Devolutions · CBenoit · Jan 31, 2023 · Dec 16, 2022 · Dec 16, 2022 · Dec 16, 2022
diff --git a/Cargo.toml b/Cargo.toml
@@ -24,6 +24,8 @@ exclude = [
 default = []
 network_client = ["dep:reqwest", "dep:portpicker"]
 dns_resolver = ["dep:trust-dns-resolver"]
+# TSSSP should be used only on Windows as a native CREDSSP replacement
+tsssp = ["dep:rustls"]
 
 [dependencies]
 byteorder = "1.2.7"
@@ -55,9 +57,7 @@ trust-dns-resolver = { version = "0.21.2", optional = true }
 portpicker = { version = "0.1.1", optional = true }
 num-bigint-dig = "0.8.1"
 tracing = { version = "0.1.37" }
-
-[target.'cfg(not(wasm))'.dependencies]
-rustls = { version = "0.20.7", features = ["dangerous_configuration"] }
+rustls = { version = "0.20.7", features = ["dangerous_configuration"], optional = true }
 
 [target.'cfg(windows)'.dependencies]
 winreg = "0.10"

diff --git a/ffi/Cargo.toml b/ffi/Cargo.toml
@@ -14,17 +14,18 @@ crate-type = ["cdylib"]
 
 [features]
 debug_mode = ["dep:tracing", "dep:tracing-subscriber"]
+tsssp = ["sspi/tsssp"]
 
 [dependencies]
 cfg-if = "0.1"
-sspi = { path = "..", features = ["network_client", "dns_resolver"] }
 libc = "0.2"
 num-traits = "0.2"
 whoami = "1.2.3"
 
 # For debugging only
 tracing = { version = "0.1.37", optional = true }
 tracing-subscriber = { version = "0.3.16", features = ["std", "fmt", "local-time", "env-filter"], optional = true }
+sspi = { path = "..", features = ["network_client", "dns_resolver"] }
 
 [target.'cfg(windows)'.dependencies]
 symbol-rename-macro = { path = "./symbol-rename-macro" }

diff --git a/ffi/src/sec_handle.rs b/ffi/src/sec_handle.rs
@@ -5,8 +5,11 @@ use std::slice::from_raw_parts;
 use libc::{c_ulong, c_ulonglong, c_void};
 use num_traits::{FromPrimitive, ToPrimitive};
 use sspi::builders::{ChangePasswordBuilder, EmptyInitializeSecurityContext};
+#[cfg(feature = "tsssp")]
 use sspi::credssp::sspi_cred_ssp::SspiCredSsp;
-use sspi::credssp::{sspi_cred_ssp, SspiContext};
+#[cfg(feature = "tsssp")]
+use sspi::credssp::sspi_cred_ssp;
+use sspi::credssp::SspiContext;
 use sspi::kerberos::config::KerberosConfig;
 use sspi::network_client::reqwest_network_client::{RequestClientFactory, ReqwestNetworkClient};
 use sspi::ntlm::NtlmConfig;
@@ -34,15 +37,14 @@ use crate::credentials_attributes::{
 use crate::sec_buffer::{copy_to_c_sec_buffer, p_sec_buffers_to_security_buffers, PSecBuffer, PSecBufferDesc};
 use crate::sec_pkg_info::{SecNegoInfoA, SecNegoInfoW, SecPkgInfoA, SecPkgInfoW};
 use crate::sec_winnt_auth_identity::{
-    unpack_sec_winnt_auth_identity_ex2_a, unpack_sec_winnt_auth_identity_ex2_w, CredSspCred, SecWinntAuthIdentityA,
-    SecWinntAuthIdentityExA, SecWinntAuthIdentityExW, SecWinntAuthIdentityW, SEC_WINNT_AUTH_IDENTITY_VERSION,
+    auth_data_to_identity_buffers,
 };
 use crate::sspi_data_types::{
     CertTrustStatus, LpStr, LpcWStr, PSecurityString, PTimeStamp, SecChar, SecGetKeyFn, SecPkgContextConnectionInfo,
     SecPkgContextFlags, SecPkgContextSizes, SecPkgContextStreamSizes, SecWChar, SecurityStatus,
 };
 use crate::utils::{
-    c_w_str_to_string, into_raw_ptr, raw_str_into_bytes, raw_w_str_to_bytes, transform_credentials_handle,
+    c_w_str_to_string, into_raw_ptr, transform_credentials_handle,
 };
 
 pub const SECPKG_NEGOTIATION_COMPLETE: u32 = 0;
@@ -160,6 +162,7 @@ pub(crate) unsafe fn p_ctxt_handle_to_sspi_context(
                 }
             }
             ntlm::PKG_NAME => SspiContext::Ntlm(Ntlm::new()),
+            #[cfg(feature = "tsssp")]
             sspi_cred_ssp::PKG_NAME => SspiContext::CredSsp(SspiCredSsp::new_client(SspiContext::Negotiate(
                 create_negotiate_context(attributes)?,
             ))?),
@@ -202,34 +205,9 @@ pub unsafe extern "system" fn AcquireCredentialsHandleA(
         let security_package_name =
             try_execute!(CStr::from_ptr(psz_package).to_str(), ErrorKind::InvalidParameter).to_owned();
 
-        let auth_version = *p_auth_data.cast::<u32>();
         let mut package_list: Option<String> = None;
 
-        let credentials = if security_package_name == sspi_cred_ssp::PKG_NAME {
-            let credssp_cred = p_auth_data.cast::<CredSspCred>().as_ref().unwrap();
-
-            try_execute!(unpack_sec_winnt_auth_identity_ex2_a(credssp_cred.p_spnego_cred))
-        } else if auth_version == SEC_WINNT_AUTH_IDENTITY_VERSION {
-            let auth_data = p_auth_data.cast::<SecWinntAuthIdentityExA>();
-            if !(*auth_data).package_list.is_null() && (*auth_data).package_list_length > 0 {
-                package_list = Some(String::from_utf16_lossy(from_raw_parts(
-                    (*auth_data).package_list as *const u16,
-                    (*auth_data).package_list_length as usize)
-                ));
-            }
-            AuthIdentityBuffers {
-                user: raw_str_into_bytes((*auth_data).user, (*auth_data).user_length as usize * 2),
-                domain: raw_str_into_bytes((*auth_data).domain, (*auth_data).domain_length as usize * 2),
-                password: raw_str_into_bytes((*auth_data).password, (*auth_data).password_length as usize * 2),
-            }
-        } else {
-            let auth_data = p_auth_data.cast::<SecWinntAuthIdentityA>();
-            AuthIdentityBuffers {
-                user: raw_str_into_bytes((*auth_data).user, (*auth_data).user_length as usize * 2),
-                domain: raw_str_into_bytes((*auth_data).domain, (*auth_data).domain_length as usize * 2),
-                password: raw_str_into_bytes((*auth_data).password, (*auth_data).password_length as usize * 2),
-            }
-        };
+        let credentials = try_execute!(auth_data_to_identity_buffers(&security_package_name, p_auth_data, &mut package_list));
 
         (*ph_credential).dw_lower = into_raw_ptr(CredentialsHandle {
             credentials,
@@ -274,37 +252,9 @@ pub unsafe extern "system" fn AcquireCredentialsHandleW(
 
         let security_package_name = c_w_str_to_string(psz_package);
 
-        let auth_version = *p_auth_data.cast::<u32>();
         let mut package_list: Option<String> = None;
 
-        let credentials = if security_package_name == sspi_cred_ssp::PKG_NAME {
-            let credssp_cred = p_auth_data.cast::<CredSspCred>().as_ref().unwrap();
-
-            try_execute!(unpack_sec_winnt_auth_identity_ex2_w(credssp_cred.p_spnego_cred))
-        } else if auth_version == SEC_WINNT_AUTH_IDENTITY_VERSION {
-            let auth_data = p_auth_data.cast::<SecWinntAuthIdentityExW>();
-
-            if !(*auth_data).package_list.is_null() && (*auth_data).package_list_length > 0 {
-                package_list = Some(String::from_utf16_lossy(from_raw_parts(
-                    (*auth_data).package_list as *const u16,
-                    (*auth_data).package_list_length as usize)
-                ));
-            }
-
-            AuthIdentityBuffers {
-                user: raw_w_str_to_bytes((*auth_data).user, (*auth_data).user_length as usize),
-                domain: raw_w_str_to_bytes((*auth_data).domain, (*auth_data).domain_length as usize),
-                password: raw_w_str_to_bytes((*auth_data).password, (*auth_data).password_length as usize),
-            }
-        } else {
-            let auth_data = p_auth_data.cast::<SecWinntAuthIdentityW>();
-
-            AuthIdentityBuffers {
-                user: raw_w_str_to_bytes((*auth_data).user, (*auth_data).user_length as usize),
-                domain: raw_w_str_to_bytes((*auth_data).domain, (*auth_data).domain_length as usize),
-                password: raw_w_str_to_bytes((*auth_data).password, (*auth_data).password_length as usize),
-            }
-        };
+        let credentials = try_execute!(auth_data_to_identity_buffers(&security_package_name, p_auth_data, &mut package_list));
 
         (*ph_credential).dw_lower = into_raw_ptr(CredentialsHandle {
             credentials,

diff --git a/ffi/src/sec_winnt_auth_identity.rs b/ffi/src/sec_winnt_auth_identity.rs
@@ -1,10 +1,12 @@
+use std::slice::from_raw_parts;
+
 use libc::{c_char, c_ushort, c_void};
 use sspi::{AuthIdentityBuffers, Error, ErrorKind, Result};
 #[cfg(windows)]
 use symbol_rename_macro::rename_symbol;
 
 use crate::sspi_data_types::{SecWChar, SecurityStatus};
-use crate::utils::{c_w_str_to_string, into_raw_ptr};
+use crate::utils::{c_w_str_to_string, into_raw_ptr, raw_str_into_bytes};
 
 pub const SEC_WINNT_AUTH_IDENTITY_ANSI: u32 = 0x1;
 pub const SEC_WINNT_AUTH_IDENTITY_UNICODE: u32 = 0x2;
@@ -123,6 +125,39 @@ pub struct CredSspCred {
     pub p_spnego_cred: *const c_void,
 }
 
+pub unsafe fn auth_data_to_identity_buffers(_security_package_name: &str, p_auth_data: *const c_void, package_list: &mut Option<String>) -> Result<AuthIdentityBuffers> {
+    #[cfg(feature = "tsssp")]
+    if _security_package_name == sspi::credssp::sspi_cred_ssp::PKG_NAME {
+        let credssp_cred = p_auth_data.cast::<CredSspCred>().as_ref().unwrap();
+
+        return unpack_sec_winnt_auth_identity_ex2_a(credssp_cred.p_spnego_cred);
+    }
+
+    let auth_version = *p_auth_data.cast::<u32>();
+
+    if auth_version == SEC_WINNT_AUTH_IDENTITY_VERSION {
+        let auth_data = p_auth_data.cast::<SecWinntAuthIdentityExA>();
+        if !(*auth_data).package_list.is_null() && (*auth_data).package_list_length > 0 {
+            *package_list = Some(String::from_utf16_lossy(from_raw_parts(
+                (*auth_data).package_list as *const u16,
+                (*auth_data).package_list_length as usize)
+            ));
+        }
+        Ok(AuthIdentityBuffers {
+            user: raw_str_into_bytes((*auth_data).user, (*auth_data).user_length as usize * 2),
+            domain: raw_str_into_bytes((*auth_data).domain, (*auth_data).domain_length as usize * 2),
+            password: raw_str_into_bytes((*auth_data).password, (*auth_data).password_length as usize * 2),
+        })
+    } else {
+        let auth_data = p_auth_data.cast::<SecWinntAuthIdentityA>();
+        Ok(AuthIdentityBuffers {
+            user: raw_str_into_bytes((*auth_data).user, (*auth_data).user_length as usize * 2),
+            domain: raw_str_into_bytes((*auth_data).domain, (*auth_data).domain_length as usize * 2),
+            password: raw_str_into_bytes((*auth_data).password, (*auth_data).password_length as usize * 2),
+        })
+    }
+}
+
 #[cfg(not(target_os = "windows"))]
 pub fn unpack_sec_winnt_auth_identity_ex2_a(_p_auth_data: *const c_void) -> Result<AuthIdentityBuffers> {
     Err(Error::new(

diff --git a/src/credssp/mod.rs b/src/credssp/mod.rs
@@ -5,6 +5,7 @@ cfg_if::cfg_if! {
         mod ts_request;
     }
 }
+#[cfg(feature = "tsssp")]
 pub mod sspi_cred_ssp;
 
 use std::io;
@@ -17,6 +18,7 @@ use rand::Rng;
 pub use ts_request::TsRequest;
 use ts_request::{NONCE_SIZE, TS_REQUEST_VERSION};
 
+#[cfg(feature = "tsssp")]
 use self::sspi_cred_ssp::SspiCredSsp;
 use crate::builders::{ChangePassword, EmptyInitializeSecurityContext};
 use crate::crypto::compute_sha256;
@@ -558,6 +560,7 @@ pub enum SspiContext {
     Kerberos(Kerberos),
     Negotiate(Negotiate),
     Pku2u(Pku2u),
+    #[cfg(feature = "tsssp")]
     CredSsp(SspiCredSsp),
 }
 
@@ -574,6 +577,7 @@ impl SspiImpl for SspiContext {
             SspiContext::Kerberos(kerberos) => builder.transform(kerberos).execute(),
             SspiContext::Negotiate(negotiate) => builder.transform(negotiate).execute(),
             SspiContext::Pku2u(pku2u) => builder.transform(pku2u).execute(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => builder.transform(credssp).execute(),
         }
     }
@@ -587,6 +591,7 @@ impl SspiImpl for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.initialize_security_context_impl(builder),
             SspiContext::Negotiate(negotiate) => negotiate.initialize_security_context_impl(builder),
             SspiContext::Pku2u(pku2u) => pku2u.initialize_security_context_impl(builder),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.initialize_security_context_impl(builder),
         }
     }
@@ -600,6 +605,7 @@ impl SspiImpl for SspiContext {
             SspiContext::Kerberos(kerberos) => builder.transform(kerberos).execute(),
             SspiContext::Negotiate(negotiate) => builder.transform(negotiate).execute(),
             SspiContext::Pku2u(pku2u) => builder.transform(pku2u).execute(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => builder.transform(credssp).execute(),
         }
     }
@@ -612,6 +618,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.complete_auth_token(token),
             SspiContext::Negotiate(negotiate) => negotiate.complete_auth_token(token),
             SspiContext::Pku2u(pku2u) => pku2u.complete_auth_token(token),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.complete_auth_token(token),
         }
     }
@@ -627,6 +634,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.encrypt_message(flags, message, sequence_number),
             SspiContext::Negotiate(negotiate) => negotiate.encrypt_message(flags, message, sequence_number),
             SspiContext::Pku2u(pku2u) => pku2u.encrypt_message(flags, message, sequence_number),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.encrypt_message(flags, message, sequence_number),
         }
     }
@@ -641,6 +649,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.decrypt_message(message, sequence_number),
             SspiContext::Negotiate(negotiate) => negotiate.decrypt_message(message, sequence_number),
             SspiContext::Pku2u(pku2u) => pku2u.decrypt_message(message, sequence_number),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.decrypt_message(message, sequence_number),
         }
     }
@@ -651,6 +660,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.query_context_sizes(),
             SspiContext::Negotiate(negotiate) => negotiate.query_context_sizes(),
             SspiContext::Pku2u(pku2u) => pku2u.query_context_sizes(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.query_context_sizes(),
         }
     }
@@ -661,6 +671,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.query_context_names(),
             SspiContext::Negotiate(negotiate) => negotiate.query_context_names(),
             SspiContext::Pku2u(pku2u) => pku2u.query_context_names(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.query_context_names(),
         }
     }
@@ -671,6 +682,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.query_context_stream_sizes(),
             SspiContext::Negotiate(negotiate) => negotiate.query_context_stream_sizes(),
             SspiContext::Pku2u(pku2u) => pku2u.query_context_stream_sizes(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.query_context_stream_sizes(),
         }
     }
@@ -681,6 +693,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.query_context_package_info(),
             SspiContext::Negotiate(negotiate) => negotiate.query_context_package_info(),
             SspiContext::Pku2u(pku2u) => pku2u.query_context_package_info(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.query_context_package_info(),
         }
     }
@@ -691,6 +704,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.query_context_cert_trust_status(),
             SspiContext::Negotiate(negotiate) => negotiate.query_context_cert_trust_status(),
             SspiContext::Pku2u(pku2u) => pku2u.query_context_cert_trust_status(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.query_context_cert_trust_status(),
         }
     }
@@ -701,6 +715,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.query_context_remote_cert(),
             SspiContext::Negotiate(negotiate) => negotiate.query_context_remote_cert(),
             SspiContext::Pku2u(pku2u) => pku2u.query_context_remote_cert(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.query_context_remote_cert(),
         }
     }
@@ -711,6 +726,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.query_context_negotiation_package(),
             SspiContext::Negotiate(negotiate) => negotiate.query_context_negotiation_package(),
             SspiContext::Pku2u(pku2u) => pku2u.query_context_negotiation_package(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.query_context_negotiation_package(),
         }
     }
@@ -721,6 +737,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.query_context_connection_info(),
             SspiContext::Negotiate(negotiate) => negotiate.query_context_connection_info(),
             SspiContext::Pku2u(pku2u) => pku2u.query_context_connection_info(),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.query_context_connection_info(),
         }
     }
@@ -731,6 +748,7 @@ impl Sspi for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.change_password(change_password),
             SspiContext::Negotiate(negotiate) => negotiate.change_password(change_password),
             SspiContext::Pku2u(pku2u) => pku2u.change_password(change_password),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.change_password(change_password),
         }
     }
@@ -743,6 +761,7 @@ impl SspiEx for SspiContext {
             SspiContext::Kerberos(kerberos) => kerberos.custom_set_auth_identity(identity),
             SspiContext::Negotiate(negotiate) => negotiate.custom_set_auth_identity(identity),
             SspiContext::Pku2u(pku2u) => pku2u.custom_set_auth_identity(identity),
+            #[cfg(feature = "tsssp")]
             SspiContext::CredSsp(credssp) => credssp.custom_set_auth_identity(identity),
         }
     }