PKU2U protocol implementation

Cargo.toml

@@ -21,12 +21,13 @@ network_client = ["reqwest", "trust-dns-resolver", "portpicker"]
 [dependencies]
 byteorder = "1.2.7"
 bitflags = "1.0"
-rand = "0.6"
+rand = "0.8.5"
 cfg-if = "0.1"
 chrono = "0.4"
 md-5 = "0.9"
 md4 = "0.9"
 sha2 = "0.9"
+sha1 = "0.10"
 hmac = "0.11"
 crypto-mac = "0.11"
 num-derive = "0.2"
@@ -36,19 +37,23 @@ serde = "1.0"
 serde_derive = "1.0"
 url = "2.2.2"
 reqwest = { version = "0.11", features = ["blocking", "rustls-tls", "rustls-tls-native-roots"], optional = true, default-features = false }
-picky-krb = "0.4.0"
-picky-asn1 = { version = "0.5.0", features = ["chrono_conversion"] }
-picky-asn1-der = "0.3.1"
-picky-asn1-x509 = "0.7.0"
+picky = { version = "7.0.0-rc.3" }
+picky-krb = { version = "0.5.0" }
+picky-asn1 = { version = "0.7.0", features = ["chrono_conversion"] }
+picky-asn1-der = { version = "0.4.0" }
+picky-asn1-x509 = { version = "0.9.0", features = ["pkcs7"] }
 oid = "0.2.1"
+uuid = { version = "1.1", features = ["v4"] }
 whoami = "0.5"
 trust-dns-resolver = { version = "0.21.2", optional = true }
 portpicker = { version = "0.1.1", optional = true }
+num-bigint-dig = "0.8.1"
 
 [target.'cfg(windows)'.dependencies]
 winreg = "0.10"
 winapi = { version = "0.3", features = ["sspi", "rpcdce", "impl-default", "timezoneapi", "wincrypt"] }
 windows = { version = "0.39.0", features = [ "Win32_Foundation", "Win32_NetworkManagement_Dns"] }
+windows-sys = { version = "0.42.0", features = ["Win32_Security_Cryptography", "Win32_Foundation"] }
 
 [target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
 async-dnssd = "0.5.0"

ffi/src/credentials_attributes.rs

@@ -1,6 +1,7 @@
-use crate::sspi_data_types::{SecChar, SecWChar};
 use libc::{c_uint, c_ulong, c_ushort};
 
+use crate::sspi_data_types::{SecChar, SecWChar};
+
 pub struct KdcProxySettings {
     pub proxy_server: String,
     #[allow(dead_code)]

ffi/src/sec_handle.rs

@@ -10,8 +10,8 @@ use sspi::internal::SspiImpl;
 use sspi::kerberos::config::KerberosConfig;
 use sspi::kerberos::network_client::reqwest_network_client::ReqwestNetworkClient;
 use sspi::{
-    kerberos, negotiate, ntlm, AuthIdentityBuffers, ClientRequestFlags, DataRepresentation, Error, ErrorKind, Kerberos,
-    Negotiate, NegotiateConfig, Ntlm, Result, Sspi,
+    kerberos, negotiate, ntlm, pku2u, AuthIdentityBuffers, ClientRequestFlags, DataRepresentation, Error, ErrorKind,
+    Kerberos, Negotiate, NegotiateConfig, Ntlm, Pku2u, Pku2uConfig, Result, Sspi,
 };
 #[cfg(windows)]
 use symbol_rename_macro::rename_symbol;
@@ -84,15 +84,25 @@ pub(crate) unsafe fn p_ctxt_handle_to_sspi_context(
             negotiate::PKG_NAME => {
                 if let Some(kdc_url) = attributes.kdc_url() {
                     let kerberos_config = KerberosConfig::from_kdc_url(&kdc_url, Box::new(ReqwestNetworkClient::new()));
-                    let mut negotiate_config = NegotiateConfig::new_with_kerberos(kerberos_config);
-                    negotiate_config.package_list = attributes.package_list.clone();
+                    let negotiate_config =
+                        NegotiateConfig::new(Box::new(kerberos_config), attributes.package_list.clone());
+
                     SspiContext::Negotiate(Negotiate::new(negotiate_config)?)
                 } else {
                     let mut negotiate_config = NegotiateConfig::default();
                     negotiate_config.package_list = attributes.package_list.clone();
                     SspiContext::Negotiate(Negotiate::new(negotiate_config)?)
                 }
             }
+            pku2u::PKG_NAME => {
+                #[cfg(not(target_os = "windows"))]
+                return Err(Error::new(
+                    ErrorKind::InvalidParameter,
+                    "PKU2U is not supported on non-Windows OS yet".into(),
+                ));
+                #[cfg(target_os = "windows")]
+                SspiContext::Pku2u(Pku2u::new_client_from_config(Pku2uConfig::default_client_config()?)?)
+            }
             kerberos::PKG_NAME => {
                 if let Some(kdc_url) = attributes.kdc_url() {
                     SspiContext::Kerberos(Kerberos::new_client_from_config(KerberosConfig::from_kdc_url(

src/crypto/rc4.rs

@@ -109,7 +109,7 @@ mod test {
     fn empty_message() {
         let key = "key".to_string();
         let message = "".to_string();
-        let expected = [];
+        let expected: [u8; 0] = [];
         assert_eq!(Rc4::new(key.as_bytes()).process(message.as_bytes())[..], expected);
     }
 

src/dns.rs

@@ -50,9 +50,9 @@ cfg_if::cfg_if! {
                         if let (Some(namespace), Some(name_server_list)) = (namespace, name_server_list) {
                             let name_servers: Vec<String> = name_server_list.split(';').map(|x| x.to_string()).collect();
                             rules.push(DnsClientNrptRule {
-                                rule_name: rule_name,
-                                namespace: namespace,
-                                name_servers: name_servers
+                                rule_name,
+                                namespace,
+                                name_servers,
                             });
                         }
                     }
@@ -90,7 +90,7 @@ cfg_if::cfg_if! {
         }
 
         pub fn get_name_servers_for_domain(domain: &str) -> Vec<String> {
-            let domain_namespace = if domain.starts_with(".") {
+            let domain_namespace = if domain.starts_with('.') {
                 domain.to_string()
             } else {
                 format!(".{}", &domain)
@@ -102,22 +102,22 @@ cfg_if::cfg_if! {
                 }
             }
 
-            return get_default_name_servers();
+            get_default_name_servers()
         }
 
         pub fn detect_kdc_hosts_from_dns_windows(domain: &str) -> Vec<String> {
             let krb_tcp_name = &format!("_kerberos._tcp.{}", domain);
             let krb_tcp_srv = dns_query_srv_records(krb_tcp_name);
 
             if !krb_tcp_srv.is_empty() {
-                return krb_tcp_srv.iter().map(|x| format!("tcp://{}:88", x).to_owned()).collect()
+                return krb_tcp_srv.iter().map(|x| format!("tcp://{}:88", x)).collect()
             }
 
             let krb_udp_name = &format!("_kerberos._udp.{}", domain);
             let krb_udp_srv = dns_query_srv_records(krb_udp_name);
 
             if !krb_udp_srv.is_empty() {
-                return krb_udp_srv.iter().map(|x| format!("udp://{}:88", x).to_owned()).collect()
+                return krb_udp_srv.iter().map(|x| format!("udp://{}:88", x)).collect()
             }
 
             Vec::new()
@@ -232,7 +232,7 @@ cfg_if::cfg_if! {
         use url::Url;
 
         fn get_trust_dns_name_server_from_url_str(url: &str) -> Option<NameServerConfig> {
-            let url = if !url.contains("://") && url.len() > 0 {
+            let url = if !url.contains("://") && url.is_empty() {
                 format!("udp://{}", url)
             } else {
                 url.to_string()
@@ -241,16 +241,16 @@ cfg_if::cfg_if! {
             if let Ok(url) = Url::parse(&url) {
                 if let Some(url_host) = url.host_str() {
                     let url_port = url.port().unwrap_or(53);
-                    let url_protocol = match url.scheme().to_lowercase().as_str() {
+                    let protocol = match url.scheme().to_lowercase().as_str() {
                         "tcp" => Protocol::Tcp,
                         "udp" => Protocol::Udp,
                         _ => Protocol::Udp,
                     };
                     if let Ok(ip_addr) = IpAddr::from_str(url_host) {
                         let socket_addr = SocketAddr::new(ip_addr, url_port);
                         return Some(NameServerConfig {
-                            socket_addr: socket_addr,
-                            protocol: url_protocol,
+                            socket_addr,
+                            protocol,
                             tls_dns_name: None,
                             trust_nx_responses: false,
                             bind_addr: None

src/kdc.rs

@@ -5,23 +5,26 @@ cfg_if::cfg_if! {
     }
 }
 
-use crate::dns::detect_kdc_hosts_from_dns;
-use crate::krb::Krb5Conf;
-
 use std::env;
+#[cfg(not(target_os = "windows"))]
 use std::path::Path;
 use std::str::FromStr;
+
 use url::Url;
 
+use crate::dns::detect_kdc_hosts_from_dns;
+#[cfg(not(target_os = "windows"))]
+use crate::krb::Krb5Conf;
+
 #[cfg(target_os = "windows")]
 pub fn detect_kdc_hosts_from_system(domain: &str) -> Vec<String> {
     let domain_upper = domain.to_uppercase();
     let hklm = RegKey::predef(HKEY_LOCAL_MACHINE);
     let domains_key_path = "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Domains";
     let domain_key_path = format!("{}\\{}", domains_key_path, &domain_upper);
     if let Ok(domain_key) = hklm.open_subkey(domain_key_path) {
-        let kdc_names: Vec<String> = domain_key.get_value("KdcNames").unwrap_or(Vec::new());
-        kdc_names.iter().map(|x| format!("tcp://{}:88", x).to_owned()).collect()
+        let kdc_names: Vec<String> = domain_key.get_value("KdcNames").unwrap_or_default();
+        kdc_names.iter().map(|x| format!("tcp://{}:88", x)).collect()
     } else {
         Vec::new()
     }
@@ -57,15 +60,13 @@ pub fn detect_kdc_hosts(domain: &str) -> Vec<String> {
         return vec![kdc_url];
     }
 
-    let mut kdc_hosts = detect_kdc_hosts_from_system(domain);
+    let kdc_hosts = detect_kdc_hosts_from_system(domain);
 
     if !kdc_hosts.is_empty() {
         return kdc_hosts;
     }
 
-    kdc_hosts = detect_kdc_hosts_from_dns(domain);
-
-    return kdc_hosts;
+    detect_kdc_hosts_from_dns(domain)
 }
 
 pub fn detect_kdc_host(domain: &str) -> Option<String> {

src/lib.rs

@@ -90,6 +90,7 @@ pub use kdc::{detect_kdc_host, detect_kdc_url};
 pub use crate::sspi::kerberos::config::KerberosConfig;
 pub use crate::sspi::kerberos::{Kerberos, KERBEROS_VERSION, PACKAGE_INFO as KERBEROS_PACKAGE_INFO};
 pub use crate::sspi::negotiate::{Negotiate, NegotiateConfig};
+pub use crate::sspi::pku2u::{self, Pku2u, Pku2uConfig, PACKAGE_INFO as PKU2U_PACKAGE_INFO};
 #[cfg(windows)]
 pub use crate::sspi::winapi;
 pub use crate::sspi::{

src/sspi.rs

@@ -4,6 +4,7 @@ pub mod channel_bindings;
 pub mod internal;
 pub mod kerberos;
 pub mod negotiate;
+pub mod pku2u;
 #[cfg(windows)]
 pub mod winapi;
 
@@ -60,6 +61,7 @@ pub fn query_security_package_info(package_type: SecurityPackageType) -> Result<
         SecurityPackageType::Ntlm => Ok(ntlm::PACKAGE_INFO.clone()),
         SecurityPackageType::Kerberos => Ok(kerberos::PACKAGE_INFO.clone()),
         SecurityPackageType::Negotiate => Ok(negotiate::PACKAGE_INFO.clone()),
+        SecurityPackageType::Pku2u => Ok(pku2u::PACKAGE_INFO.clone()),
         SecurityPackageType::Other(s) => Err(Error::new(
             ErrorKind::Unknown,
             format!("Queried info about unknown package: {:?}", s),
@@ -1071,6 +1073,7 @@ pub enum SecurityPackageType {
     Ntlm,
     Kerberos,
     Negotiate,
+    Pku2u,
     Other(String),
 }
 
@@ -1080,6 +1083,7 @@ impl AsRef<str> for SecurityPackageType {
             SecurityPackageType::Ntlm => ntlm::PKG_NAME,
             SecurityPackageType::Kerberos => kerberos::PKG_NAME,
             SecurityPackageType::Negotiate => negotiate::PKG_NAME,
+            SecurityPackageType::Pku2u => pku2u::PKG_NAME,
             SecurityPackageType::Other(name) => name.as_str(),
         }
     }
@@ -1091,6 +1095,7 @@ impl string::ToString for SecurityPackageType {
             SecurityPackageType::Ntlm => ntlm::PKG_NAME.into(),
             SecurityPackageType::Kerberos => kerberos::PKG_NAME.into(),
             SecurityPackageType::Negotiate => negotiate::PKG_NAME.into(),
+            SecurityPackageType::Pku2u => pku2u::PKG_NAME.into(),
             SecurityPackageType::Other(name) => name.clone(),
         }
     }
@@ -1104,6 +1109,7 @@ impl str::FromStr for SecurityPackageType {
             ntlm::PKG_NAME => Ok(SecurityPackageType::Ntlm),
             kerberos::PKG_NAME => Ok(SecurityPackageType::Kerberos),
             negotiate::PKG_NAME => Ok(SecurityPackageType::Negotiate),
+            pku2u::PKG_NAME => Ok(SecurityPackageType::Pku2u),
             s => Ok(SecurityPackageType::Other(s.to_string())),
         }
     }
@@ -1513,6 +1519,31 @@ impl From<picky_krb::crypto::KerberosCryptoError> for Error {
                 error_type: ErrorKind::InvalidParameter,
                 description: description.to_string(),
             },
+            KerberosCryptoError::SeedBitLen(description) => Self {
+                error_type: ErrorKind::InvalidParameter,
+                description,
+            },
+            KerberosCryptoError::AlgorithmIdentifierData(identifier) => Self {
+                error_type: ErrorKind::InvalidParameter,
+                description: format!("unknown algorithm identifier: {:?}", identifier),
+            },
+        }
+    }
+}
+
+impl From<picky_krb::crypto::diffie_hellman::DiffieHellmanError> for Error {
+    fn from(error: picky_krb::crypto::diffie_hellman::DiffieHellmanError) -> Self {
+        use picky_krb::crypto::diffie_hellman::DiffieHellmanError;
+
+        match error {
+            DiffieHellmanError::BitLen(description) => Self {
+                error_type: ErrorKind::InternalError,
+                description,
+            },
+            error => Self {
+                error_type: ErrorKind::InternalError,
+                description: error.to_string(),
+            },
         }
     }
 }