feat(sspi): implement server-side Kerberos

Cargo.toml

@@ -44,10 +44,13 @@ sha1 = { version = "0.10", default-features = false }
 sha2 = "0.10"
 num-derive = "0.4"
 num-traits = { version = "0.2", default-features = false }
-picky = { version = "7.0.0-rc.12", default-features = false }
+
+picky = { version = "7.0.0-rc.15", default-features = false }
 picky-asn1 = "0.10"
 picky-asn1-der = "0.5"
 picky-asn1-x509 = "0.14"
+picky-krb = "0.11"
+
 tokio = "1.45"
 ffi-types = { path = "crates/ffi-types" }
 winscard = { version = "0.2", path = "crates/winscard" }

crates/dpapi/src/client.rs

@@ -213,7 +213,7 @@ async fn get_key<T: Transport>(
     let mut rpc = RpcClient::<T>::connect(
         &connection_options,
         AuthProvider::new(
-            SspiContext::Negotiate(Negotiate::new(negotiate_config.clone()).map_err(AuthError::from)?),
+            SspiContext::Negotiate(Negotiate::new_client(negotiate_config.clone()).map_err(AuthError::from)?),
             Credentials::AuthIdentity(AuthIdentity {
                 username: username.clone(),
                 password: password.clone(),
@@ -246,7 +246,7 @@ async fn get_key<T: Transport>(
     let mut rpc = RpcClient::<T>::connect(
         &connection_options,
         AuthProvider::new(
-            SspiContext::Negotiate(Negotiate::new(negotiate_config).map_err(AuthError::from)?),
+            SspiContext::Negotiate(Negotiate::new_client(negotiate_config).map_err(AuthError::from)?),
             Credentials::AuthIdentity(AuthIdentity { username, password }),
             server,
             network_client,

crates/dpapi/src/rpc/auth.rs

@@ -247,7 +247,7 @@ impl<'a> AuthProvider<'a> {
             .with_context_requirements(
                 // Warning: do not change these flags if you don't know what you are doing.
                 // The absence or presence of some flags can break the RPC auth. For example,
-                // if you enable the `ClientRequestFlags::USER_TO_USER`, then it will fail.
+                // if you enable the `ClientRequestFlags::USE_SESSION_KEY`, then it will fail.
                 ClientRequestFlags::MUTUAL_AUTH
                     | ClientRequestFlags::INTEGRITY
                     | ClientRequestFlags::USE_DCE_STYLE

examples/server.rs

@@ -9,7 +9,7 @@ use std::net::{TcpListener, TcpStream};
 use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
 use sspi::{
     AuthIdentity, BufferType, CredentialUse, DataRepresentation, EncryptionFlags, Ntlm, SecurityBuffer,
-    SecurityBufferRef, SecurityStatus, ServerRequestFlags, Sspi, Username,
+    SecurityBufferRef, SecurityStatus, ServerRequestFlags, Sspi, SspiImpl, Username,
 };
 
 const IP: &str = "127.0.0.1:8080";
@@ -84,14 +84,14 @@ fn do_authentication(ntlm: &mut Ntlm, identity: &AuthIdentity, mut stream: &mut
     loop {
         read_message(&mut stream, &mut input_buffer[0].buffer)?;
 
-        let result = ntlm
+        let builder = ntlm
             .accept_security_context()
             .with_credentials_handle(&mut acq_cred_result.credentials_handle)
             .with_context_requirements(ServerRequestFlags::ALLOCATE_MEMORY)
             .with_target_data_representation(DataRepresentation::Native)
             .with_input(&mut input_buffer)
-            .with_output(&mut output_buffer)
-            .execute(ntlm)?;
+            .with_output(&mut output_buffer);
+        let result = ntlm.accept_security_context_impl(builder)?.resolve_to_result()?;
 
         if [SecurityStatus::CompleteAndContinue, SecurityStatus::CompleteNeeded].contains(&result.status) {
             println!("Completing the token...");

ffi/src/dpapi/api.rs

@@ -20,8 +20,7 @@ mod inner {
     use dpapi::{CryptProtectSecretArgs, CryptUnprotectSecretArgs, Result};
     use dpapi_transport::{ProxyOptions, Transport};
     use ffi_types::{Dword, LpByte, LpCStr, LpCUuid, LpDword};
-    use sspi::network_client::AsyncNetworkClient;
-    use sspi::{KerberosConfig, Secret};
+    use sspi::Secret;
     use url::Url;
     use uuid::Uuid;
 

ffi/src/dpapi/mod.rs

@@ -182,7 +182,7 @@ pub unsafe extern "system" fn DpapiProtectSecret(
             return NTE_INTERNAL_ERROR;
         }
 
-        // SAFETY: Memory allocation should be safe. Moreover, we check for the null value below.
+        // SAFETY: Memory allocation is safe. Moreover, we check for the null value below.
         let blob_buf = unsafe { libc::malloc(blob_data.len()) as *mut u8 };
         if blob_buf.is_null() {
             error!("Failed to allocate memory for the output DPAPI blob: blob buf pointer is NULL");
@@ -327,7 +327,7 @@ pub unsafe extern "system" fn DpapiUnprotectSecret(
             return NTE_INTERNAL_ERROR;
         }
 
-        // SAFETY: Memory allocation should be safe. Moreover, we check for the null value below.
+        // SAFETY: Memory allocation is safe. Moreover, we check for the null value below.
         let secret_buf = unsafe { libc::malloc(secret_data.as_ref().len()) as *mut u8 };
         if secret_buf.is_null() {
             error!("Failed to allocate memory for the output DPAPI blob: blob buf pointer is NULL.");

ffi/src/dpapi/network_client.rs

@@ -9,7 +9,10 @@ use sspi::{Error, ErrorKind, NetworkRequest, Result};
 pub struct SyncNetworkClient;
 
 impl AsyncNetworkClient for SyncNetworkClient {
-    fn send<'a>(&'a mut self, request: &'a NetworkRequest) -> Pin<Box<dyn Future<Output = Result<Vec<u8>>> + 'a>> {
+    fn send<'a>(
+        &'a mut self,
+        request: &'a NetworkRequest,
+    ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>>> + Send + 'a>> {
         let request = request.clone();
         Box::pin(async move {
             tokio::task::spawn_blocking(move || ReqwestNetworkClient.send(&request))

ffi/src/lib.rs

@@ -1,6 +1,8 @@
 #![allow(clippy::missing_safety_doc)]
 #![allow(clippy::print_stdout)]
 #![allow(non_snake_case)]
+#![deny(unsafe_op_in_unsafe_fn)]
+#![warn(clippy::undocumented_unsafe_blocks)]
 
 #[macro_use]
 extern crate tracing;
@@ -13,6 +15,4 @@ pub mod logging;
 pub mod sspi;
 mod utils;
 #[cfg(feature = "scard")]
-#[deny(unsafe_op_in_unsafe_fn)]
-#[warn(clippy::undocumented_unsafe_blocks)]
 pub mod winscard;