
smolder_core/auth/
mod.rs

1//! Authentication providers and protocol helpers.
2
3#[cfg(feature = "kerberos-api")]
4mod kerberos;
5#[cfg(all(unix, feature = "kerberos-gssapi"))]
6mod kerberos_gssapi;
7#[cfg(feature = "kerberos-sspi")]
8mod kerberos_sspi;
9#[cfg(feature = "kerberos-api")]
10mod kerberos_spn;
11mod ntlm;
12mod ntlm_rpc;
13mod ntlm_rpc_bind;
14mod spnego;
15
16use smolder_proto::smb::smb2::NegotiateResponse;
17use thiserror::Error;
18
19#[cfg(feature = "kerberos-api")]
20#[cfg_attr(
21    docsrs,
22    doc(cfg(any(feature = "kerberos", feature = "kerberos-gssapi")))
23)]
24pub use kerberos::{
25    KerberosAuthenticator, KerberosBackendKind, KerberosCredentialSourceKind,
26    KerberosCredentials,
27};
28#[cfg(feature = "kerberos-api")]
29#[cfg_attr(
30    docsrs,
31    doc(cfg(any(feature = "kerberos", feature = "kerberos-gssapi")))
32)]
33pub use kerberos_spn::KerberosTarget;
34pub use ntlm::{NtlmAuthenticator, NtlmCredentials};
35pub use ntlm_rpc::{NtlmRpcPacketIntegrity, NtlmSessionSecurity};
36pub(crate) use ntlm_rpc_bind::NtlmRpcBindHandshake;
37
// Build-time guard: `kerberos-api` compiles the `kerberos` and `kerberos_spn`
// modules, but the backends live in `kerberos_sspi` (feature `kerberos-sspi`)
// and `kerberos_gssapi` (Unix plus feature `kerberos-gssapi`). If neither
// backend is compiled in, stop the build here instead of producing a crate
// whose Kerberos API has no backend behind it.
#[cfg(all(
    feature = "kerberos-api",
    not(feature = "kerberos-sspi"),
    not(all(unix, feature = "kerberos-gssapi"))
))]
compile_error!(
    "kerberos-api requires either kerberos-sspi or kerberos-gssapi on Unix"
);
46
/// SPNEGO mechanism identifiers supported by Smolder authentication helpers.
///
/// This type only names a mechanism; it carries no policy. Nothing in this
/// enum orders the variants by strength or prevents one from being chosen
/// over the other.
// NOTE(review): confirm at the negotiation site that a caller who requires
// Kerberos cannot end up on NTLM without an explicit opt-in; that decision is
// not visible from this declaration.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum SpnegoMechanism {
    /// Microsoft NTLM.
    Ntlm,
    /// Kerberos V5.
    KerberosV5,
}
55
/// Authentication errors returned while processing GSS/NTLM tokens.
///
/// `Display` is derived through `thiserror`; each variant's payload is
/// interpolated into its message as `{0}`.
#[derive(Debug, Error)]
pub enum AuthError {
    /// A token was malformed or violated the expected protocol flow.
    ///
    /// The payload is a `&'static str`, so the description is a fixed string
    /// (normally a literal) and is not assembled from the peer's token bytes.
    #[error("invalid authentication token: {0}")]
    InvalidToken(&'static str),
    /// The provider was called in an invalid state.
    ///
    /// As with [`AuthError::InvalidToken`], the description is a fixed
    /// `&'static str`.
    #[error("invalid authentication state: {0}")]
    InvalidState(&'static str),
    /// The underlying authentication backend returned an error.
    ///
    /// The payload is an owned `String` and appears verbatim in the
    /// `Display` output.
    // NOTE(review): what the backends put in this string is not visible here.
    // Confirm it cannot contain credential material or other sensitive
    // backend detail before it is logged or shown to a remote party.
    #[error("authentication backend error: {0}")]
    Backend(String),
}
69
/// Drives a GSS-style authentication exchange for SMB `SESSION_SETUP`.
///
/// The methods take `&mut self`, so a provider can keep state across the
/// exchange. The `incoming` byte slices are security tokens sent by the
/// server and should be handled as untrusted input: implementations are
/// expected to report malformed or out-of-sequence tokens through
/// [`AuthError`] rather than assume they are well formed.
pub trait AuthProvider {
    /// Produces the first security token sent in the initial `SESSION_SETUP`.
    ///
    /// # Errors
    ///
    /// Returns an [`AuthError`] if the provider cannot produce a token.
    fn initial_token(&mut self, negotiate: &NegotiateResponse) -> Result<Vec<u8>, AuthError>;

    /// Processes a server security token and returns the next client token.
    ///
    /// # Errors
    ///
    /// Returns an [`AuthError`] if the provider rejects `incoming` or cannot
    /// continue the exchange.
    fn next_token(&mut self, incoming: &[u8]) -> Result<Vec<u8>, AuthError>;

    /// Validates any final token returned by the server once authentication succeeds.
    ///
    /// The default implementation ignores `_incoming` and returns `Ok(())`,
    /// so a provider that does not override this method performs no check on
    /// the server's final token.
    // NOTE(review): a mechanism whose last server token carries the server's
    // own proof (mutual authentication, a final integrity check) presumably
    // has to override this method. Confirm for each implementor that relying
    // on the default is a deliberate choice.
    fn finish(&mut self, _incoming: &[u8]) -> Result<(), AuthError> {
        Ok(())
    }

    /// Returns the exported session key, if the mechanism established one.
    ///
    /// The default implementation returns `None`.
    // NOTE(review): how callers use this key is not visible here. If signing
    // or encryption keys are derived from it, confirm the caller treats
    // `None` as "no key available" and decides explicitly whether the
    // session may continue.
    fn session_key(&self) -> Option<&[u8]> {
        None
    }
}