Added control token api.

Author: tyranid

NtApiDotNet/NtApiDotNet.csproj

@@ -557,6 +557,14 @@
     <Compile Include="Win32\SafeHandles\SafeSecWinNtAuthIdentityBuffer.cs" />
     <Compile Include="Win32\Security\Authentication\AuthenticationContextKeyInfo.cs" />
     <Compile Include="Win32\Security\Authentication\BufferAuthenticationCredentials.cs" />
+    <Compile Include="Win32\Security\Authentication\ControlToken.cs" />
+    <Compile Include="Win32\Security\Authentication\Schannel\SchannelAlertControlToken.cs" />
+    <Compile Include="Win32\Security\Authentication\Schannel\SchannelAlertNumber.cs" />
+    <Compile Include="Win32\Security\Authentication\Schannel\SchannelAlertType.cs" />
+    <Compile Include="Win32\Security\Authentication\Schannel\SchannelControlToken.cs" />
+    <Compile Include="Win32\Security\Authentication\Schannel\SchannelSessionControlToken.cs" />
+    <Compile Include="Win32\Security\Authentication\Schannel\SchannelSessionFlags.cs" />
+    <Compile Include="Win32\Security\Authentication\Schannel\SchannelShutdownControlToken.cs" />
     <Compile Include="Win32\Security\Credential\AuthIdentity\SecWinNtAuthIdentity.cs" />
     <Compile Include="Win32\Security\Credential\AuthIdentity\SecWinNtAuthIdentityCreateOptions.cs" />
     <Compile Include="Win32\Security\Credential\AuthIdentity\SecWinNtAuthIdentityEncryptionOptions.cs" />

NtApiDotNet/Win32/Security/Authentication/ClientAuthenticationContext.cs

@@ -552,6 +552,34 @@ public ExportedSecurityContext Export()
             Dispose();
             return context;
         }
+
+        /// <summary>
+        /// Apply a control token.
+        /// </summary>
+        /// <param name="input">The input buffers to apply.</param>
+        public void ApplyControlToken(IEnumerable<SecurityBuffer> input)
+        {
+            if (input is null)
+            {
+                throw new ArgumentNullException(nameof(input));
+            }
+
+            SecurityContextUtils.ApplyControlToken(_context, input, true);
+        }
+
+        /// <summary>
+        /// Apply a control token.
+        /// </summary>
+        /// <param name="token">The control token to apply.</param>
+        public void ApplyControlToken(ControlToken token)
+        {
+            if (token is null)
+            {
+                throw new ArgumentNullException(nameof(token));
+            }
+
+            ApplyControlToken(new[] { token.ToBuffer() });
+        }
         #endregion
 
         #region IDisposable Implementation

NtApiDotNet/Win32/Security/Authentication/ControlToken.cs

@@ -0,0 +1,30 @@
+//  Copyright 2020 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Win32.Security.Buffers;
+
+namespace NtApiDotNet.Win32.Security.Authentication
+{
+    /// <summary>
+    /// Base class for a security control token.
+    /// </summary>
+    public abstract class ControlToken
+    {
+        /// <summary>
+        /// Convert the token into a security buffer.
+        /// </summary>
+        /// <returns>The security buffer.</returns>
+        public abstract SecurityBuffer ToBuffer();
+    }
+}

NtApiDotNet/Win32/Security/Authentication/SChannel/SchannelAlertControlToken.cs

@@ -0,0 +1,46 @@
+//  Copyright 2021 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Utilities.Data;
+
+namespace NtApiDotNet.Win32.Security.Authentication.Schannel
+{
+    /// <summary>
+    /// Class to represent an Schannel alert control token.
+    /// </summary>
+    public sealed class SchannelAlertControlToken : SchannelControlToken
+    {
+        private const int SCHANNEL_ALERT = 2;
+        private readonly SchannelAlertType _type;
+        private readonly SchannelAlertNumber _number;
+
+        /// <summary>
+        /// Constructor
+        /// </summary>
+        /// <param name="type">The alert type.</param>
+        /// <param name="number">The alert number.</param>
+        public SchannelAlertControlToken(SchannelAlertType type, SchannelAlertNumber number)
+        {
+            _type = type;
+            _number = number;
+        }
+
+        private protected override void WriteBuffer(DataWriter writer)
+        {
+            writer.Write(SCHANNEL_ALERT);
+            writer.Write((int)_type);
+            writer.Write((int)_number);
+        }
+    }
+}

NtApiDotNet/Win32/Security/Authentication/SChannel/SchannelAlertNumber.cs

@@ -0,0 +1,53 @@
+//  Copyright 2021 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Utilities.Reflection;
+
+namespace NtApiDotNet.Win32.Security.Authentication.Schannel
+{
+    /// <summary>
+    /// Schannel Alert Number.
+    /// </summary>
+    public enum SchannelAlertNumber
+    {
+#pragma warning disable CS1591 // Missing XML comment for publicly visible type or member
+        [SDKName("TLS1_ALERT_CLOSE_NOTIFY")] CloseNotify = 0, // warning
+        [SDKName("TLS1_ALERT_UNEXPECTED_MESSAGE")] UnexpectedMessage = 10, // error
+        [SDKName("TLS1_ALERT_BAD_RECORD_MAC")] BadRecordMAC = 20, // error
+        [SDKName("TLS1_ALERT_DECRYPTION_FAILED")] DecryptionFailed = 21, // reserved
+        [SDKName("TLS1_ALERT_RECORD_OVERFLOW")] RecordOverflow = 22, // error
+        [SDKName("TLS1_ALERT_DECOMPRESSION_FAIL")] DecompressionFail = 30, // error
+        [SDKName("TLS1_ALERT_HANDSHAKE_FAILURE")] HandshakeFailure = 40, // error
+        [SDKName("TLS1_ALERT_BAD_CERTIFICATE")] BadCertificate = 42, // warning or error
+        [SDKName("TLS1_ALERT_UNSUPPORTED_CERT")] UnsupportedCert = 43, // warning or error
+        [SDKName("TLS1_ALERT_CERTIFICATE_REVOKED")] CertificateRevoked = 44, // warning or error
+        [SDKName("TLS1_ALERT_CERTIFICATE_EXPIRED")] CertificateExpired = 45, // warning or error
+        [SDKName("TLS1_ALERT_CERTIFICATE_UNKNOWN")] CertificateUnknown = 46, // warning or error
+        [SDKName("TLS1_ALERT_ILLEGAL_PARAMETER")] IllegalParameter = 47, // error
+        [SDKName("TLS1_ALERT_UNKNOWN_CA")] UnknownCA = 48, // error
+        [SDKName("TLS1_ALERT_ACCESS_DENIED")] AccessDenied = 49, // error
+        [SDKName("TLS1_ALERT_DECODE_ERROR")] DecodeError = 50, // error
+        [SDKName("TLS1_ALERT_DECRYPT_ERROR")] DecryptError = 51, // error
+        [SDKName("TLS1_ALERT_EXPORT_RESTRICTION")] ExportRestriction = 60, // reserved
+        [SDKName("TLS1_ALERT_PROTOCOL_VERSION")] ProtocolVersion = 70, // error
+        [SDKName("TLS1_ALERT_INSUFFIENT_SECURITY")] InsufficientSecurity = 71, // error
+        [SDKName("TLS1_ALERT_INTERNAL_ERROR")] InternalError = 80, // error
+        [SDKName("TLS1_ALERT_USER_CANCELED")] UserCancelled = 90, // warning or error
+        [SDKName("TLS1_ALERT_NO_RENEGOTIATION")] NoRenogotiation = 100, // warning
+        [SDKName("TLS1_ALERT_UNSUPPORTED_EXT")] UnsupportedExt = 110, // error
+        [SDKName("TLS1_ALERT_UNKNOWN_PSK_IDENTITY")] UnknownPskIdentity = 115, // error
+        [SDKName("TLS1_ALERT_NO_APP_PROTOCOL")] NoAppProtocol = 120, // error
+#pragma warning restore CS1591 // Missing XML comment for publicly visible type or member
+    }
+}

NtApiDotNet/Win32/Security/Authentication/SChannel/SchannelAlertType.cs

@@ -0,0 +1,31 @@
+//  Copyright 2021 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Utilities.Reflection;
+
+namespace NtApiDotNet.Win32.Security.Authentication.Schannel
+{
+    /// <summary>
+    /// Schannel Alert Type.
+    /// </summary>
+    public enum SchannelAlertType
+    {
+#pragma warning disable CS1591 // Missing XML comment for publicly visible type or member
+        [SDKName("TLS1_ALERT_WARNING")]
+        Warning = 1,
+        [SDKName("TLS1_ALERT_FATAL")]
+        Fatal = 2,
+#pragma warning restore CS1591 // Missing XML comment for publicly visible type or member
+    }
+}

NtApiDotNet/Win32/Security/Authentication/SChannel/SchannelControlToken.cs

@@ -0,0 +1,38 @@
+//  Copyright 2021 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Utilities.Data;
+using NtApiDotNet.Win32.Security.Buffers;
+
+namespace NtApiDotNet.Win32.Security.Authentication.Schannel
+{
+    /// <summary>
+    /// Base class for an Schannel Control Token.
+    /// </summary>
+    public abstract class SchannelControlToken : ControlToken
+    {
+        private protected abstract void WriteBuffer(DataWriter writer);
+
+        /// <summary>
+        /// Convert the token into a security buffer.
+        /// </summary>
+        /// <returns>The security buffer.</returns>
+        public override SecurityBuffer ToBuffer()
+        {
+            DataWriter writer = new DataWriter();
+            WriteBuffer(writer);
+            return new SecurityBufferInOut(SecurityBufferType.Token | SecurityBufferType.ReadOnly, writer.ToArray());
+        }
+    }
+}

NtApiDotNet/Win32/Security/Authentication/SChannel/SchannelSessionControlToken.cs

@@ -0,0 +1,42 @@
+//  Copyright 2021 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Utilities.Data;
+
+namespace NtApiDotNet.Win32.Security.Authentication.Schannel
+{
+    /// <summary>
+    /// Class to represent an Schannel shutdown control token.
+    /// </summary>
+    public sealed class SchannelSessionControlToken : SchannelControlToken
+    {
+        private const int SCHANNEL_SESSION = 3;
+        private readonly SchannelSessionFlags _flags;
+
+        /// <summary>
+        /// Constructor.
+        /// </summary>
+        /// <param name="flags">The session flags.</param>
+        public SchannelSessionControlToken(SchannelSessionFlags flags)
+        {
+            _flags = flags;
+        }
+
+        private protected override void WriteBuffer(DataWriter writer)
+        {
+            writer.Write(SCHANNEL_SESSION);
+            writer.Write((int)_flags);
+        }
+    }
+}

NtApiDotNet/Win32/Security/Authentication/SChannel/SchannelSessionFlags.cs

@@ -0,0 +1,31 @@
+//  Copyright 2021 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Utilities.Reflection;
+
+namespace NtApiDotNet.Win32.Security.Authentication.Schannel
+{
+    /// <summary>
+    /// Schannel session flags.
+    /// </summary>
+    public enum SchannelSessionFlags
+    {
+#pragma warning disable CS1591 // Missing XML comment for publicly visible type or member
+        [SDKName("SSL_SESSION_ENABLE_RECONNECTS")]
+        EnableReconnects = 1,
+        [SDKName("SSL_SESSION_DISABLE_RECONNECTS")]
+        DisableReconnects = 2,
+#pragma warning restore CS1591 // Missing XML comment for publicly visible type or member
+    }
+}

NtApiDotNet/Win32/Security/Authentication/SChannel/SchannelShutdownControlToken.cs

@@ -0,0 +1,31 @@
+//  Copyright 2021 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+using NtApiDotNet.Utilities.Data;
+
+namespace NtApiDotNet.Win32.Security.Authentication.Schannel
+{
+    /// <summary>
+    /// Class to represent an Schannel shutdown control token.
+    /// </summary>
+    public sealed class SchannelShutdownControlToken : SchannelControlToken
+    {
+        private const int SCHANNEL_SHUTDOWN = 1;
+
+        private protected override void WriteBuffer(DataWriter writer)
+        {
+            writer.Write(SCHANNEL_SHUTDOWN);
+        }
+    }
+}