fix(sspi): server-side Kerberos fixes (#457)

Author: TheBestTvarynka

Cargo.toml

@@ -44,11 +44,13 @@ sha1 = { version = "0.10", default-features = false }
 sha2 = "0.10"
 num-derive = "0.4"
 num-traits = { version = "0.2", default-features = false }
-picky = { version = "7.0.0-rc.12", default-features = false }
+
+picky = { version = "7.0.0-rc.15", default-features = false }
 picky-asn1 = "0.10"
 picky-asn1-der = "0.5"
 picky-asn1-x509 = "0.14"
-picky-krb = "0.10"
+picky-krb = "0.11"
+
 tokio = "1.45"
 ffi-types = { path = "crates/ffi-types" }
 winscard = { version = "0.2", path = "crates/winscard" }

crates/dpapi/src/client.rs

@@ -213,7 +213,7 @@ async fn get_key<T: Transport>(
     let mut rpc = RpcClient::<T>::connect(
         &connection_options,
         AuthProvider::new(
-            SspiContext::Negotiate(Negotiate::new(negotiate_config.clone()).map_err(AuthError::from)?),
+            SspiContext::Negotiate(Negotiate::new_client(negotiate_config.clone()).map_err(AuthError::from)?),
             Credentials::AuthIdentity(AuthIdentity {
                 username: username.clone(),
                 password: password.clone(),
@@ -246,7 +246,7 @@ async fn get_key<T: Transport>(
     let mut rpc = RpcClient::<T>::connect(
         &connection_options,
         AuthProvider::new(
-            SspiContext::Negotiate(Negotiate::new(negotiate_config).map_err(AuthError::from)?),
+            SspiContext::Negotiate(Negotiate::new_client(negotiate_config).map_err(AuthError::from)?),
             Credentials::AuthIdentity(AuthIdentity { username, password }),
             server,
             network_client,

ffi/src/dpapi/network_client.rs

@@ -9,7 +9,10 @@ use sspi::{Error, ErrorKind, NetworkRequest, Result};
 pub struct SyncNetworkClient;
 
 impl AsyncNetworkClient for SyncNetworkClient {
-    fn send<'a>(&'a mut self, request: &'a NetworkRequest) -> Pin<Box<dyn Future<Output = Result<Vec<u8>>> + 'a>> {
+    fn send<'a>(
+        &'a mut self,
+        request: &'a NetworkRequest,
+    ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>>> + Send + 'a>> {
         let request = request.clone();
         Box::pin(async move {
             tokio::task::spawn_blocking(move || ReqwestNetworkClient.send(&request))

ffi/src/sspi/sec_handle.rs

@@ -230,23 +230,23 @@ pub struct CredentialsHandle {
 fn create_negotiate_context(attributes: &CredentialsAttributes) -> Result<Negotiate> {
     let client_computer_name = attributes.hostname()?;
 
-    if let Some(kdc_url) = attributes.kdc_url() {
+    let negotiate_config = if let Some(kdc_url) = attributes.kdc_url() {
         let kerberos_config = KerberosConfig::new(&kdc_url, client_computer_name.clone());
-        let negotiate_config = NegotiateConfig::new(
+
+        NegotiateConfig::new(
             Box::new(kerberos_config),
             attributes.package_list.clone(),
             client_computer_name,
-        );
-
-        Negotiate::new(negotiate_config)
+        )
     } else {
-        let negotiate_config = NegotiateConfig {
+        NegotiateConfig {
             protocol_config: Box::new(NtlmConfig::new(client_computer_name.clone())),
             package_list: attributes.package_list.clone(),
             client_computer_name,
-        };
-        Negotiate::new(negotiate_config)
-    }
+        }
+    };
+
+    Negotiate::new_client(negotiate_config)
 }
 
 /// Transforms [&mut PCtxtHandle] to [*mut SspiHandle].
@@ -1244,7 +1244,7 @@ pub unsafe extern "system" fn ChangeAccountPasswordA(
                     package_list: None,
                     client_computer_name: try_execute!(hostname()),
                 };
-                SspiContext::Negotiate(try_execute!(Negotiate::new(negotiate_config)))
+                SspiContext::Negotiate(try_execute!(Negotiate::new_client(negotiate_config)))
             },
             kerberos::PKG_NAME => {
                 let krb_config = KerberosConfig{

src/auth_identity.rs

@@ -170,6 +170,14 @@ impl AuthIdentityBuffers {
     pub fn is_empty(&self) -> bool {
         self.user.is_empty()
     }
+
+    pub fn from_utf8(user: &str, domain: &str, password: &str) -> Self {
+        Self {
+            user: utils::string_to_utf16(user),
+            domain: utils::string_to_utf16(domain),
+            password: utils::string_to_utf16(password).into(),
+        }
+    }
 }
 
 impl fmt::Debug for AuthIdentityBuffers {

src/credssp/mod.rs

@@ -61,7 +61,7 @@ macro_rules! try_cred_ssp_server {
                 $ts_request.error_code = Some(construct_error(&error));
 
                 return Err(ServerError {
-                    ts_request: $ts_request,
+                    ts_request: Some(Box::new($ts_request)),
                     error,
                 });
             }
@@ -100,7 +100,7 @@ pub enum ServerState {
 /// Contains `TsRequest` with non-empty `error_code`, and the error which caused the server to fail.
 #[derive(Debug, Clone)]
 pub struct ServerError {
-    pub ts_request: TsRequest,
+    pub ts_request: Option<Box<TsRequest>>,
     pub error: crate::Error,
 }
 
@@ -248,7 +248,7 @@ impl CredSspClient {
                 .expect("CredSsp client mode should never be empty")
             {
                 ClientMode::Negotiate(negotiate_config) => Some(CredSspContext::new(SspiContext::Negotiate(
-                    Negotiate::new(negotiate_config)?,
+                    Negotiate::new_client(negotiate_config)?,
                 ))),
                 ClientMode::Kerberos(kerberos_config) => Some(CredSspContext::new(SspiContext::Kerberos(
                     Kerberos::new_client_from_config(kerberos_config)?,
@@ -437,7 +437,6 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity> + Send> CredSspServe
         })
     }
 
-    #[allow(clippy::result_large_err)]
     #[instrument(fields(state = ?self.state), skip_all)]
     pub fn process(
         &mut self,
@@ -460,7 +459,7 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity> + Send> CredSspServe
                 .expect("CredSsp client mode should never be empty")
             {
                 ServerMode::Negotiate(neg_config) => Some(CredSspContext::new(SspiContext::Negotiate(
-                    try_cred_ssp_server!(Negotiate::new(neg_config), ts_request),
+                    try_cred_ssp_server!(Negotiate::new_server(neg_config), ts_request),
                 ))),
                 ServerMode::Kerberos(kerberos_mode) => {
                     let (kerberos_config, server_properties) = *kerberos_mode;
@@ -630,7 +629,7 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity> + Send> CredSspServe
                 Ok(ServerState::ReplyNeeded(ts_request))
             }
             CredSspState::Final => Err(ServerError {
-                ts_request,
+                ts_request: Some(Box::new(ts_request)),
                 error: Error::new(
                     ErrorKind::UnsupportedFunction,
                     "CredSSP server's 'process' method must not be fired after the 'Finished' state",

src/generator.rs

@@ -5,6 +5,7 @@ use std::task::{Context, Poll, Wake, Waker};
 
 use url::Url;
 
+use crate::credssp::ServerError;
 use crate::network_client::{AsyncNetworkClient, NetworkClient, NetworkProtocol};
 use crate::{AcceptSecurityContextResult, Error, InitializeSecurityContextResult};
 
@@ -139,11 +140,11 @@ fn execute_one_step<OutTy>(task: &mut PinnedFuture<OutTy>) -> Option<OutTy> {
 }
 
 /// Utility types and methods
-impl<'a, YieldTy, ResumeTy, OutTy> Generator<'a, YieldTy, ResumeTy, Result<OutTy, crate::Error>>
+impl<'a, YieldTy, ResumeTy, OutTy> Generator<'a, YieldTy, ResumeTy, Result<OutTy, Error>>
 where
     OutTy: Send + 'a,
 {
-    pub fn resolve_to_result(&mut self) -> Result<OutTy, crate::Error> {
+    pub fn resolve_to_result(&mut self) -> Result<OutTy, Error> {
         let state = self.start();
         match state {
             GeneratorState::Suspended(_) => Err(Error::new(
@@ -162,6 +163,23 @@ where
         self.resolve_to_result().expect(msg)
     }
 }
+
+impl<'a, YieldTy, ResumeTy, OutTy> Generator<'a, YieldTy, ResumeTy, Result<OutTy, ServerError>>
+where
+    OutTy: Send + 'a,
+{
+    pub fn resolve_to_result(&mut self) -> Result<OutTy, ServerError> {
+        let state = self.start();
+        match state {
+            GeneratorState::Suspended(_) => Err(ServerError {
+                ts_request: None,
+                error: Error::new(crate::ErrorKind::UnsupportedFunction, "cannot finish generator"),
+            }),
+            GeneratorState::Completed(res) => res,
+        }
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct NetworkRequest {
     pub protocol: NetworkProtocol,

src/kerberos/client/extractors.rs

@@ -171,6 +171,7 @@ pub fn extract_status_code_from_krb_priv_response(
 }
 
 /// Extracts [ApRep] from the [NegTokenTarg1] .
+#[instrument(ret, level = "trace")]
 pub fn extract_ap_rep_from_neg_token_targ(token: &NegTokenTarg1) -> Result<ApRep> {
     let resp_token = &token
         .0

src/kerberos/config.rs

@@ -4,9 +4,11 @@ use std::str::FromStr;
 use url::Url;
 
 use crate::kdc::detect_kdc_url;
+use crate::kerberos::ServerProperties;
 use crate::negotiate::{NegotiatedProtocol, ProtocolConfig};
 use crate::{Kerberos, Result};
 
+/// Kerberos client configuration.
 #[derive(Clone, Debug)]
 pub struct KerberosConfig {
     /// KDC URL
@@ -29,14 +31,14 @@ pub struct KerberosConfig {
 }
 
 impl ProtocolConfig for KerberosConfig {
-    fn new_client(&self) -> Result<NegotiatedProtocol> {
+    fn new_instance(&self) -> Result<NegotiatedProtocol> {
         Ok(NegotiatedProtocol::Kerberos(Kerberos::new_client_from_config(
-            Clone::clone(self),
+            self.clone(),
         )?))
     }
 
     fn box_clone(&self) -> Box<dyn ProtocolConfig> {
-        Box::new(Clone::clone(self))
+        Box::new(self.clone())
     }
 }
 
@@ -75,3 +77,25 @@ impl KerberosConfig {
         }
     }
 }
+
+/// Kerberos server configuration.
+#[derive(Clone, Debug)]
+pub struct KerberosServerConfig {
+    /// General Kerberos configuration.
+    pub kerberos_config: KerberosConfig,
+    /// Kerberos server specific parameters.
+    pub server_properties: ServerProperties,
+}
+
+impl ProtocolConfig for KerberosServerConfig {
+    fn new_instance(&self) -> Result<NegotiatedProtocol> {
+        Ok(NegotiatedProtocol::Kerberos(Kerberos::new_server_from_config(
+            self.kerberos_config.clone(),
+            self.server_properties.clone(),
+        )?))
+    }
+
+    fn box_clone(&self) -> Box<dyn ProtocolConfig> {
+        Box::new(self.clone())
+    }
+}

src/kerberos/server/extractors.rs

@@ -14,6 +14,7 @@ use picky_krb::messages::{ApReq, TgtReq};
 use crate::{Error, ErrorKind, Result};
 
 /// Extract TGT request and mech types from the first token returned by the Kerberos client.
+#[instrument(ret, level = "trace")]
 pub fn decode_initial_neg_init(data: &[u8]) -> Result<(Option<TgtReq>, MechTypeList)> {
     let token: ApplicationTag0<GssApiNegInit> = picky_asn1_der::from_bytes(data)?;
     let NegTokenInit {