fix: Kerberos smart logon fixes (#147)

Devolutions · Aug 29, 2023 · 95f4d2d · 95f4d2d
1 parent 5ede955
commit 95f4d2d
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/src/cert_utils.rs b/src/cert_utils.rs
@@ -266,12 +266,12 @@ pub unsafe fn finalize_smart_card_info(cert_serial_number: &[u8]) -> Result<Smar
             }
         }
 
-        CryptReleaseContext(crypt_context_handle, 0);
-
         index += 1;
         is_first = false;
     }
 
+    CryptReleaseContext(crypt_context_handle, 0);
+
     Err(Error::new(ErrorKind::InternalError, "Cannot get smart card info"))
 }
 

diff --git a/src/credssp/sspi_cred_ssp/mod.rs b/src/credssp/sspi_cred_ssp/mod.rs
@@ -356,7 +356,7 @@ impl SspiImpl for SspiCredSsp {
                         .with_credentials_handle(builder.credentials_handle.take().ok_or_else(|| {
                             Error::new(ErrorKind::WrongCredentialHandle, "credentials handle is not present")
                         })?)
-                        .with_context_requirements(ClientRequestFlags::empty())
+                        .with_context_requirements(builder.context_requirements)
                         .with_target_data_representation(DataRepresentation::Native);
                 if let Some(target_name) = &builder.target_name {
                     inner_builder = inner_builder.with_target_name(target_name);

diff --git a/src/negotiate.rs b/src/negotiate.rs
@@ -481,6 +481,23 @@ impl SspiImpl for Negotiate {
             }
         }
 
+        #[cfg(feature = "scard")]
+        if let Some(Some(CredentialsBuffers::SmartCard(identity))) = builder.credentials_handle {
+            if let NegotiatedProtocol::Ntlm(_) = &self.protocol {
+                let username = crate::utils::bytes_to_utf16_string(&identity.username);
+                let host = detect_kdc_url(&get_client_principal_realm(&username, ""))
+                    .ok_or_else(|| Error::new(ErrorKind::NoAuthenticatingAuthority, "can not detect KDC url"))?;
+                info!("Negotiate: try Kerberos");
+
+                self.protocol =
+                    NegotiatedProtocol::Kerberos(Kerberos::new_client_from_config(crate::KerberosConfig {
+                        url: Some(host),
+                        network_client: self.network_client_factory.network_client(),
+                        hostname: Some(self.hostname.clone()),
+                    })?);
+            }
+        }
+
         if let NegotiatedProtocol::Kerberos(kerberos) = &mut self.protocol {
             match kerberos.initialize_security_context_impl(builder) {
                 Result::Err(Error {