Code:
/ Dotnetfx_Win7_3.5.1 / Dotnetfx_Win7_3.5.1 / 3.5.1 / DEVDIV / depot / DevDiv / releases / whidbey / NetFXspW7 / ndp / fx / src / Net / System / Net / Mail / SmtpNegotiateAuthenticationModule.cs / 2 / SmtpNegotiateAuthenticationModule.cs
//------------------------------------------------------------------------------
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
//-----------------------------------------------------------------------------
namespace System.Net.Mail
{
using System;
using System.Collections;
using System.IO;
using System.Net;
using System.Security.Permissions;
using System.ComponentModel;
using System.Security.Authentication.ExtendedProtection;
internal class SmtpNegotiateAuthenticationModule : ISmtpAuthenticationModule
{
Hashtable sessions = new Hashtable();
internal SmtpNegotiateAuthenticationModule()
{
}
#region ISmtpAuthenticationModule Members
// Security this method will access NetworkCredential properties that demand UnmanagedCode and Environment Permission
[EnvironmentPermission(SecurityAction.Assert, Unrestricted=true)]
[SecurityPermission(SecurityAction.Assert, Flags=SecurityPermissionFlag.UnmanagedCode)]
public Authorization Authenticate(string challenge, NetworkCredential credential, object sessionCookie, string spn, ChannelBinding channelBindingToken)
{
if(Logging.On)Logging.Enter(Logging.Web, this, "Authenticate", null);
try {
lock (this.sessions)
{
NTAuthentication clientContext = this.sessions[sessionCookie] as NTAuthentication;
if (clientContext == null)
{
if(credential == null){
return null;
}
this.sessions[sessionCookie] =
clientContext =
new NTAuthentication(false, "Negotiate", credential, spn,
ContextFlags.Connection | ContextFlags.InitIntegrity, channelBindingToken);
}
byte[] byteResp;
string resp = null;
if (!clientContext.IsCompleted) {
// If auth is not yet completed keep producing
// challenge responses with GetOutgoingBlob
SecurityStatus statusCode;
byte[] decodedChallenge = null;
if (challenge != null) {
decodedChallenge =
Convert.FromBase64String(challenge);
}
byteResp = clientContext.GetOutgoingBlob(
decodedChallenge,
false,
out statusCode);
// Note sure why this is here...keeping it.
if (clientContext.IsCompleted && byteResp == null) {
resp = "\r\n";
}
if (byteResp != null) {
resp = Convert.ToBase64String(byteResp);
}
} else {
// If auth completed and still have a challenge then
// server may be doing "correct" form of GSSAPI SASL.
// Validate incoming and produce outgoing SASL security
// layer negotiate message.
resp = GetSecurityLayerOutgoingBlob(
challenge,
clientContext);
}
return new Authorization(resp, clientContext.IsCompleted);
}
}
finally {
if(Logging.On)Logging.Exit(Logging.Web, this, "Authenticate", null);
}
}
public string AuthenticationType
{
get
{
return "gssapi";
}
}
public void CloseContext(object sessionCookie) {
NTAuthentication clientContext = null;
lock (sessions) {
clientContext = sessions[sessionCookie] as NTAuthentication;
if (clientContext != null) {
sessions.Remove(sessionCookie);
}
}
if (clientContext != null) {
clientContext.CloseContext();
}
}
#endregion
// Function for SASL security layer negotiation after
// authorization completes.
//
// Returns null for failure, Base64 encoded string on
// success.
private string GetSecurityLayerOutgoingBlob(
string challenge,
NTAuthentication clientContext) {
// must have a security layer challenge
if (challenge == null)
return null;
// "unwrap" challenge
byte[] input = Convert.FromBase64String(challenge);
int len;
try {
len = clientContext.VerifySignature(input, 0, input.Length);
}
catch (Win32Exception) {
// any decrypt failure is an auth failure
return null;
}
// Per RFC 2222 Section 7.2.2:
// the client should then expect the server to issue a
// token in a subsequent challenge. The client passes
// this token to GSS_Unwrap and interprets the first
// octet of cleartext as a bit-mask specifying the
// security layers supported by the server and the
// second through fourth octets as the maximum size
// output_message to send to the server.
// Section 7.2.3
// The security layer and their corresponding bit-masks
// are as follows:
// 1 No security layer
// 2 Integrity protection
// Sender calls GSS_Wrap with conf_flag set to FALSE
// 4 Privacy protection
// Sender calls GSS_Wrap with conf_flag set to TRUE
//
// Exchange 2007 and our client only support
// "No security layer". Therefore verify first byte is value 1
// and the 2nd-4th bytes are value zero since token size is not
// applicable when there is no security layer.
if (len < 4 || // expect 4 bytes
input[0] != 1 || // first value 1
input[1] != 0 || // rest value 0
input[2] != 0 ||
input[3] != 0) {
return null;
}
// Continuing with RFC 2222 section 7.2.2:
// The client then constructs data, with the first octet
// containing the bit-mask specifying the selected security
// layer, the second through fourth octets containing in
// network byte order the maximum size output_message the client
// is able to receive, and the remaining octets containing the
// authorization identity.
//
// So now this contructs the "wrapped" response. The response is
// payload is identical to the received server payload and the
// "authorization identity" is not supplied as it is unnecessary.
// let MakeSignature figure out length of output
byte[] output = null;
try {
len = clientContext.MakeSignature(input, 0, 4, ref output);
}
catch (Win32Exception) {
// any decrypt failure is an auth failure
return null;
}
// return Base64 encoded string of signed payload
return Convert.ToBase64String(output, 0, len);
}
}
}
// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
//------------------------------------------------------------------------------
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
//-----------------------------------------------------------------------------
namespace System.Net.Mail
{
using System;
using System.Collections;
using System.IO;
using System.Net;
using System.Security.Permissions;
using System.ComponentModel;
using System.Security.Authentication.ExtendedProtection;
internal class SmtpNegotiateAuthenticationModule : ISmtpAuthenticationModule
{
Hashtable sessions = new Hashtable();
internal SmtpNegotiateAuthenticationModule()
{
}
#region ISmtpAuthenticationModule Members
// Security this method will access NetworkCredential properties that demand UnmanagedCode and Environment Permission
[EnvironmentPermission(SecurityAction.Assert, Unrestricted=true)]
[SecurityPermission(SecurityAction.Assert, Flags=SecurityPermissionFlag.UnmanagedCode)]
public Authorization Authenticate(string challenge, NetworkCredential credential, object sessionCookie, string spn, ChannelBinding channelBindingToken)
{
if(Logging.On)Logging.Enter(Logging.Web, this, "Authenticate", null);
try {
lock (this.sessions)
{
NTAuthentication clientContext = this.sessions[sessionCookie] as NTAuthentication;
if (clientContext == null)
{
if(credential == null){
return null;
}
this.sessions[sessionCookie] =
clientContext =
new NTAuthentication(false, "Negotiate", credential, spn,
ContextFlags.Connection | ContextFlags.InitIntegrity, channelBindingToken);
}
byte[] byteResp;
string resp = null;
if (!clientContext.IsCompleted) {
// If auth is not yet completed keep producing
// challenge responses with GetOutgoingBlob
SecurityStatus statusCode;
byte[] decodedChallenge = null;
if (challenge != null) {
decodedChallenge =
Convert.FromBase64String(challenge);
}
byteResp = clientContext.GetOutgoingBlob(
decodedChallenge,
false,
out statusCode);
// Note sure why this is here...keeping it.
if (clientContext.IsCompleted && byteResp == null) {
resp = "\r\n";
}
if (byteResp != null) {
resp = Convert.ToBase64String(byteResp);
}
} else {
// If auth completed and still have a challenge then
// server may be doing "correct" form of GSSAPI SASL.
// Validate incoming and produce outgoing SASL security
// layer negotiate message.
resp = GetSecurityLayerOutgoingBlob(
challenge,
clientContext);
}
return new Authorization(resp, clientContext.IsCompleted);
}
}
finally {
if(Logging.On)Logging.Exit(Logging.Web, this, "Authenticate", null);
}
}
public string AuthenticationType
{
get
{
return "gssapi";
}
}
public void CloseContext(object sessionCookie) {
NTAuthentication clientContext = null;
lock (sessions) {
clientContext = sessions[sessionCookie] as NTAuthentication;
if (clientContext != null) {
sessions.Remove(sessionCookie);
}
}
if (clientContext != null) {
clientContext.CloseContext();
}
}
#endregion
// Function for SASL security layer negotiation after
// authorization completes.
//
// Returns null for failure, Base64 encoded string on
// success.
private string GetSecurityLayerOutgoingBlob(
string challenge,
NTAuthentication clientContext) {
// must have a security layer challenge
if (challenge == null)
return null;
// "unwrap" challenge
byte[] input = Convert.FromBase64String(challenge);
int len;
try {
len = clientContext.VerifySignature(input, 0, input.Length);
}
catch (Win32Exception) {
// any decrypt failure is an auth failure
return null;
}
// Per RFC 2222 Section 7.2.2:
// the client should then expect the server to issue a
// token in a subsequent challenge. The client passes
// this token to GSS_Unwrap and interprets the first
// octet of cleartext as a bit-mask specifying the
// security layers supported by the server and the
// second through fourth octets as the maximum size
// output_message to send to the server.
// Section 7.2.3
// The security layer and their corresponding bit-masks
// are as follows:
// 1 No security layer
// 2 Integrity protection
// Sender calls GSS_Wrap with conf_flag set to FALSE
// 4 Privacy protection
// Sender calls GSS_Wrap with conf_flag set to TRUE
//
// Exchange 2007 and our client only support
// "No security layer". Therefore verify first byte is value 1
// and the 2nd-4th bytes are value zero since token size is not
// applicable when there is no security layer.
if (len < 4 || // expect 4 bytes
input[0] != 1 || // first value 1
input[1] != 0 || // rest value 0
input[2] != 0 ||
input[3] != 0) {
return null;
}
// Continuing with RFC 2222 section 7.2.2:
// The client then constructs data, with the first octet
// containing the bit-mask specifying the selected security
// layer, the second through fourth octets containing in
// network byte order the maximum size output_message the client
// is able to receive, and the remaining octets containing the
// authorization identity.
//
// So now this contructs the "wrapped" response. The response is
// payload is identical to the received server payload and the
// "authorization identity" is not supplied as it is unnecessary.
// let MakeSignature figure out length of output
byte[] output = null;
try {
len = clientContext.MakeSignature(input, 0, 4, ref output);
}
catch (Win32Exception) {
// any decrypt failure is an auth failure
return null;
}
// return Base64 encoded string of signed payload
return Convert.ToBase64String(output, 0, len);
}
}
}
// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- OLEDB_Util.cs
- AspCompat.cs
- CompilerResults.cs
- TextServicesCompartmentContext.cs
- KeyedHashAlgorithm.cs
- PKCS1MaskGenerationMethod.cs
- HttpCachePolicyWrapper.cs
- ToolStripDropDownMenu.cs
- GetWinFXPath.cs
- Wildcard.cs
- CharEntityEncoderFallback.cs
- DataGrid.cs
- XmlSchemaGroupRef.cs
- WmlTextBoxAdapter.cs
- ExpandSegmentCollection.cs
- Int32CAMarshaler.cs
- PathStreamGeometryContext.cs
- User.cs
- DomainUpDown.cs
- SimpleHandlerFactory.cs
- WpfPayload.cs
- ConstructorBuilder.cs
- PrinterUnitConvert.cs
- LayoutUtils.cs
- WindowCollection.cs
- SiteOfOriginPart.cs
- PolicyException.cs
- XmlNavigatorFilter.cs
- RequestContext.cs
- TreeView.cs
- BuildTopDownAttribute.cs
- Image.cs
- ControlType.cs
- TimerElapsedEvenArgs.cs
- ListViewGroup.cs
- SecurityContext.cs
- ActivityBuilder.cs
- PrintPreviewControl.cs
- DataRecordObjectView.cs
- formatter.cs
- CodeExporter.cs
- DetailsViewAutoFormat.cs
- TraceHandlerErrorFormatter.cs
- IODescriptionAttribute.cs
- ConvertersCollection.cs
- State.cs
- ViewCellSlot.cs
- PackageDigitalSignature.cs
- WmlObjectListAdapter.cs
- UpdatePanelControlTrigger.cs
- CheckableControlBaseAdapter.cs
- MasterPageBuildProvider.cs
- TimeoutException.cs
- MessageSecurityVersionConverter.cs
- DeferrableContent.cs
- ErrorRuntimeConfig.cs
- ReadOnlyNameValueCollection.cs
- COM2Properties.cs
- StandardTransformFactory.cs
- WebServiceTypeData.cs
- SafeArrayTypeMismatchException.cs
- PolicyFactory.cs
- SqlXml.cs
- externdll.cs
- SqlBinder.cs
- WebDescriptionAttribute.cs
- RankException.cs
- SqlTrackingQuery.cs
- XmlSerializerNamespaces.cs
- TemplateField.cs
- HostSecurityManager.cs
- Literal.cs
- AdPostCacheSubstitution.cs
- AuthenticationModuleElementCollection.cs
- ServiceEndpointElementCollection.cs
- CompoundFileIOPermission.cs
- CSharpCodeProvider.cs
- EdmItemError.cs
- SqlDataSourceDesigner.cs
- EmptyReadOnlyDictionaryInternal.cs
- SchemaMapping.cs
- Calendar.cs
- ProfileWorkflowElement.cs
- UnsafeNativeMethods.cs
- _DigestClient.cs
- EntityDataSourceColumn.cs
- HttpListenerContext.cs
- Vector3dCollection.cs
- TablePattern.cs
- SqlTrackingService.cs
- DateTimeValueSerializerContext.cs
- GregorianCalendar.cs
- DoubleLinkList.cs
- DrawListViewItemEventArgs.cs
- UserNameSecurityTokenProvider.cs
- PopupEventArgs.cs
- FixedStringLookup.cs
- ProxyAttribute.cs
- Figure.cs
- ArgumentException.cs