), "Null credential in SafeDeleteNegoContext");
+                Dispose();
+                throw;
+            }
+        }
+
+        public void SetGssContext(SafeGssContextHandle context)
+        {
+            Debug.Assert(!context.IsInvalid, "Invalid context passed to SafeDeleteNegoContext");
+            _context = context;
+        }
+
+        protected override void Dispose(bool disposing)
+        {
+            if (disposing)
+            {
+                if (null != _context)
+                {
+                    _context.Dispose();
+                    _context = null;
+                }
+
+                if (_targetName != null)
+                {
+                    _targetName.Dispose();
+                    _targetName = null;
+                }
+            }
+            base.Dispose(disposing);
+        }
+    }
+}

src/Common/src/Interop/Unix/libssl/SecuritySafeHandles.cs

@@ -56,12 +56,19 @@ protected override bool ReleaseHandle()
     // Implementation of handles dependable on FreeCredentialsHandle
     //
 #if DEBUG
-    internal sealed class SafeFreeCredentials : DebugSafeHandle
+    internal abstract class SafeFreeCredentials : DebugSafeHandle
     {
 #else
-    internal sealed class SafeFreeCredentials : SafeHandle
+    internal abstract class SafeFreeCredentials : SafeHandle
     {
 #endif
+        protected SafeFreeCredentials(IntPtr handle, bool ownsHandle) : base(handle, ownsHandle)
+        {
+        }
+    }
+
+    internal sealed class SafeFreeSslCredentials : SafeFreeCredentials
+    {
         private SafeX509Handle _certHandle;
         private SafeEvpPKeyHandle _certKeyHandle;
         private SslProtocols _protocols = SslProtocols.None;
@@ -87,7 +94,7 @@ internal EncryptionPolicy Policy
             get { return _policy; }
         }
 
-        public SafeFreeCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy)
+        public SafeFreeSslCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy)
             : base(IntPtr.Zero, true)
         {
             Debug.Assert(
@@ -207,14 +214,50 @@ protected override bool ReleaseHandle()
     }
 
 #if DEBUG
-    internal sealed class SafeDeleteContext : DebugSafeHandle
+    internal abstract class SafeDeleteContext : DebugSafeHandle
     {
 #else
-    internal sealed class SafeDeleteContext : SafeHandle
+    internal abstract class SafeDeleteContext : SafeHandle
     {
 #endif
-        private readonly SafeFreeCredentials _credential;
-        private readonly SafeSslHandle _sslContext;
+        private SafeFreeCredentials _credential;
+
+        protected SafeDeleteContext(SafeFreeCredentials credential)
+            : base(IntPtr.Zero, true)
+        {
+            Debug.Assert((null != credential), "Invalid credential passed to SafeDeleteContext");
+
+            // When a credential handle is first associated with the context we keep credential
+            // ref count bumped up to ensure ordered finalization. The credential properties
+            // are used in the SSL/NEGO data structures and should survive the lifetime of
+            // the SSL/NEGO context
+            bool ignore = false;
+            _credential = credential;
+            _credential.DangerousAddRef(ref ignore);
+        }
+
+        public override bool IsInvalid
+        {
+            get { return (null == _credential); }
+        }
+
+        protected override bool ReleaseHandle()
+        {
+            Debug.Assert((null != _credential), "Null credential in SafeDeleteContext");
+            _credential.DangerousRelease();
+            _credential = null;
+            return true;
+        }
+
+        public override string ToString()
+        {
+            return handle.ToString();
+        }
+    }
+
+    internal sealed class SafeDeleteSslContext : SafeDeleteContext
+    {
+        private SafeSslHandle _sslContext;
 
         public SafeSslHandle SslContext
         {
@@ -224,18 +267,10 @@ public SafeSslHandle SslContext
             }
         }
 
-        public SafeDeleteContext(SafeFreeCredentials credential, bool isServer, bool remoteCertRequired)
-            : base(IntPtr.Zero, true)
+        public SafeDeleteSslContext(SafeFreeSslCredentials credential, bool isServer, bool remoteCertRequired)
+            : base(credential)
         {
-            Debug.Assert((null != credential) && !credential.IsInvalid, "Invalid credential used in SafeDeleteContext");
-
-            // When a credential handle is first associated with the context we keep credential
-            // ref count bumped up to ensure ordered finalization. The certificate handle and
-            // key handle are used in the SSL data structures and should survive the lifetime of
-            // the SSL context
-            bool gotCredRef = false;
-            _credential = credential;
-            _credential.DangerousAddRef(ref gotCredRef);
+            Debug.Assert((null != credential) && !credential.IsInvalid, "Invalid credential used in SafeDeleteSslContext");
 
             try
             {
@@ -249,11 +284,8 @@ public SafeDeleteContext(SafeFreeCredentials credential, bool isServer, bool rem
             }
             catch(Exception ex)
             {
-                if (gotCredRef)
-                {
-                    _credential.DangerousRelease();
-                }
                 Debug.Write("Exception Caught. - " + ex);
+                Dispose();
                 throw;
             }
         }
@@ -266,26 +298,23 @@ public override bool IsInvalid
             }
         }
 
-        protected override bool ReleaseHandle()
-        {
-            Debug.Assert((null != _credential) && !_credential.IsInvalid, "Invalid credential saved in SafeDeleteContext");
-            _credential.DangerousRelease();
-            return true;
-        }
-
         protected override void Dispose(bool disposing)
         {
             if (disposing)
             {
-                _sslContext.Dispose();
+                if (null != _sslContext)
+                {
+                    _sslContext.Dispose();
+                    _sslContext = null;
+                }
             }
 
             base.Dispose(disposing);
         }
 
         public override string ToString()
         {
-            return IsInvalid ? String.Empty : handle.ToString();
+            return handle.ToString();
         }
     }
 

src/System.Net.Security/src/Resources/Strings.resx

@@ -432,4 +432,13 @@
   <data name="net_context_buffer_too_small" xml:space="preserve">
     <value>Insufficient buffer space. Required: {0} Actual: {1}.</value>
   </data>
+  <data name="net_nego_channel_binding_not_supported" xml:space="preserve">
+    <value>No support for channel binding on operating systems other than Windows</value>
+  </data>
+  <data name="net_nego_ntlm_not_supported" xml:space="preserve">
+    <value>NTLM is not supported</value>
+  </data>
+  <data name="net_nego_server_not_supported" xml:space="preserve">
+    <value>Server implementation is not supported</value>
+  </data>
 </root>

src/System.Net.Security/src/System.Net.Security.csproj

@@ -241,6 +241,7 @@
 
     <!-- NegotiateStream -->    
     <Compile Include="System\Net\NegotiateStreamPal.Unix.cs" />
+    <Compile Include="System\Net\ContextFlagsAdapterPal.Unix.cs" />
 
     <!-- Interop -->
     <Compile Include="$(CommonPath)\Interop\Unix\Interop.Libraries.cs">
@@ -306,6 +307,24 @@
     <Compile Include="$(CommonPath)\Interop\Unix\System.Net.Security.Native\Interop.Initialization.cs">
       <Link>Common\Interop\Unix\System.Net.Security.Native\Interop.Initialization.cs</Link>
     </Compile>
+    <Compile Include="$(CommonPath)\Interop\Unix\System.Net.Security.Native\Interop.GssApi.cs">
+      <Link>Common\Interop\Unix\System.Net.Security.Native\Interop.GssApi.cs</Link>
+    </Compile>
+    <Compile Include="$(CommonPath)\Interop\Unix\System.Net.Security.Native\Interop.GssApiException.cs"> 
+      <Link>Common\Interop\Unix\System.Net.Security.Native\Interop.GssApiException.cs</Link> 
+    </Compile> 
+    <Compile Include="$(CommonPath)\Interop\Unix\System.Net.Security.Native\Interop.GssBuffer.cs">  
+      <Link>Common\Interop\Unix\System.Net.Security.Native\Interop.GssBuffer.cs</Link>  
+    </Compile>
+    <Compile Include="$(CommonPath)\Interop\Unix\System.Net.Security.Native\SecuritySafeHandles.cs"> 
+       <Link>Common\Interop\Unix\System.Net.Security.Native\SecuritySafeHandles.cs</Link>
+    </Compile> 
+    <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\GssSafeHandles.cs"> 
+       <Link>Common\Microsoft\Win32\SafeHandles\GssSafeHandles.cs</Link> 
+    </Compile> 
+    <Compile Include="$(CommonPath)\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.cs"> 
+      <Link>Common\Interop\Unix\System.Net.Security.Native\Interop.NetSecurityNative.cs</Link> 
+    </Compile>
     <Compile Include="$(CommonPath)\Microsoft\Win32\SafeHandles\SafeX509Handles.Unix.cs">
       <Link>Common\Microsoft\Win32\SafeHandles\SafeX509Handles.Unix.cs</Link>
     </Compile>

src/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs

@@ -113,7 +113,7 @@ internal static X509Certificate2 GetRemoteCertificate(SafeDeleteContext security
                 remoteCertificateStore = new X509Certificate2Collection();
 
                 using (SafeSharedX509StackHandle chainStack =
-                    Interop.OpenSsl.GetPeerCertificateChain(securityContext.SslContext))
+                    Interop.OpenSsl.GetPeerCertificateChain(((SafeDeleteSslContext)securityContext).SslContext))
                 {
                     if (!chainStack.IsInvalid)
                     {
@@ -163,7 +163,7 @@ internal static X509Certificate2 GetRemoteCertificate(SafeDeleteContext security
         //
         internal static string[] GetRequestCertificateAuthorities(SafeDeleteContext securityContext)
         {
-            using (SafeSharedX509NameStackHandle names = Interop.Ssl.SslGetClientCAList(securityContext.SslContext))
+            using (SafeSharedX509NameStackHandle names = Interop.Ssl.SslGetClientCAList(((SafeDeleteSslContext)securityContext).SslContext))
             {
                 if (names.IsInvalid)
                 {
@@ -257,7 +257,7 @@ private static int QueryContextRemoteCertificate(SafeDeleteContext securityConte
             remoteCertContext = null;
             try
             {
-                SafeX509Handle remoteCertificate = Interop.OpenSsl.GetPeerCertificate(securityContext.SslContext);
+                SafeX509Handle remoteCertificate = Interop.OpenSsl.GetPeerCertificate(((SafeDeleteSslContext)securityContext).SslContext);
                 // Note that cert ownership is transferred to SafeFreeCertContext
                 remoteCertContext = new SafeFreeCertContext(remoteCertificate);
                 return 0;

src/System.Net.Security/src/System/Net/ContextFlagsAdapterPal.Unix.cs

@@ -0,0 +1,63 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System;
+
+namespace System.Net
+{
+    internal static class ContextFlagsAdapterPal
+    {
+        private struct ContextFlagMapping
+        {
+            public readonly Interop.NetSecurityNative.GssFlags GssFlags;
+            public readonly ContextFlagsPal ContextFlag;
+
+            public ContextFlagMapping(Interop.NetSecurityNative.GssFlags gssFlag, ContextFlagsPal contextFlag)
+            {
+                GssFlags = gssFlag;
+                ContextFlag = contextFlag;
+            }
+        }
+
+        private static readonly ContextFlagMapping[] s_contextFlagMapping = new[]
+        {
+            // GSS_C_INTEG_FLAG is set if either AcceptIntegrity (used by server) or InitIntegrity (used by client) is set
+            new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_INTEG_FLAG, ContextFlagsPal.AcceptIntegrity | ContextFlagsPal.InitIntegrity),
+            new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_CONF_FLAG, ContextFlagsPal.Confidentiality),
+            new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_IDENTIFY_FLAG, ContextFlagsPal.InitIdentify),
+            new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_MUTUAL_FLAG, ContextFlagsPal.MutualAuth),
+            new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_REPLAY_FLAG, ContextFlagsPal.ReplayDetect),
+            new ContextFlagMapping(Interop.NetSecurityNative.GssFlags.GSS_C_SEQUENCE_FLAG, ContextFlagsPal.SequenceDetect)
+        };
+
+
+        internal static ContextFlagsPal GetContextFlagsPalFromInterop(Interop.NetSecurityNative.GssFlags gssFlags)
+        {
+            ContextFlagsPal flags = ContextFlagsPal.Zero;
+            foreach (ContextFlagMapping mapping in s_contextFlagMapping)
+            {
+                if ((gssFlags & mapping.GssFlags) != 0)
+                {
+                    flags |= mapping.ContextFlag;
+                }
+            }
+
+            return flags;
+        }
+
+        internal static Interop.NetSecurityNative.GssFlags GetInteropFromContextFlagsPal(ContextFlagsPal flags)
+        {
+            Interop.NetSecurityNative.GssFlags gssFlags = (Interop.NetSecurityNative.GssFlags)0;
+            foreach (ContextFlagMapping mapping in s_contextFlagMapping)
+            {
+                if ((flags & mapping.ContextFlag) != 0)
+                {
+                    gssFlags |= mapping.GssFlags;
+                }
+            }
+
+            return gssFlags;
+        }
+    }
+}