test(sspi): add client-server smoke test (#407)

TheBestTvarynka · web-flow · commit 193f92a0fd73 · 2025-03-27T11:54:27.000-04:00
diff --git a/src/credssp/mod.rs b/src/credssp/mod.rs
@@ -125,7 +125,7 @@ impl EarlyUserAuthResult {
         EarlyUserAuthResult::from_u32(result).ok_or_else(|| {
             io::Error::new(
                 io::ErrorKind::InvalidData,
-                format!("Got invalid Early User Authorization Result: {:x}", result),
+                format!("got invalid Early User Authorization Result: {:x}", result),
             )
         })
     }
@@ -345,7 +345,7 @@ impl CredSspClient {
                 let pub_key_auth = ts_request.pub_key_auth.take().ok_or_else(|| {
                     crate::Error::new(
                         crate::ErrorKind::InvalidToken,
-                        String::from("Expected an encrypted public key"),
+                        String::from("expected an encrypted public key"),
                     )
                 })?;
                 let peer_version = self
@@ -480,7 +480,7 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity>> CredSspServer<C> {
                     ts_request.auth_info.take().ok_or_else(|| {
                         crate::Error::new(
                             crate::ErrorKind::InvalidToken,
-                            String::from("Expected an encrypted ts credentials"),
+                            String::from("expected an encrypted ts credentials"),
                         )
                     }),
                     ts_request
@@ -558,13 +558,13 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity>> CredSspServer<C> {
                             ts_request.pub_key_auth.take().ok_or_else(|| {
                                 crate::Error::new(
                                     crate::ErrorKind::InvalidToken,
-                                    String::from("Expected an encrypted public key"),
+                                    String::from("expected an encrypted public key"),
                                 )
                             }),
                             ts_request
                         );
                         let peer_version = self.context.as_ref().unwrap().peer_version.expect(
-                            "An decrypt public key server function cannot be fired without any incoming TSRequest",
+                            "an decrypt public key server function cannot be fired without any incoming TSRequest",
                         );
                         try_cred_ssp_server!(
                             self.context.as_mut().unwrap().decrypt_public_key(
@@ -641,16 +641,18 @@ impl SspiImpl for SspiContext {
     ) -> crate::Result<AcquireCredentialsHandleResult<Self::CredentialsHandle>> {
         Ok(match self {
             SspiContext::Ntlm(ntlm) => {
-                let auth_identity = if let Some(Credentials::AuthIdentity(identity)) = builder.auth_data {
-                    identity
-                } else {
-                    return Err(Error::new(
-                        ErrorKind::NoCredentials,
-                        "Auth identity is not provided for the Ntlm",
-                    ));
+                let auth_identity = match builder.auth_data {
+                    Some(Credentials::AuthIdentity(identity)) => Some(identity),
+                    Some(_) => {
+                        return Err(Error::new(
+                            ErrorKind::UnknownCredentials,
+                            "only password-based auth is supported in NTLM",
+                        ))
+                    }
+                    None => None,
                 };
                 builder
-                    .full_transform(Some(auth_identity))
+                    .full_transform(auth_identity)
                     .execute(ntlm)?
                     .transform_credentials_handle(&|a: Option<AuthIdentityBuffers>| {
                         a.map(CredentialsBuffers::AuthIdentity)
@@ -664,7 +666,7 @@ impl SspiImpl for SspiContext {
                 } else {
                     return Err(Error::new(
                         ErrorKind::NoCredentials,
-                        "Auth identity is not provided for the Pku2u",
+                        "auth identity is not provided for the Pku2u",
                     ));
                 };
                 builder
@@ -686,16 +688,23 @@ impl SspiImpl for SspiContext {
     ) -> crate::Result<AcceptSecurityContextResult> {
         match self {
             SspiContext::Ntlm(ntlm) => {
-                let auth_identity =
-                    if let Some(Some(CredentialsBuffers::AuthIdentity(identity))) = builder.credentials_handle {
-                        identity.clone()
-                    } else {
+                let mut auth_identity = match builder.credentials_handle {
+                    Some(Some(CredentialsBuffers::AuthIdentity(identity))) => Some(identity.clone()),
+                    Some(Some(_)) => {
+                        return Err(Error::new(
+                            ErrorKind::UnknownCredentials,
+                            "only password-based auth is supported in NTLM",
+                        ))
+                    }
+                    Some(None) => None,
+                    None => {
                         return Err(Error::new(
                             ErrorKind::NoCredentials,
-                            "Auth identity is not provided for the Ntlm",
-                        ));
-                    };
-                builder.full_transform(Some(&mut Some(auth_identity))).execute(ntlm)
+                            "credentials handle is not provided for the NTLM",
+                        ))
+                    }
+                };
+                builder.full_transform(Some(&mut auth_identity)).execute(ntlm)
             }
             SspiContext::Kerberos(kerberos) => builder.transform().execute(kerberos),
             SspiContext::Negotiate(negotiate) => builder.transform().execute(negotiate),
@@ -706,7 +715,7 @@ impl SspiImpl for SspiContext {
                     } else {
                         return Err(Error::new(
                             ErrorKind::NoCredentials,
-                            "Auth identity is not provided for the Pku2u",
+                            "auth identity is not provided for the Pku2u",
                         ));
                     };
                 builder.full_transform(Some(&mut Some(auth_identity))).execute(pku2u)
@@ -738,7 +747,7 @@ impl<'a> SspiContext {
             SspiContext::Negotiate(negotiate) => negotiate.change_password(yield_point, change_password).await,
             _ => Err(crate::Error::new(
                 ErrorKind::UnsupportedFunction,
-                "Change password not supported for this protocol",
+                "change password not supported for this protocol",
             )),
         }
     }
@@ -983,15 +992,15 @@ impl SspiEx for SspiContext {
             SspiContext::Ntlm(ntlm) => ntlm.custom_set_auth_identity(identity.auth_identity().ok_or_else(|| {
                 Error::new(
                     ErrorKind::IncompleteCredentials,
-                    "Provided credentials are not password-based",
+                    "provided credentials are not password-based",
                 )
             })?),
             SspiContext::Kerberos(kerberos) => kerberos.custom_set_auth_identity(identity),
             SspiContext::Negotiate(negotiate) => negotiate.custom_set_auth_identity(identity),
             SspiContext::Pku2u(pku2u) => pku2u.custom_set_auth_identity(identity.auth_identity().ok_or_else(|| {
                 Error::new(
                     ErrorKind::IncompleteCredentials,
-                    "Provided credentials are not password-based",
+                    "provided credentials are not password-based",
                 )
             })?),
             #[cfg(feature = "tsssp")]
@@ -1133,7 +1142,7 @@ impl CredSspContext {
 
             return Err(crate::Error::new(
                 crate::ErrorKind::MessageAltered,
-                String::from("Could not verify a public key echo"),
+                String::from("could not verify a public key echo"),
             ));
         }
 
@@ -1159,7 +1168,7 @@ impl CredSspContext {
 
             return Err(crate::Error::new(
                 crate::ErrorKind::MessageAltered,
-                String::from("Could not verify a public key hash"),
+                String::from("could not verify a public key hash"),
             ));
         }
 
diff --git a/tests/sspi/client_server/credssp.rs b/tests/sspi/client_server/credssp.rs
@@ -0,0 +1,83 @@
+use std::mem;
+
+use sspi::credssp::{ClientMode, ClientState, CredSspClient, CredSspMode, CredSspServer, ServerState, TsRequest};
+use sspi::ntlm::NtlmConfig;
+use sspi::{AuthIdentity, Credentials, Secret, Username};
+
+use crate::common::CredentialsProxyImpl;
+
+#[test]
+fn run_credssp() {
+    let auth_identity = AuthIdentity {
+        username: Username::parse("test_user").unwrap(),
+        password: Secret::from("test_password".to_owned()),
+    };
+    let credentials = Credentials::AuthIdentity(auth_identity.clone());
+    let public_key = [
+        48, 130, 2, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 2, 15, 0, 48, 130, 2, 10, 2,
+        130, 2, 1, 0, 153, 85, 210, 206, 231, 176, 16, 84, 146, 20, 255, 201, 74, 62, 122, 183, 157, 210, 202, 111, 17,
+        50, 30, 181, 14, 13, 193, 242, 152, 41, 178, 93, 237, 151, 133, 122, 29, 233, 73, 139, 182, 23, 93, 149, 119,
+        56, 5, 156, 180, 217, 84, 109, 88, 242, 117, 103, 167, 173, 81, 14, 171, 69, 18, 6, 149, 163, 35, 39, 128, 183,
+        73, 157, 200, 229, 17, 156, 115, 197, 187, 141, 211, 156, 148, 207, 94, 14, 119, 210, 166, 59, 242, 214, 224,
+        159, 51, 41, 55, 78, 250, 170, 175, 133, 213, 24, 173, 39, 234, 10, 216, 60, 238, 204, 157, 149, 186, 144, 203,
+        231, 241, 239, 41, 118, 35, 14, 245, 183, 29, 229, 209, 198, 182, 174, 34, 66, 146, 20, 214, 109, 119, 19, 8,
+        207, 231, 222, 119, 155, 192, 76, 15, 221, 210, 78, 132, 112, 33, 213, 87, 153, 25, 38, 190, 161, 178, 130,
+        108, 140, 75, 75, 22, 74, 28, 0, 164, 72, 103, 14, 57, 202, 58, 91, 94, 235, 177, 68, 209, 252, 254, 173, 97,
+        101, 156, 128, 139, 58, 140, 226, 73, 26, 232, 234, 178, 220, 193, 89, 196, 236, 89, 173, 235, 92, 39, 13, 1,
+        0, 93, 43, 252, 89, 236, 123, 140, 108, 144, 215, 171, 46, 211, 144, 236, 202, 59, 87, 177, 225, 162, 70, 144,
+        109, 113, 237, 2, 152, 115, 52, 166, 112, 249, 30, 53, 62, 239, 228, 226, 97, 56, 246, 27, 64, 43, 153, 195,
+        79, 176, 38, 178, 188, 192, 207, 0, 179, 255, 17, 173, 250, 152, 140, 8, 198, 9, 2, 50, 151, 16, 176, 125, 175,
+        161, 118, 185, 166, 34, 217, 189, 160, 27, 145, 91, 113, 71, 71, 220, 4, 195, 210, 242, 185, 14, 108, 61, 61,
+        5, 45, 27, 38, 56, 245, 49, 55, 196, 230, 22, 8, 155, 27, 3, 79, 252, 108, 199, 189, 29, 98, 220, 118, 212, 5,
+        0, 129, 59, 110, 131, 188, 159, 249, 56, 37, 69, 106, 185, 215, 38, 54, 36, 196, 28, 39, 81, 27, 255, 249, 155,
+        197, 237, 125, 92, 147, 108, 248, 238, 115, 101, 170, 27, 203, 193, 180, 33, 146, 208, 216, 113, 174, 158, 84,
+        100, 32, 200, 49, 30, 28, 31, 112, 247, 68, 190, 181, 247, 54, 117, 131, 215, 100, 13, 170, 52, 12, 137, 61,
+        253, 114, 120, 116, 124, 238, 3, 234, 95, 242, 208, 224, 96, 132, 150, 152, 186, 81, 85, 50, 179, 216, 191,
+        125, 25, 148, 232, 235, 234, 193, 150, 186, 41, 18, 38, 220, 144, 104, 97, 127, 215, 215, 49, 92, 81, 21, 232,
+        67, 145, 164, 179, 156, 220, 175, 154, 70, 144, 218, 31, 106, 84, 78, 218, 238, 15, 29, 207, 34, 33, 68, 121,
+        213, 114, 203, 80, 32, 42, 224, 115, 86, 161, 42, 78, 246, 183, 203, 213, 198, 110, 71, 22, 137, 164, 4, 163,
+        206, 239, 57, 197, 112, 179, 191, 160, 5, 2, 3, 1, 0, 1,
+    ];
+
+    let mut client = CredSspClient::new(
+        public_key.to_vec(),
+        credentials.clone(),
+        CredSspMode::WithCredentials,
+        ClientMode::Ntlm(NtlmConfig {
+            client_computer_name: Some("DESKTOP-3D83IAN.example.com".to_owned()),
+        }),
+        "TERMSRV/DESKTOP-8F33RFH.example.com".to_owned(),
+    )
+    .unwrap();
+    let mut server = CredSspServer::new(
+        public_key.to_vec(),
+        CredentialsProxyImpl::new(&auth_identity),
+        ClientMode::Ntlm(NtlmConfig {
+            client_computer_name: Some("DESKTOP-3D83IAN.example.com".to_owned()),
+        }),
+    )
+    .unwrap();
+
+    let mut ts_request = TsRequest::default();
+
+    for _ in 0..3 {
+        ts_request = match client
+            .process(mem::take(&mut ts_request))
+            .resolve_with_default_network_client()
+            .unwrap()
+        {
+            ClientState::ReplyNeeded(ts_request) => ts_request,
+            ClientState::FinalMessage(ts_request) => ts_request,
+        };
+
+        match server.process(ts_request).unwrap() {
+            ServerState::ReplyNeeded(server_ts_request) => ts_request = server_ts_request,
+            ServerState::Finished(received_auth_identity) => {
+                assert_eq!(auth_identity, received_auth_identity);
+                return;
+            }
+        };
+    }
+
+    panic!("CredSSP authentication should not exceed 3 steps")
+}
diff --git a/tests/sspi/client_server/mod.rs b/tests/sspi/client_server/mod.rs
@@ -0,0 +1,4 @@
+mod credssp;
+mod ntlm;
+
+// TODO(@TheBestTvarynka): add Kerberos test when the Kerberos server-side is implemented.
diff --git a/tests/sspi/client_server/ntlm.rs b/tests/sspi/client_server/ntlm.rs
@@ -0,0 +1,114 @@
+use sspi::builders::{AcquireCredentialsHandle, WithoutCredentialUse};
+use sspi::credssp::SspiContext;
+use sspi::ntlm::NtlmConfig;
+use sspi::{
+    AcquireCredentialsHandleResult, AuthIdentity, BufferType, ClientRequestFlags, CredentialUse, Credentials,
+    DataRepresentation, EncryptionFlags, InitializeSecurityContextResult, Ntlm, Secret, SecurityBuffer,
+    SecurityBufferRef, SecurityStatus, ServerRequestFlags, Sspi, Username,
+};
+
+fn test_ntlm_encryption(client: &mut SspiContext, server: &mut SspiContext) {
+    let plain_message = b"Devolutions/sspi-rs";
+
+    let mut token = [0; 1024];
+    let mut data = plain_message.to_vec();
+
+    let mut message = vec![
+        SecurityBufferRef::token_buf(token.as_mut_slice()),
+        SecurityBufferRef::data_buf(data.as_mut_slice()),
+    ];
+
+    client
+        .encrypt_message(EncryptionFlags::empty(), &mut message, 0)
+        .unwrap();
+    server.decrypt_message(&mut message, 0).unwrap();
+
+    assert_eq!(plain_message, message[1].data());
+}
+
+fn run_ntlm(config: NtlmConfig) {
+    let credentials = Credentials::AuthIdentity(AuthIdentity {
+        username: Username::parse("test_user").unwrap(),
+        password: Secret::from("test_password".to_owned()),
+    });
+    let target_name = "TERMSRV/DESKTOP-8F33RFH.example.com";
+
+    let mut client = SspiContext::Ntlm(Ntlm::with_config(config.clone()));
+    let mut server = SspiContext::Ntlm(Ntlm::with_config(config));
+
+    let builder = AcquireCredentialsHandle::<'_, _, _, WithoutCredentialUse>::new();
+    let AcquireCredentialsHandleResult {
+        credentials_handle: mut client_credentials_handle,
+        ..
+    } = builder
+        .with_auth_data(&credentials)
+        .with_credential_use(CredentialUse::Outbound)
+        .execute(&mut client)
+        .unwrap();
+
+    let builder = AcquireCredentialsHandle::<'_, _, _, WithoutCredentialUse>::new();
+    let AcquireCredentialsHandleResult {
+        credentials_handle: mut server_credentials_handle,
+        ..
+    } = builder
+        .with_auth_data(&credentials)
+        .with_credential_use(CredentialUse::Inbound)
+        .execute(&mut server)
+        .unwrap();
+
+    let mut input_token = [SecurityBuffer::new(Vec::new(), BufferType::Token)];
+    let mut output_token = [SecurityBuffer::new(Vec::new(), BufferType::Token)];
+
+    for _ in 0..3 {
+        let mut builder = client
+            .initialize_security_context()
+            .with_credentials_handle(&mut client_credentials_handle)
+            .with_context_requirements(
+                ClientRequestFlags::MUTUAL_AUTH
+                    | ClientRequestFlags::USE_SESSION_KEY
+                    | ClientRequestFlags::INTEGRITY
+                    | ClientRequestFlags::CONFIDENTIALITY,
+            )
+            .with_target_data_representation(DataRepresentation::Native)
+            .with_target_name(target_name)
+            .with_input(&mut input_token)
+            .with_output(&mut output_token);
+        let InitializeSecurityContextResult { status, .. } =
+            client.initialize_security_context_sync(&mut builder).unwrap();
+
+        input_token[0].buffer.clear();
+
+        server
+            .accept_security_context()
+            .with_credentials_handle(&mut server_credentials_handle)
+            .with_context_requirements(ServerRequestFlags::empty())
+            .with_target_data_representation(DataRepresentation::Native)
+            .with_input(&mut output_token)
+            .with_output(&mut input_token)
+            .execute(&mut server)
+            .unwrap();
+
+        output_token[0].buffer.clear();
+
+        if status == SecurityStatus::Ok {
+            test_ntlm_encryption(&mut client, &mut server);
+            return;
+        }
+    }
+
+    panic!("NTLM authentication should not exceed 3 steps")
+}
+
+#[test]
+fn ntlm_with_computer_name() {
+    run_ntlm(NtlmConfig {
+        client_computer_name: Some("DESKTOP-3D83IAN.example.com".to_owned()),
+    });
+}
+
+#[test]
+fn ntlm_without_computer_name() {
+    run_ntlm(NtlmConfig {
+        client_computer_name: None,
+    });
+}
diff --git a/tests/sspi/common.rs b/tests/sspi/common.rs
@@ -25,7 +25,7 @@ impl<'a> CredentialsProxyImpl<'a> {
     }
 }
 
-impl<'a> credssp::CredentialsProxy for CredentialsProxyImpl<'a> {
+impl credssp::CredentialsProxy for CredentialsProxyImpl<'_> {
     type AuthenticationData = AuthIdentity;
 
     fn auth_data_by_user(&mut self, username: &Username) -> io::Result<Self::AuthenticationData> {
diff --git a/tests/sspi/main.rs b/tests/sspi/main.rs
@@ -0,0 +1,3 @@
+mod client_server;
+mod common;
+mod ntlm;
diff --git a/tests/sspi/ntlm.rs b/tests/sspi/ntlm.rs
@@ -1,11 +1,10 @@
-pub mod common;
+use sspi::Ntlm;
 
-use common::{
+use crate::common::{
     check_messages_encryption, create_client_credentials_handle, create_server_credentials_handle,
     process_authentication_without_complete, set_identity_and_try_complete_authentication, try_complete_authentication,
     CredentialsProxyImpl, CREDENTIALS,
 };
-use sspi::Ntlm;
 
 #[test]
 fn successful_ntlm_authentication_with_client_auth_data() {

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ impl<'a> CredentialsProxyImpl<'a> {`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
`28`		`-impl<'a> credssp::CredentialsProxy for CredentialsProxyImpl<'a> {`
	`28`	`+impl credssp::CredentialsProxy for CredentialsProxyImpl<'_> {`
`29`	`29`	`type AuthenticationData = AuthIdentity;`
`30`	`30`
`31`	`31`	`fn auth_data_by_user(&mut self, username: &Username) -> io::Result<Self::AuthenticationData> {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+mod client_server;`
	`2`	`+mod common;`
	`3`	`+mod ntlm;`