feat(sspi): server-side Kebreros implementation (#440)

Author: TheBestTvarynka

Cargo.lock

@@ -48,6 +48,7 @@ picky = { version = "7.0.0-rc.12", default-features = false }
 picky-asn1 = "0.10"
 picky-asn1-der = "0.5"
 picky-asn1-x509 = "0.14"
+picky-krb = "0.10"
 tokio = "1.45"
 ffi-types = { path = "crates/ffi-types" }
 winscard = { version = "0.2", path = "crates/winscard" }

Cargo.toml

@@ -9,7 +9,7 @@ use std::net::{TcpListener, TcpStream};
 use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
 use sspi::{
     AuthIdentity, BufferType, CredentialUse, DataRepresentation, EncryptionFlags, Ntlm, SecurityBuffer,
-    SecurityBufferRef, SecurityStatus, ServerRequestFlags, Sspi, Username,
+    SecurityBufferRef, SecurityStatus, ServerRequestFlags, Sspi, SspiImpl, Username,
 };
 
 const IP: &str = "127.0.0.1:8080";
@@ -84,14 +84,14 @@ fn do_authentication(ntlm: &mut Ntlm, identity: &AuthIdentity, mut stream: &mut
     loop {
         read_message(&mut stream, &mut input_buffer[0].buffer)?;
 
-        let result = ntlm
+        let builder = ntlm
             .accept_security_context()
             .with_credentials_handle(&mut acq_cred_result.credentials_handle)
             .with_context_requirements(ServerRequestFlags::ALLOCATE_MEMORY)
             .with_target_data_representation(DataRepresentation::Native)
             .with_input(&mut input_buffer)
-            .with_output(&mut output_buffer)
-            .execute(ntlm)?;
+            .with_output(&mut output_buffer);
+        let result = ntlm.accept_security_context_impl(builder)?.resolve_to_result()?;
 
         if [SecurityStatus::CompleteAndContinue, SecurityStatus::CompleteNeeded].contains(&result.status) {
             println!("Completing the token...");

examples/server.rs

@@ -4,7 +4,7 @@ use libc::{c_ulonglong, c_void};
 use num_traits::cast::{FromPrimitive, ToPrimitive};
 use sspi::{
     BufferType, DataRepresentation, DecryptionFlags, EncryptionFlags, Error, ErrorKind, SecurityBuffer,
-    SecurityBufferRef, SecurityBufferType, ServerRequestFlags, Sspi,
+    SecurityBufferRef, SecurityBufferType, ServerRequestFlags, Sspi, SspiImpl,
 };
 #[cfg(windows)]
 use symbol_rename_macro::rename_symbol;
@@ -100,13 +100,14 @@ pub unsafe extern "system" fn AcceptSecurityContext(
 
         let mut output_tokens = vec![SecurityBuffer::new(Vec::with_capacity(1024), BufferType::Token)];
 
-        let result_status = sspi_context.accept_security_context()
-            .with_credentials_handle(&mut Some(auth_data))
+        let mut auth_data = Some(auth_data);
+        let builder = sspi_context.accept_security_context()
+            .with_credentials_handle(&mut auth_data)
             .with_context_requirements(ServerRequestFlags::from_bits(f_context_req.try_into().unwrap()).unwrap())
             .with_target_data_representation(DataRepresentation::from_u32(target_data_rep.try_into().unwrap()).unwrap())
             .with_input(&mut input_tokens)
-            .with_output(&mut output_tokens)
-            .execute(sspi_context);
+            .with_output(&mut output_tokens);
+        let result_status = try_execute!(sspi_context.accept_security_context_impl(builder)).resolve_with_default_network_client();
 
         // SAFETY: `p_output` is not null. We've checked this above.
         try_execute!(unsafe { copy_to_c_sec_buffer((*p_output).p_buffers, &output_tokens, false) });

ffi/src/sspi/common.rs

@@ -126,9 +126,10 @@ impl SspiImpl for SspiHandle {
 
     fn accept_security_context_impl(
         &mut self,
-        builder: sspi::builders::FilledAcceptSecurityContext<'_, Self::CredentialsHandle>,
-    ) -> Result<sspi::AcceptSecurityContextResult> {
-        self.sspi_context.lock()?.accept_security_context_impl(builder)
+        builder: sspi::builders::FilledAcceptSecurityContext<Self::CredentialsHandle>,
+    ) -> Result<sspi::generator::GeneratorAcceptSecurityContext> {
+        let mut context = self.sspi_context.lock()?;
+        Ok(context.accept_security_context_sync(builder).into())
     }
 }
 

ffi/src/sspi/sec_handle.rs

@@ -6,6 +6,7 @@ use super::{
     ToAssign, WithContextRequirements, WithCredentialsHandle, WithOutput, WithTargetDataRepresentation,
     WithoutContextRequirements, WithoutCredentialsHandle, WithoutOutput, WithoutTargetDataRepresentation,
 };
+use crate::generator::GeneratorAcceptSecurityContext;
 use crate::{DataRepresentation, SecurityBuffer, SecurityStatus, ServerRequestFlags, ServerResponseFlags, SspiPackage};
 
 pub type EmptyAcceptSecurityContext<'a, C> = AcceptSecurityContext<
@@ -252,24 +253,8 @@ impl<'a, CredsHandle> FilledAcceptSecurityContext<'a, CredsHandle> {
     /// Executes the SSPI function that the builder represents.
     pub fn execute<AuthData>(
         self,
-        inner: SspiPackage<'_, CredsHandle, AuthData>,
-    ) -> crate::Result<AcceptSecurityContextResult> {
+        inner: SspiPackage<'a, CredsHandle, AuthData>,
+    ) -> crate::Result<GeneratorAcceptSecurityContext<'a>> {
         inner.accept_security_context_impl(self)
     }
-
-    pub(crate) fn transform(self) -> FilledAcceptSecurityContext<'a, CredsHandle> {
-        AcceptSecurityContext {
-            phantom_creds_use_set: PhantomData,
-            phantom_context_req_set: PhantomData,
-            phantom_data_repr_set: PhantomData,
-            phantom_output_set: PhantomData,
-
-            credentials_handle: self.credentials_handle,
-            context_requirements: self.context_requirements,
-            target_data_representation: self.target_data_representation,
-
-            output: self.output,
-            input: self.input,
-        }
-    }
 }