feat(credssp): add Negotiate server support

Auth identity not required for inbound use. Also fix an error message Pku2u vs Ntlm. This is required for IronRDP#558. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Devolutions · Oct 24, 2024 · d38a106 · d38a106
1 parent b015d4d
commit d38a106
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 16 deletions.
diff --git a/src/credssp/mod.rs b/src/credssp/mod.rs
@@ -441,15 +441,9 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity>> CredSspServer<C> {
                 .take()
                 .expect("CredSsp client mode should never be empty")
             {
-                ClientMode::Negotiate(_) => {
-                    return Err(ServerError {
-                        ts_request,
-                        error: crate::Error::new(
-                            ErrorKind::UnsupportedFunction,
-                            "Negotiate module is not supported for the CredSsp server",
-                        ),
-                    })
-                }
+                ClientMode::Negotiate(neg_config) => Some(CredSspContext::new(SspiContext::Negotiate(
+                    try_cred_ssp_server!(Negotiate::new(neg_config), ts_request),
+                ))),
                 ClientMode::Kerberos(kerberos_config) => Some(CredSspContext::new(SspiContext::Kerberos(
                     try_cred_ssp_server!(Kerberos::new_server_from_config(kerberos_config), ts_request),
                 ))),

diff --git a/src/negotiate.rs b/src/negotiate.rs
@@ -421,15 +421,19 @@ impl SspiImpl for Negotiate {
                 kerberos.acquire_credentials_handle_impl(builder)?;
             }
             NegotiatedProtocol::Ntlm(ntlm) => {
-                let auth_identity = if let Some(Credentials::AuthIdentity(identity)) = builder.auth_data {
-                    identity
+                let auth_identity = if builder.credential_use == CredentialUse::Outbound {
+                    if let Some(Credentials::AuthIdentity(identity)) = builder.auth_data {
+                        Some(identity)
+                    } else {
+                        return Err(Error::new(
+                            ErrorKind::NoCredentials,
+                            "Auth identity is not provided for the Ntlm",
+                        ));
+                    }
                 } else {
-                    return Err(Error::new(
-                        ErrorKind::NoCredentials,
-                        "Auth identity is not provided for the Pku2u",
-                    ));
+                    None
                 };
-                let new_builder = builder.full_transform(Some(auth_identity));
+                let new_builder = builder.full_transform(auth_identity);
                 new_builder.execute(ntlm)?;
             }
         };