TSSSP module

Cargo.toml

@@ -55,6 +55,8 @@ trust-dns-resolver = { version = "0.21.2", optional = true }
 portpicker = { version = "0.1.1", optional = true }
 num-bigint-dig = "0.8.1"
 tracing = { version = "0.1.37" }
+
+[target.'cfg(not(wasm))'.dependencies]
 rustls = { version = "0.20.7", features = ["dangerous_configuration"] }
 
 [target.'cfg(windows)'.dependencies]

ffi/src/sec_winnt_auth_identity.rs

@@ -124,7 +124,7 @@ pub struct CredSspCred {
 }
 
 #[cfg(not(target_os = "windows"))]
-pub unsafe fn unpack_sec_winnt_auth_identity_ex2_a(_p_auth_data: *const c_void) -> Result<AuthIdentityBuffers> {
+pub fn unpack_sec_winnt_auth_identity_ex2_a(_p_auth_data: *const c_void) -> Result<AuthIdentityBuffers> {
     Err(Error::new(
         ErrorKind::UnsupportedFunction,
         "SecWinntIdentityEx2 is not supported on non Windows systems".into(),
@@ -133,17 +133,20 @@ pub unsafe fn unpack_sec_winnt_auth_identity_ex2_a(_p_auth_data: *const c_void)
 
 #[cfg(target_os = "windows")]
 unsafe fn get_sec_winnt_auth_identity_ex2_a_size(p_auth_data: *const c_void) -> u32 {
+    // username length is placed after the first 8 bytes
     let user_len_ptr = (p_auth_data as *const u16).add(4);
     let user_buffer_len = *user_len_ptr as u32;
 
+    // domain length is placed after 16 bytes from the username length
     let domain_len_ptr = user_len_ptr.add(8);
     let domain_buffer_len = *domain_len_ptr as u32;
 
+    // packet credentials length is placed after 16 bytes from the domain length
     let creds_len_ptr = domain_len_ptr.add(8);
     let creds_buffer_len = *creds_len_ptr as u32;
 
     // header size + buffers size
-    64 /* size of SEC_WINNT_AUTH_IDENTITY_EX2 */ + user_buffer_len + domain_buffer_len + creds_buffer_len
+    64 /* size of the SEC_WINNT_AUTH_IDENTITY_EX2 */ + user_buffer_len + domain_buffer_len + creds_buffer_len
 }
 
 #[cfg(target_os = "windows")]
@@ -227,7 +230,7 @@ pub unsafe fn unpack_sec_winnt_auth_identity_ex2_a(p_auth_data: *const c_void) -
 }
 
 #[cfg(not(target_os = "windows"))]
-pub unsafe fn unpack_sec_winnt_auth_identity_ex2_w(_p_auth_data: *const c_void) -> Result<AuthIdentityBuffers> {
+pub fn unpack_sec_winnt_auth_identity_ex2_w(_p_auth_data: *const c_void) -> Result<AuthIdentityBuffers> {
     Err(Error::new(
         ErrorKind::UnsupportedFunction,
         "SecWinntIdentityEx2 is not supported on non Windows systems".into(),

ffi/src/security_tables.rs

@@ -55,7 +55,9 @@ pub struct SecurityFunctionTableA {
     pub VerifySignature: VerifySignatureFn,
     pub FreeContextBuffer: FreeContextBufferFn,
     pub QuerySecurityPackageInfoA: QuerySecurityPackageInfoFnA,
+    // In the Windows sspicli.dll, the `Reserved3` field is used as EncryptFunction
     pub Reserved3: EncryptMessageFn,
+    // In the Windows sspicli.dll, the `Reserved4` field is used as DecryptFunction
     pub Reserved4: DecryptMessageFn,
     pub ExportSecurityContext: ExportSecurityContextFn,
     pub ImportSecurityContextA: ImportSecurityContextFnA,
@@ -94,7 +96,9 @@ pub struct SecurityFunctionTableW {
     pub VerifySignature: VerifySignatureFn,
     pub FreeContextBuffer: FreeContextBufferFn,
     pub QuerySecurityPackageInfoW: QuerySecurityPackageInfoFnW,
+    // In the Windows sspicli.dll, the `Reserved3` field is used as EncryptFunction
     pub Reserved3: EncryptMessageFn,
+    // In the Windows sspicli.dll, the `Reserved4` field is used as DecryptFunction
     pub Reserved4: DecryptMessageFn,
     pub ExportSecurityContext: ExportSecurityContextFn,
     pub ImportSecurityContextW: ImportSecurityContextFnW,

src/credssp/sspi_cred_ssp/mod.rs

@@ -1,3 +1,4 @@
+#[cfg(not(target = "wasm32-unknown-unknown"))]
 mod tls_connection;
 
 use std::sync::Arc;
@@ -8,7 +9,8 @@ use rand::rngs::OsRng;
 use rand::Rng;
 use rustls::{ClientConfig, ClientConnection, Connection, ServerConfig, ServerConnection};
 
-use self::tls_connection::{TlsConnection, TLS_PACKET_HEADER_LEN};
+#[cfg(not(target = "wasm32-unknown-unknown"))]
+use self::tls_connection::{danger, TlsConnection, TLS_PACKET_HEADER_LEN};
 use super::ts_request::NONCE_SIZE;
 use super::{CredSspContext, CredSspMode, EndpointType, SspiContext, TsRequest};
 use crate::builders::EmptyInitializeSecurityContext;
@@ -33,34 +35,6 @@ lazy_static! {
     };
 }
 
-// [Processing Events and Sequencing Rules](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cssp/385a7489-d46b-464c-b224-f7340e308a5c)
-// The CredSSP server does not request the client's X.509 certificate (thus far, the client is anonymous).
-// Also, the CredSSP Protocol does not require the client to have a commonly trusted certification authority root with the CredSSP server.
-//
-// This configuration just accepts any certificate
-pub mod danger {
-    use std::time::SystemTime;
-
-    use rustls::client::{ServerCertVerified, ServerCertVerifier};
-    use rustls::{Certificate, Error, ServerName};
-
-    pub struct NoCertificateVerification;
-
-    impl ServerCertVerifier for NoCertificateVerification {
-        fn verify_server_cert(
-            &self,
-            _end_entity: &Certificate,
-            _intermediates: &[Certificate],
-            _server_name: &ServerName,
-            _scts: &mut dyn Iterator<Item = &[u8]>,
-            _ocsp_response: &[u8],
-            _now: SystemTime,
-        ) -> Result<ServerCertVerified, Error> {
-            Ok(rustls::client::ServerCertVerified::assertion())
-        }
-    }
-}
-
 #[derive(Debug, Clone)]
 enum CredSspState {
     Tls,
@@ -80,50 +54,62 @@ pub struct SspiCredSsp {
 
 impl SspiCredSsp {
     pub fn new_client(sspi_context: SspiContext) -> Result<Self> {
-        // "stub_string" - we don't check the server's certificate validity so we can use any server name
-        let example_com = "stub_string".try_into().unwrap();
-        let client_config = ClientConfig::builder()
-            .with_safe_defaults()
-            .with_custom_certificate_verifier(Arc::new(danger::NoCertificateVerification))
-            .with_no_client_auth();
-        let config = Arc::new(client_config);
-
-        Ok(Self {
-            state: CredSspState::Tls,
-            cred_ssp_context: Box::new(CredSspContext::new(sspi_context)),
-            auth_identity: None,
-            tls_connection: TlsConnection::Rustls(Connection::Client(
-                ClientConnection::new(config, example_com)
-                    .map_err(|err| Error::new(ErrorKind::InternalError, err.to_string()))?,
-            )),
-            nonce: Some(OsRng::default().gen::<[u8; NONCE_SIZE]>()),
-        })
+        cfg_if::cfg_if! {
+            if #[cfg(not(target = "wasm32-unknown-unknown"))] {
+                // "stub_string" - we don't check the server's certificate validity so we can use any server name
+                let example_com = "stub_string".try_into().unwrap();
+                let client_config = ClientConfig::builder()
+                    .with_safe_defaults()
+                    .with_custom_certificate_verifier(Arc::new(danger::NoCertificateVerification))
+                    .with_no_client_auth();
+                let config = Arc::new(client_config);
+
+                Ok(Self {
+                    state: CredSspState::Tls,
+                    cred_ssp_context: Box::new(CredSspContext::new(sspi_context)),
+                    auth_identity: None,
+                    tls_connection: TlsConnection::Rustls(Connection::Client(
+                        ClientConnection::new(config, example_com)
+                            .map_err(|err| Error::new(ErrorKind::InternalError, err.to_string()))?,
+                    )),
+                    nonce: Some(OsRng::default().gen::<[u8; NONCE_SIZE]>()),
+                })
+            } else {
+                Err(Error::new(ErrorKind::Unsupported, "SspiCredSsp is not supported on wasm".into()))
+            }
+        }
     }
 
     /// * `sspi_context` is a security package that will be used for authorization
     /// * `certificates` is a vector of DER-encoded X.509 certificates
     /// * `private_key` is a raw private key. it is DER-encoded ASN.1 in either PKCS#8 or PKCS#1 format.
     pub fn new_server(sspi_context: SspiContext, certificates: Vec<Vec<u8>>, private_key: Vec<u8>) -> Result<Self> {
-        let server_config = ServerConfig::builder()
-            .with_safe_defaults()
-            .with_no_client_auth()
-            .with_single_cert(
-                certificates.into_iter().map(rustls::Certificate).collect(),
-                rustls::PrivateKey(private_key),
-            )
-            .map_err(|err| Error::new(ErrorKind::InternalError, err.to_string()))?;
-        let config = Arc::new(server_config);
-
-        Ok(Self {
-            state: CredSspState::Tls,
-            cred_ssp_context: Box::new(CredSspContext::new(sspi_context)),
-            auth_identity: None,
-            tls_connection: TlsConnection::Rustls(Connection::Server(
-                ServerConnection::new(config).map_err(|err| Error::new(ErrorKind::InternalError, err.to_string()))?,
-            )),
-            // nonce for the server will be in the incoming TsRequest
-            nonce: None,
-        })
+        cfg_if::cfg_if! {
+            if #[cfg(not(target = "wasm32-unknown-unknown"))] {
+                let server_config = ServerConfig::builder()
+                    .with_safe_defaults()
+                    .with_no_client_auth()
+                    .with_single_cert(
+                        certificates.into_iter().map(rustls::Certificate).collect(),
+                        rustls::PrivateKey(private_key),
+                    )
+                    .map_err(|err| Error::new(ErrorKind::InternalError, err.to_string()))?;
+                let config = Arc::new(server_config);
+
+                Ok(Self {
+                    state: CredSspState::Tls,
+                    cred_ssp_context: Box::new(CredSspContext::new(sspi_context)),
+                    auth_identity: None,
+                    tls_connection: TlsConnection::Rustls(Connection::Server(
+                        ServerConnection::new(config).map_err(|err| Error::new(ErrorKind::InternalError, err.to_string()))?,
+                    )),
+                    // nonce for the server will be in the incoming TsRequest
+                    nonce: None,
+                })
+            } else {
+                Err(Error::new(ErrorKind::Unsupported, "SspiCredSsp is not supported on wasm".into()))
+            }
+        }
     }
 
     fn raw_peer_public_key(&mut self) -> Result<Vec<u8>> {

src/credssp/sspi_cred_ssp/tls_connection.rs

@@ -14,6 +14,34 @@ pub const TLS_PACKET_HEADER_LEN: usize = 1 /* ContentType */ + 2 /* ProtocolVers
 // The block size of the AES cipher is 128 bits
 const AES_BLOCK_SIZE: usize = 16;
 
+// [Processing Events and Sequencing Rules](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cssp/385a7489-d46b-464c-b224-f7340e308a5c)
+// The CredSSP server does not request the client's X.509 certificate (thus far, the client is anonymous).
+// Also, the CredSSP Protocol does not require the client to have a commonly trusted certification authority root with the CredSSP server.
+//
+// This configuration just accepts any certificate
+pub mod danger {
+    use std::time::SystemTime;
+
+    use rustls::client::{ServerCertVerified, ServerCertVerifier};
+    use rustls::{Certificate, Error, ServerName};
+
+    pub struct NoCertificateVerification;
+
+    impl ServerCertVerifier for NoCertificateVerification {
+        fn verify_server_cert(
+            &self,
+            _end_entity: &Certificate,
+            _intermediates: &[Certificate],
+            _server_name: &ServerName,
+            _scts: &mut dyn Iterator<Item = &[u8]>,
+            _ocsp_response: &[u8],
+            _now: SystemTime,
+        ) -> Result<ServerCertVerified, Error> {
+            Ok(rustls::client::ServerCertVerified::assertion())
+        }
+    }
+}
+
 #[derive(Debug)]
 pub enum TlsConnection {
     Rustls(Connection),