sspi 0.20.0

A Rust implementation of the Security Support Provider Interface (SSPI) API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

use oid::ObjectIdentifier;
use picky::oids;
use picky_krb::gss_api::{ApplicationTag0, GssApiNegInit, MechTypeList, NegTokenInit};

use crate::ntlm::NtlmConfig;
use crate::{Error, ErrorKind, Negotiate, NegotiatedProtocol, Ntlm};

/// Extract TGT request and mech types from the first token returned by the Kerberos client.
#[instrument(ret, level = "trace")]
pub(super) fn decode_initial_neg_init(data: &[u8]) -> crate::Result<(Option<Vec<u8>>, MechTypeList)> {
    let token: ApplicationTag0<GssApiNegInit> = picky_asn1_der::from_bytes(data)?;
    let NegTokenInit {
        mech_types,
        req_flags: _,
        mech_token,
        mech_list_mic: _,
    } = token.0.neg_token_init.0;

    let mech_types = mech_types
        .0
        .ok_or_else(|| {
            Error::new(
                ErrorKind::InvalidToken,
                "mech_types is missing in GssApiNegInit message",
            )
        })?
        .0;

    let token = mech_token.0.map(|token| token.0.0);

    Ok((token, mech_types))
}

/// Selects the preferred authentication protocol OID based on the provided protocols list, allowed protocols,
/// and available protocols.
///
/// The Kerberos protocol will be selected only if it is allowed in the package list, its OID is present in the mech types,
/// and the internal protocol is configured to Kerberos. We cannot _just_ configure it from env vars as we do it for
/// the client-side Kerberos because the server-side Kerberos requires many configuration fields.
///
/// 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5) is preferred over 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5).
pub(super) fn negotiate_mech_type(
    mech_list: &MechTypeList,
    negotiate: &mut Negotiate,
) -> crate::Result<(ObjectIdentifier, usize)> {
    let ms_krb5 = oids::ms_krb5();
    if let Some(mech_index) = mech_list.0.iter().position(|mech_type| mech_type.0 == ms_krb5)
        && negotiate.package_list.kerberos
        && negotiate.protocol.is_kerberos()
    {
        return Ok((ms_krb5, mech_index));
    }

    let krb5 = oids::krb5();
    if let Some(mech_index) = mech_list.0.iter().position(|mech_type| mech_type.0 == krb5)
        && negotiate.package_list.kerberos
        && negotiate.protocol.is_kerberos()
    {
        return Ok((krb5, mech_index));
    }

    let ntlm_oid = oids::ntlm_ssp();
    if let Some(mech_index) = mech_list.0.iter().position(|mech_type| mech_type.0 == ntlm_oid)
        && negotiate.package_list.ntlm
    {
        if let NegotiatedProtocol::Kerberos(kerberos) = &mut negotiate.protocol {
            // Negotiate is configured to use Kerberos, but only NTLM is possible (fallback to NTLM).
            negotiate.protocol = NegotiatedProtocol::Ntlm(Ntlm::with_config(NtlmConfig {
                client_computer_name: Some(kerberos.config.client_computer_name.clone()),
            }));
        }

        return Ok((ntlm_oid, mech_index));
    }

    Err(Error::new(
        ErrorKind::InvalidToken,
        "no supported authentication protocols found in mech list",
    ))
}