Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kerberos smart card logon implementation #145

Merged
merged 26 commits into from
Aug 28, 2023
Merged

Kerberos smart card logon implementation #145

Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
d9aed48
feat(sspi): move generate_pa_datas_for_as_req and generate_signer_inf…
TheBestTvarynka Jul 18, 2023
6c71071
feat(pku2u): make check_if_empty macros exportable
TheBestTvarynka Jul 21, 2023
7f26a7b
feat(pku2u & pk_init): move pk-init related funtions into the pk_init…
TheBestTvarynka Jul 21, 2023
21a35ee
feat(kerberos): move pa_data generation into a separate module
TheBestTvarynka Jul 21, 2023
c931e95
feat(kerberos): add smart card credentials handling. refactor kerberos
TheBestTvarynka Jul 21, 2023
9187da3
feat(sspi): pk_init: improved pa-data structures generation;
TheBestTvarynka Jul 27, 2023
cced73c
feat(sspi): pku2u: generators: improve client dh parameter;
TheBestTvarynka Jul 27, 2023
5b1c23c
fix(sspi): kerberos: pa-data: session key extraction
TheBestTvarynka Jul 27, 2023
d29eb46
feat(sspi): kerberos: extractors: improve enc params extraction;
TheBestTvarynka Jul 27, 2023
27822c5
fix(sspi): pku2u: pa-data generation according to the changes in opti…
TheBestTvarynka Jul 27, 2023
83553e1
fix(sspi): kerberos: pa-data and session key generation
TheBestTvarynka Jul 27, 2023
0e8a4cb
feat(sspi): small refactoring. add more comments
TheBestTvarynka Jul 27, 2023
89bb963
feat(sspi): format code
TheBestTvarynka Jul 27, 2023
81a8abc
feat: improve conditional compilation with scard feature
TheBestTvarynka Jul 27, 2023
1b4ee9c
feat(pku2u): add more logs;
TheBestTvarynka Aug 9, 2023
a863737
feat(kerberos): fix authenticator generation. add more logs. remove g…
TheBestTvarynka Aug 9, 2023
8dae1c4
feat(sspi): pku2u: format code;
TheBestTvarynka Aug 13, 2023
ccb4068
feat(sspi): kerberos: format code. fix some clippy warnings;
TheBestTvarynka Aug 13, 2023
947266c
fix(sspi): kerberos: smart card object creation;
TheBestTvarynka Aug 14, 2023
db56624
feat(sspi): kerebros: fix clippy warnings;
TheBestTvarynka Aug 15, 2023
0736285
feat(sspi): pku2u: fix clippy warnings;
TheBestTvarynka Aug 15, 2023
cc12b0e
feat(sspi): pk_init: fix clippy warnings;
TheBestTvarynka Aug 15, 2023
8eea5ee
feat(sspi): pku2u: small refactoring;
TheBestTvarynka Aug 15, 2023
d1d2360
feat(sspi): kerberos: small refactoring. remove unneeded logs. improv…
TheBestTvarynka Aug 15, 2023
26ae03b
feat(sspi): remove unneeded PaDatas cloning
TheBestTvarynka Aug 28, 2023
468d74d
feat(sspi): set ClientRequestFlags::MUTUAL_AUTH flag in SspiCredSsp
TheBestTvarynka Aug 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/builders/accept_sec_context.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,8 @@ impl<
}

impl<'b, 'a: 'b, AuthData, CredsHandle> FilledAcceptSecurityContext<'a, AuthData, CredsHandle> {
/// Transforms the builder into new one with the other `AuthData` and `CredsHandle` types.
/// Useful when we need to pass the builder into the security package with other `AuthData` and `CredsHandle` types.
pub(crate) fn full_transform<CredsHandle2, AuthData2>(
self,
inner: SspiPackage<'a, CredsHandle2, AuthData2>,
Expand Down
2 changes: 2 additions & 0 deletions src/builders/acq_cred_handle.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,6 +132,8 @@ where
}

impl<'b, 'a: 'b, CredsHandle, AuthData> FilledAcquireCredentialsHandle<'a, CredsHandle, AuthData> {
/// Transforms the builder into new one with the other `AuthData` and `CredsHandle` types.
/// Useful when we need to pass the builder into the security package with other `AuthData` and `CredsHandle` types.
pub(crate) fn full_transform<NewCredsHandle, NewAuthData>(
self,
inner: SspiPackage<'a, NewCredsHandle, NewAuthData>,
Expand Down
4 changes: 4 additions & 0 deletions src/builders/init_sec_context.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,10 @@ impl<
&mut self.credentials_handle
}

pub fn credentials_handle(&mut self) -> &Option<&'a mut CredsHandle> {
&self.credentials_handle
}

pub fn new() -> Self {
Self {
phantom_creds_use_set: PhantomData,
Expand Down
1 change: 0 additions & 1 deletion src/cert_utils.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ unsafe fn find_raw_cert_by_thumbprint(thumbprint: &[u8], cert_store: *mut c_void

while !certificate.is_null() {
let cert_der = from_raw_parts((*certificate).pbCertEncoded, (*certificate).cbCertEncoded as usize);

let mut sha1 = Sha1::new();
sha1.update(cert_der);
let cert_thumbprint = sha1.finalize().to_vec();
Expand Down
4 changes: 2 additions & 2 deletions src/credssp/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -610,7 +610,7 @@ impl SspiImpl for SspiContext {
} else {
return Err(Error::new(
ErrorKind::NoCredentials,
"Auth identity is not provided for the Pku2u",
"Auth identity is not provided for the Ntlm",
));
};
builder
Expand Down Expand Up @@ -691,7 +691,7 @@ impl SspiImpl for SspiContext {
} else {
return Err(Error::new(
ErrorKind::NoCredentials,
"Auth identity is not provided for the Pku2u",
"Auth identity is not provided for the Ntlm",
));
};
builder.full_transform(ntlm, Some(&mut Some(auth_identity))).execute()
Expand Down
7 changes: 3 additions & 4 deletions src/kerberos/client/extractors.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,8 @@ pub fn extract_session_key_from_tgs_rep(
.decrypt(session_key, TGS_REP_ENC_SESSION_KEY, &tgs_rep.0.enc_part.0.cipher.0 .0)
.map_err(|e| Error::new(ErrorKind::InternalError, format!("{:?}", e)))?;

trace!(?enc_data, "Plain TgsRep::EncData");

let enc_as_rep_part: EncTgsRepPart = picky_asn1_der::from_bytes(&enc_data)?;

Ok(enc_as_rep_part.0.key.0.key_value.0.to_vec())
Expand Down Expand Up @@ -104,10 +106,7 @@ pub fn extract_encryption_params_from_as_rep(as_rep: &AsRep) -> Result<(u8, Stri
.ok_or_else(|| Error::new(ErrorKind::InternalError, "Missing salt in EtypeInto2Entry"))?,
))
}
None => Err(Error::new(
ErrorKind::NoPaData,
format!("Missing PaData: PA_ETYPE_INFO2 ({:0x?})", PA_ETYPE_INFO2_TYPE),
)),
None => Ok((*as_rep.0.enc_part.0.etype.0 .0.first().unwrap(), Default::default())),
}
}

Expand Down
2 changes: 1 addition & 1 deletion src/kerberos/client/generators.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,7 +232,7 @@ pub fn generate_as_req_kdc_body(options: &GenerateAsReqOptions) -> Result<KdcReq
}

#[instrument(level = "debug", ret, skip_all)]
pub fn generate_as_req(pa_datas: &[PaData], kdc_req_body: KdcReqBody) -> AsReq {
pub fn generate_as_req(pa_datas: Vec<PaData>, kdc_req_body: KdcReqBody) -> AsReq {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What motivates this change? Maybe a to_owned or to_vec can be removed somewhere below.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For every Kerberos AS exchange, we are using the pa_data::AsReqPaDataOptions::generate method to create needed PaDatas. They are never reused in our code. We generate new ones for every AS exchange. So, I changed this function signature to accept the owned PaDatas.

yes, .to_owned() can be removed below. I forgot about it during the refactoring.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed unneeded .to_owned()

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good!

AsReq::from(KdcReq {
pvno: ExplicitContextTag1::from(IntegerAsn1::from(vec![KERBEROS_VERSION])),
msg_type: ExplicitContextTag2::from(IntegerAsn1::from(vec![AS_REQ_MSG_TYPE])),
Expand Down
Loading