| static private CacheCredential ( SafeFreeCredentials creds, byte thumbPrint, SchProtocols allowedProtocols ) : void | ||
| creds | SafeFreeCredentials | |
| thumbPrint | byte | |
| allowedProtocols | SchProtocols | |
| return | void | |
internal static void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SchProtocols allowedProtocols)
{
GlobalLog.Assert(creds != null, "CacheCredential|creds == null");
if (creds.IsInvalid)
{
GlobalLog.Print("CacheCredential() Refused to cache an Invalid Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
return;
}
object key = new SslCredKey(thumbPrint, allowedProtocols);
SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed || cached._Target.IsInvalid)
{
lock(s_CachedCreds)
{
cached = s_CachedCreds[key] as SafeCredentialReference;
if (cached == null || cached.IsClosed)
{
cached = SafeCredentialReference.CreateReference(creds);
if (cached == null)
{
// Means the handle got closed in between, return it back and let caller deal with the issue.
return;
}
s_CachedCreds[key] = cached;
GlobalLog.Print("CacheCredential() Caching New Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count);
//
// A simplest way of preventing infinite cache grows.
//
// Security relief (DoS):
// A number of active creds is never greater than a number of _outstanding_
// security sessions, i.e. ssl connections.
// So we will try to shrink cache to the number of active creds once in a while.
//
// Just to make clear we won't shrink cache in the case when NO new handles are coming to it.
//
if ((s_CachedCreds.Count%c_CheckExpiredModulo) == 0)
{
DictionaryEntry[] toRemoveAttempt = new DictionaryEntry[s_CachedCreds.Count];
s_CachedCreds.CopyTo(toRemoveAttempt, 0);
for(int i = 0; i < toRemoveAttempt.Length; ++i)
{
cached = toRemoveAttempt[i].Value as SafeCredentialReference;
if (cached != null)
{
creds = cached._Target;
cached.Close();
if (!creds.IsClosed && !creds.IsInvalid && (cached = SafeCredentialReference.CreateReference(creds)) != null)
s_CachedCreds[toRemoveAttempt[i].Key] = cached;
else
s_CachedCreds.Remove(toRemoveAttempt[i].Key);
}
}
GlobalLog.Print("Scavenged cache, New Cache Count = " + s_CachedCreds.Count);
}
}
else
{
GlobalLog.Print("CacheCredential() (locked retry) Found already cached Handle = " + cached._Target.ToString());
}
}
}
else
{
GlobalLog.Print("CacheCredential() Ignoring incoming handle = " + creds.ToString() + " since found already cached Handle = " + cached._Target.ToString());
}
}
} private SecurityStatus GenerateToken(byte[] input, int offset, int count, ref byte[] output)
{
if ((offset < 0) || (offset > ((input == null) ? 0 : input.Length)))
{
throw new ArgumentOutOfRangeException("offset");
}
if ((count < 0) || (count > ((input == null) ? 0 : (input.Length - offset))))
{
throw new ArgumentOutOfRangeException("count");
}
SecurityBuffer inputBuffer = null;
SecurityBuffer[] inputBuffers = null;
if (input != null)
{
inputBuffer = new SecurityBuffer(input, offset, count, BufferType.Token);
inputBuffers = new SecurityBuffer[] { inputBuffer, new SecurityBuffer(null, 0, 0, BufferType.Empty) };
}
SecurityBuffer outputBuffer = new SecurityBuffer(null, BufferType.Token);
int num = 0;
bool flag = false;
byte[] thumbPrint = null;
try
{
do
{
thumbPrint = null;
if (this.m_RefreshCredentialNeeded)
{
flag = this.m_ServerMode ? this.AcquireServerCredentials(ref thumbPrint) : this.AcquireClientCredentials(ref thumbPrint);
}
if (this.m_ServerMode)
{
num = SSPIWrapper.AcceptSecurityContext(GlobalSSPI.SSPISecureChannel, ref this.m_CredentialsHandle, ref this.m_SecurityContext, (ContextFlags.AcceptStream | ContextFlags.AllocateMemory | ContextFlags.Confidentiality | ContextFlags.SequenceDetect | ContextFlags.ReplayDetect) | (this.m_RemoteCertRequired ? ContextFlags.MutualAuth : ContextFlags.Zero), Endianness.Native, inputBuffer, outputBuffer, ref this.m_Attributes);
}
else if (inputBuffer == null)
{
num = SSPIWrapper.InitializeSecurityContext(GlobalSSPI.SSPISecureChannel, ref this.m_CredentialsHandle, ref this.m_SecurityContext, this.m_Destination, ContextFlags.AcceptIdentify | ContextFlags.AllocateMemory | ContextFlags.Confidentiality | ContextFlags.SequenceDetect | ContextFlags.ReplayDetect, Endianness.Native, inputBuffer, outputBuffer, ref this.m_Attributes);
}
else
{
num = SSPIWrapper.InitializeSecurityContext(GlobalSSPI.SSPISecureChannel, this.m_CredentialsHandle, ref this.m_SecurityContext, this.m_Destination, ContextFlags.AcceptIdentify | ContextFlags.AllocateMemory | ContextFlags.Confidentiality | ContextFlags.SequenceDetect | ContextFlags.ReplayDetect, Endianness.Native, inputBuffers, outputBuffer, ref this.m_Attributes);
}
}while (flag && (this.m_CredentialsHandle == null));
}
finally
{
if (this.m_RefreshCredentialNeeded)
{
this.m_RefreshCredentialNeeded = false;
if (this.m_CredentialsHandle != null)
{
this.m_CredentialsHandle.Close();
}
if ((!flag && (this.m_SecurityContext != null)) && (!this.m_SecurityContext.IsInvalid && !this.m_CredentialsHandle.IsInvalid))
{
SslSessionsCache.CacheCredential(this.m_CredentialsHandle, thumbPrint, this.m_ProtocolFlags, this.m_EncryptionPolicy);
}
}
}
output = outputBuffer.token;
return((SecurityStatus)num);
}
