feat(ffi): implement DPAPI FFI functions (#380)

Author: PavloMyroniuk

Cargo.lock

@@ -46,6 +46,7 @@ picky-krb = "0.9"
 tokio = "1.43"
 ffi-types = { path = "crates/ffi-types" }
 winscard = { version = "0.2", path = "crates/winscard" }
+dpapi = { version = "0.1.0", path = "crates/dpapi" }
 rsa = { version = "0.9.7", default-features = false }
 windows-sys = "0.59"
 base64 = "0.22"

Cargo.toml

@@ -12,6 +12,9 @@ description = "A Rust implementation of Windows DPAPI"
 [lib]
 name = "dpapi"
 
+[features]
+tsssp = ["sspi/tsssp"]
+
 [dependencies]
 bitflags.workspace = true
 byteorder.workspace = true

crates/dpapi/Cargo.toml

@@ -44,6 +44,8 @@ impl AuthProvider {
             SspiContext::Kerberos(_) => SecurityProvider::GssKerberos,
             SspiContext::Negotiate(_) => SecurityProvider::GssNegotiate,
             SspiContext::Pku2u(_) => Err(AuthError::SecurityProviderNotSupported("PKU2U"))?,
+            #[cfg(feature = "tsssp")]
+            SspiContext::CredSsp(_) => Err(AuthError::SecurityProviderNotSupported("CredSSP"))?,
         };
 
         let builder = AcquireCredentialsHandle::<'_, _, _, WithoutCredentialUse>::new();

crates/dpapi/src/rpc/auth.rs

@@ -24,6 +24,7 @@ pub type Bool = i32;
 ///   unsigned char  Data4[8];
 /// } GUID;
 /// ```
+#[derive(Clone, Copy)]
 #[repr(C)]
 pub struct Guid {
     pub data1: u32,

crates/ffi-types/src/common.rs

@@ -13,11 +13,12 @@ name = "sspi"
 crate-type = ["cdylib"]
 
 [features]
-default = ["aws-lc-rs", "scard"]
-tsssp = ["sspi/tsssp"]
+default = ["aws-lc-rs", "scard", "dpapi"]
+tsssp = ["sspi/tsssp", "dpapi/tsssp"]
 scard = ["sspi/scard", "dep:ffi-types", "dep:winscard", "dep:bitflags", "dep:picky-asn1-x509", "dep:picky"]
 aws-lc-rs = ["sspi/aws-lc-rs"]
 ring = ["sspi/ring"]
+dpapi = ["dep:dpapi", "dep:ffi-types"]
 
 [dependencies]
 cfg-if.workspace = true
@@ -27,6 +28,7 @@ ffi-types = { workspace = true, features = ["winscard"], optional = true }
 picky-asn1-der.workspace = true
 uuid.workspace = true
 winscard = { workspace = true, features = ["std"], optional = true }
+dpapi = { workspace = true, optional = true }
 # logging
 tracing = { workspace = true, default-features = true }
 tracing-subscriber = { workspace = true, features = ["std", "fmt", "local-time", "env-filter"] }

ffi/Cargo.toml

@@ -0,0 +1,43 @@
+#[cfg(not(any(test, miri)))]
+mod inner {
+    pub use dpapi::{n_crypt_protect_secret, n_crypt_unprotect_secret};
+}
+
+#[cfg(any(test, miri))]
+mod inner {
+    //! We have FFI wrappers for DPAPI functions from the [dpapi] crate and we want to test them.
+    //! The DPAPI implementation is complex and makes calls to the RPC and KDC servers.
+    //! Implementing a mock for KDF and RPC servers is too hard and unreasonable. So, we wrote a simple
+    //! high-level mock of [n_crypt_protect_secret] and [n_crypt_unprotect_secret] functions.
+    //!
+    //! **Note**: The goal is to test FFI functions, not the DPAPI implementation correctness.
+    //! The FFI tests should not care about returned data correctness but rather check
+    //! for memory corruptions and memory leaks.
+
+    use sspi::Secret;
+    use uuid::Uuid;
+
+    pub fn n_crypt_unprotect_secret(
+        _blob: &[u8],
+        _server: &str,
+        _username: &str,
+        _password: Secret<String>,
+        _client_computer_name: Option<String>,
+    ) -> dpapi::Result<Secret<Vec<u8>>> {
+        Ok(b"secret-to-encrypt".to_vec().into())
+    }
+
+    pub fn n_crypt_protect_secret(
+        _data: Secret<Vec<u8>>,
+        _sid: String,
+        _root_key_id: Option<Uuid>,
+        _server: &str,
+        _username: &str,
+        _password: Secret<String>,
+        _client_computer_name: Option<String>,
+    ) -> dpapi::Result<Vec<u8>> {
+        Ok(b"DPAPI_blob".to_vec())
+    }
+}
+
+pub use inner::*;

ffi/src/dpapi/api.rs

@@ -0,0 +1,31 @@
+macro_rules! check_null {
+    ($x:expr) => {{
+        if $x.is_null() {
+            // https://learn.microsoft.com/en-us/windows/win32/api/ncryptprotect/nf-ncryptprotect-ncryptprotectsecret#return-value
+            return crate::dpapi::NTE_INVALID_PARAMETER;
+        }
+    }};
+}
+
+macro_rules! try_execute {
+    ($x:expr, $err_value:expr) => {{
+        match $x {
+            Ok(val) => val,
+            Err(err) => {
+                error!(%err, "an error occurred");
+                return $err_value;
+            }
+        }
+    }};
+}
+
+macro_rules! catch_panic {
+    ($($tokens:tt)*) => {{
+        match std::panic::catch_unwind(move || { $($tokens)* }) {
+            Ok(val) => val,
+            Err(_) => {
+                return crate::dpapi::NTE_INTERNAL_ERROR;
+            }
+        }
+    }};
+}