Simplifying handling of security buffer descriptors.

Author: tyranid

NtApiDotNet/NtApiDotNet.csproj

@@ -565,6 +565,7 @@
     <Compile Include="Win32\Security\Authentication\Schannel\SchannelSessionControlToken.cs" />
     <Compile Include="Win32\Security\Authentication\Schannel\SchannelSessionFlags.cs" />
     <Compile Include="Win32\Security\Authentication\Schannel\SchannelShutdownControlToken.cs" />
+    <Compile Include="Win32\Security\Buffers\SecurityBufferDescriptor.cs" />
     <Compile Include="Win32\Security\Credential\AuthIdentity\SecWinNtAuthIdentity.cs" />
     <Compile Include="Win32\Security\Credential\AuthIdentity\SecWinNtAuthIdentityCreateOptions.cs" />
     <Compile Include="Win32\Security\Credential\AuthIdentity\SecWinNtAuthIdentityEncryptionOptions.cs" />

NtApiDotNet/Win32/Security/Authentication/AuthenticationPackage.cs

@@ -350,18 +350,12 @@ public IServerAuthenticationContext CreateServer(AuthenticationCredentials crede
         public void ChangeAccountPassword(string domain, string username,
           string old_password, string new_password, bool impersonating = false)
         {
-            var password_info_buffer = new SecurityBufferAllocMem(SecurityBufferType.ChangePassResponse);
-            List<SecurityBuffer> buffers = new List<SecurityBuffer>
+            var change_pass_buffer = new SecurityBufferAllocMem(SecurityBufferType.ChangePassResponse);
+            using (var desc = SecurityBufferDescriptor.Create(change_pass_buffer))
             {
-                password_info_buffer
-            };
-            using (var list = new DisposableList())
-            {
-                var output = buffers.ToBufferList(list);
-                var desc = output.ToDesc(list);
-                SecurityNativeMethods.ChangeAccountPassword(Name, domain, username, 
-                    old_password, new_password, impersonating, 0, desc).CheckResult();
-                buffers.UpdateBuffers(desc);
+                SecurityNativeMethods.ChangeAccountPassword(Name, domain, username,
+                    old_password, new_password, impersonating, 0, desc.Value).CheckResult();
+                desc.UpdateBuffers();
             }
         }
 

NtApiDotNet/Win32/Security/Authentication/SecurityContextUtils.cs

@@ -18,7 +18,6 @@
 using NtApiDotNet.Win32.Security.Native;
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography.X509Certificates;
 
@@ -75,35 +74,6 @@ internal static string GetPackageName(SecHandle context)
             return null;
         }
 
-        internal static List<SecBuffer> ToBufferList(this IEnumerable<SecurityBuffer> buffers, DisposableList list)
-        {
-            return buffers.Select(b => b.ToBuffer(list)).ToList();
-        }
-
-        internal static SecBufferDesc ToDesc(this IEnumerable<SecBuffer> buffers, DisposableList list)
-        {
-            var arr = buffers.ToArray();
-            if (arr.Length == 0)
-                return null;
-            return list.AddResource(new SecBufferDesc(arr));
-        }
-
-        internal static void UpdateBuffers(this IList<SecurityBuffer> buffers, SecBufferDesc desc)
-        {
-            if (desc == null)
-                return;
-            var update_buffers = desc.ToArray();
-            for (int i = 0; i < buffers.Count; ++i)
-            {
-                buffers[i].FromBuffer(update_buffers[i]);
-            }
-        }
-
-        internal static void UpdateBuffers(this IEnumerable<SecurityBuffer> buffers, SecBufferDesc desc)
-        {
-            UpdateBuffers(buffers.ToArray(), desc);
-        }
-
         internal static byte[] MakeSignature(
             SecHandle context,
             int flags,
@@ -115,12 +85,10 @@ internal static byte[] MakeSignature(
             SecurityBufferOut signature_buffer = new SecurityBufferOut(SecurityBufferType.Token, max_sig_size);
             sig_buffers.Add(signature_buffer);
 
-            using (var list = new DisposableList())
+            using (var desc = SecurityBufferDescriptor.Create(sig_buffers))
             {
-                List<SecBuffer> buffers = sig_buffers.ToBufferList(list);
-                SecBufferDesc desc = buffers.ToDesc(list);
-                SecurityNativeMethods.MakeSignature(context, flags, desc, sequence_no).CheckResult();
-                sig_buffers.UpdateBuffers(desc);
+                SecurityNativeMethods.MakeSignature(context, flags, desc.Value, sequence_no).CheckResult();
+                desc.UpdateBuffers();
                 return signature_buffer.ToArray();
             }
         }
@@ -144,11 +112,10 @@ internal static bool VerifySignature(
         {
             List<SecurityBuffer> sig_buffers = new List<SecurityBuffer>(messages);
             sig_buffers.Add(new SecurityBufferInOut(SecurityBufferType.Token | SecurityBufferType.ReadOnly, signature));
-            using (var list = new DisposableList())
+            using (var desc = SecurityBufferDescriptor.Create(sig_buffers))
             {
-                List<SecBuffer> buffers = sig_buffers.ToBufferList(list);
-                SecBufferDesc desc = buffers.ToDesc(list);
-                return SecurityNativeMethods.VerifySignature(context, desc, sequence_no, out int _) == SecStatusCode.SUCCESS;
+                return SecurityNativeMethods.VerifySignature(context, desc.Value, 
+                    sequence_no, out int _) == SecStatusCode.SUCCESS;
             }
         }
 
@@ -218,12 +185,10 @@ internal static void EncryptMessageNoSignature(
                 throw new ArgumentNullException(nameof(messages));
             }
 
-            using (var list = new DisposableList())
+            using (var desc = SecurityBufferDescriptor.Create(messages))
             {
-                var buffers = messages.ToBufferList(list);
-                var desc = buffers.ToDesc(list);
-                SecurityNativeMethods.EncryptMessage(context, flags, desc, sequence_no).CheckResult();
-                messages.UpdateBuffers(desc);
+                SecurityNativeMethods.EncryptMessage(context, flags, desc.Value, sequence_no).CheckResult();
+                desc.UpdateBuffers();
             }
         }
 
@@ -283,12 +248,10 @@ internal static void DecryptMessageNoSignature(
                 throw new ArgumentNullException(nameof(messages));
             }
 
-            using (var list = new DisposableList())
+            using (var desc = SecurityBufferDescriptor.Create(messages))
             {
-                var buffers = messages.ToBufferList(list);
-                var desc = buffers.ToDesc(list);
-                SecurityNativeMethods.DecryptMessage(context, desc, sequence_no, out _).CheckResult();
-                messages.UpdateBuffers(desc);
+                SecurityNativeMethods.DecryptMessage(context, desc.Value, sequence_no, out _).CheckResult();
+                desc.UpdateBuffers();
             }
         }
 
@@ -371,25 +334,20 @@ internal static SecStatusCode InitializeSecurityContext(
             LargeInteger expiry,
             bool throw_on_error)
         {
-            using (DisposableList list = new DisposableList())
+            using (SecurityBufferDescriptor in_buffer_desc = SecurityBufferDescriptor.Create(input), 
+                out_buffer_desc = SecurityBufferDescriptor.Create(output))
             {
-                var input_buffers = input?.ToBufferList(list);
-                var output_buffers = output?.ToBufferList(list);
-
-                var in_buffer_desc = input_buffers.ToDesc(list);
-                var out_buffer_desc = output_buffers.ToDesc(list);
-
                 var result = SecurityNativeMethods.InitializeSecurityContext(credential.CredHandle,
-                    context, target_name, req_attributes, 0, data_rep, in_buffer_desc, 0,
-                    new_context, out_buffer_desc, out ret_attributes, expiry).CheckResult(throw_on_error);
+                    context, target_name, req_attributes, 0, data_rep, in_buffer_desc.Value, 0,
+                    new_context, out_buffer_desc.Value, out ret_attributes, expiry).CheckResult(throw_on_error);
                 if (!result.IsSuccess())
                     return result;
 
                 try
                 {
                     if (result == SecStatusCode.SEC_I_COMPLETE_NEEDED || result == SecStatusCode.SEC_I_COMPLETE_AND_CONTINUE)
                     {
-                        var comp_result = SecurityNativeMethods.CompleteAuthToken(new_context, out_buffer_desc).CheckResult(throw_on_error);
+                        var comp_result = SecurityNativeMethods.CompleteAuthToken(new_context, out_buffer_desc.Value).CheckResult(throw_on_error);
                         if (!comp_result.IsSuccess())
                             return comp_result;
                     }
@@ -398,7 +356,7 @@ internal static SecStatusCode InitializeSecurityContext(
                 {
                     if (result.IsSuccess())
                     {
-                        output?.UpdateBuffers(out_buffer_desc);
+                        out_buffer_desc.UpdateBuffers();
                     }
                 }
 
@@ -418,23 +376,19 @@ internal static SecStatusCode AcceptSecurityContext(
             LargeInteger expiry,
             bool throw_on_error)
         {
-            using (DisposableList list = new DisposableList())
+            using (SecurityBufferDescriptor in_buffer_desc = SecurityBufferDescriptor.Create(input),
+                out_buffer_desc = SecurityBufferDescriptor.Create(output))
             {
-                var input_buffers = input?.ToBufferList(list);
-                var output_buffers = output?.ToBufferList(list);
-
-                var in_buffer_desc = input_buffers.ToDesc(list);
-                var out_buffer_desc = output_buffers.ToDesc(list);
-
                 SecStatusCode result = SecurityNativeMethods.AcceptSecurityContext(credential.CredHandle, context,
-                    in_buffer_desc, req_attributes, data_rep, new_context, out_buffer_desc, out ret_attributes, expiry).CheckResult(throw_on_error);
+                    in_buffer_desc.Value, req_attributes, data_rep, new_context, 
+                    out_buffer_desc.Value, out ret_attributes, expiry).CheckResult(throw_on_error);
                 if (!result.IsSuccess())
                     return result;
                 try
                 {
                     if (result == SecStatusCode.SEC_I_COMPLETE_NEEDED || result == SecStatusCode.SEC_I_COMPLETE_AND_CONTINUE)
                     {
-                        var comp_result = SecurityNativeMethods.CompleteAuthToken(context, out_buffer_desc).CheckResult(throw_on_error);
+                        var comp_result = SecurityNativeMethods.CompleteAuthToken(context, out_buffer_desc.Value).CheckResult(throw_on_error);
                         if (!comp_result.IsSuccess())
                             return comp_result;
                     }
@@ -443,7 +397,7 @@ internal static SecStatusCode AcceptSecurityContext(
                 {
                     if (result.IsSuccess())
                     {
-                        output?.UpdateBuffers(out_buffer_desc);
+                        out_buffer_desc.UpdateBuffers();
                     }
                 }
 
@@ -510,11 +464,9 @@ internal static AuthenticationContextKeyInfo GetKeyInfo(SecHandle context)
 
         internal static SecStatusCode ApplyControlToken(SecHandle context, IEnumerable<SecurityBuffer> input, bool throw_on_error)
         {
-            using (var list = new DisposableList())
+            using (var desc = SecurityBufferDescriptor.Create(input))
             {
-                var buffers = input?.ToBufferList(list);
-                var desc = buffers?.ToDesc(list);
-                return SecurityNativeMethods.ApplyControlToken(context, desc).CheckResult(throw_on_error);
+                return SecurityNativeMethods.ApplyControlToken(context, desc.Value).CheckResult(throw_on_error);
             }
         }
     }

NtApiDotNet/Win32/Security/Buffers/SecurityBufferDescriptor.cs

@@ -0,0 +1,67 @@
+//  Copyright 2022 Google LLC. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Win32.Security.Native;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace NtApiDotNet.Win32.Security.Buffers
+{
+    internal sealed class SecurityBufferDescriptor : IDisposable
+    {
+        private readonly DisposableList _list;
+        private readonly SecurityBuffer[] _buffers;
+        private readonly SecBuffer[] _sec_buffers;
+
+        private SecurityBufferDescriptor(IEnumerable<SecurityBuffer> buffers)
+        {
+            _list = new DisposableList();
+            _buffers = buffers?.ToArray() ?? Array.Empty<SecurityBuffer>();
+            _sec_buffers = _buffers.Select(b => b.ToBuffer(_list)).ToArray();
+            if (_sec_buffers.Length > 0)
+            {
+                Value = _list.AddResource(new SecBufferDesc(_sec_buffers));
+            }
+        }
+
+        public static SecurityBufferDescriptor Create(params SecurityBuffer[] buffers)
+        {
+            return new SecurityBufferDescriptor(buffers);
+        }
+
+        public static SecurityBufferDescriptor Create(IEnumerable<SecurityBuffer> buffers)
+        {
+            return new SecurityBufferDescriptor(buffers);
+        }
+
+        public void Dispose()
+        {
+            _list.Dispose();
+        }
+
+        public void UpdateBuffers()
+        {
+            if (Value == null)
+                return;
+            var update_buffers = Value.ToArray();
+            for (int i = 0; i < _buffers.Length; ++i)
+            {
+                _buffers[i].FromBuffer(update_buffers[i]);
+            }
+        }
+
+        public SecBufferDesc Value { get; }
+    }
+}

NtApiDotNet/Win32/Security/Buffers/SecurityBufferUtils.cs

@@ -24,7 +24,7 @@ namespace NtApiDotNet.Win32.Security.Buffers
     public static class SecurityBufferUtils
     {
         /// <summary>
-        /// Convert a list of buffers data buffers to a byte array.
+        /// Convert a list of data buffers to a byte array.
         /// </summary>
         /// <param name="buffers">List of data security buffers. Only buffers used for input are processed.</param>
         /// <returns>The data buffers as one bytes array.</returns>

NtApiDotNet/Win32/Security/Native/SecBufferDesc.cs

@@ -18,7 +18,6 @@
 
 namespace NtApiDotNet.Win32.Security.Native
 {
-#pragma warning disable 1591
     [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
     internal sealed class SecBufferDesc : IDisposable
     {