fix(dpapi): panic in dpapi due to missing io driver (#586)

philippelatulippe · web-flow · commit d8f121129273 · 2026-01-17T03:31:24.000+09:00
During manual initialization of the tokio runtime, the I/O driver wasn't
enabled, leading to a panic later when performing RPC.

Also:
* Tweaks address parsing to avoid breaking on IPv6 addresses. Although
using DPAPI with only an IP address is unlikely to work, at least now a
better error will be returned, instead of an "invalid port" error.
* Tweaks DPAPI response parsing to read the result code even if the
response has an unexpected lenght.
diff --git a/crates/dpapi-transport/src/connect_options.rs b/crates/dpapi-transport/src/connect_options.rs
@@ -1,8 +1,9 @@
 use std::future::Future;
+use std::net::IpAddr;
 use std::pin::Pin;
 
 use thiserror::Error;
-use url::Url;
+use url::{Host, Url};
 use uuid::Uuid;
 
 /// Type that represents a function for obtaining the session token.
@@ -70,6 +71,13 @@ impl ConnectOptions {
     pub fn new(destination: &str, proxy_options: Option<ProxyOptions>) -> Result<Self> {
         let mut destination = Url::parse(&if destination.contains("://") {
             destination.to_owned()
+        } else if let Ok(ip_attempt) = destination.parse::<IpAddr>() {
+            // Ensure IP address format is valid for URLs
+            let ip_str_valid = match ip_attempt {
+                IpAddr::V4(ipv4_addr) => Host::Ipv4::<String>(ipv4_addr).to_string(),
+                IpAddr::V6(ipv6_addr) => Host::Ipv6::<String>(ipv6_addr).to_string(),
+            };
+            format!("tcp://{ip_str_valid}")
         } else {
             format!("tcp://{destination}")
         })?;
diff --git a/crates/dpapi/src/gkdi.rs b/crates/dpapi/src/gkdi.rs
@@ -39,19 +39,21 @@ pub enum GkdiError {
 
 /// Checks the RPC GetKey Response status (`hresult`) and tries to parse the data into [GroupKeyEnvelope].
 pub fn unpack_response(data: &[u8]) -> Result<GroupKeyEnvelope> {
-    if data.len() < 4 /* key_length */ + 4 /* padding */ + 8 /* referent id */ + 8 /* pointer size */ + 4
-    /* status */
-    {
-        Err(GkdiError::BadResponse("response data length is too small"))?;
-    }
-
-    let (key_buf, mut hresult_buf) = data.split_at(data.len() - size_of::<u32>());
+    let (key_buf, mut hresult_buf) = data
+        .split_at_checked(data.len() - size_of::<u32>())
+        .ok_or(GkdiError::BadResponse("response data length is too small"))?;
 
     let hresult = hresult_buf.read_u32::<LittleEndian>()?;
     if hresult != 0 {
         Err(GkdiError::BadHresult(hresult))?;
     }
 
+    if data.len() < 4 /* key_length */ + 4 /* padding */ + 8 /* referent id */ + 8 /* pointer size */ + 4
+    /* status */
+    {
+        Err(GkdiError::BadResponse("response data length is too small"))?;
+    }
+
     let mut src = ReadCursor::new(key_buf);
 
     let _key_length = src.read_u32();
diff --git a/ffi/src/dpapi/mod.rs b/ffi/src/dpapi/mod.rs
@@ -180,7 +180,7 @@ pub unsafe extern "system" fn DpapiProtectSecret(
         };
         let mut network_client = network_client::SyncNetworkClient;
 
-        let runtime  = try_execute!(Builder::new_current_thread().build(), NTE_INTERNAL_ERROR);
+        let runtime  = try_execute!(Builder::new_current_thread().enable_all().build(), NTE_INTERNAL_ERROR);
         let blob_data = try_execute!(
             runtime.block_on(n_crypt_protect_secret::<NativeTransport>(
                 CryptProtectSecretArgs {
@@ -353,7 +353,7 @@ pub unsafe extern "system" fn DpapiUnprotectSecret(
         };
         let mut network_client = network_client::SyncNetworkClient;
 
-        let runtime  = try_execute!(Builder::new_current_thread().build(), NTE_INTERNAL_ERROR);
+        let runtime  = try_execute!(Builder::new_current_thread().enable_all().build(), NTE_INTERNAL_ERROR);
         let secret_data = try_execute!(
             runtime.block_on(n_crypt_unprotect_secret::<NativeTransport>(
                 CryptUnprotectSecretArgs {
diff --git a/tools/dpapi-cli-client/src/main.rs b/tools/dpapi-cli-client/src/main.rs
@@ -82,7 +82,7 @@ async fn run(data: Dpapi) -> Result<()> {
                 stdin().bytes().collect::<Result<Vec<_>>>()?
             };
 
-            let secret = Box::pin(dpapi::n_crypt_unprotect_secret::<NativeTransport>(
+            let result = Box::pin(dpapi::n_crypt_unprotect_secret::<NativeTransport>(
                 CryptUnprotectSecretArgs {
                     blob: &blob,
                     server: &server,
@@ -94,10 +94,17 @@ async fn run(data: Dpapi) -> Result<()> {
                     kerberos_config: None,
                 },
             ))
-            .await
-            .unwrap();
+            .await;
 
-            stdout().write_all(secret.as_ref())?;
+            match result {
+                Ok(secret) => {
+                    stdout().write_all(secret.as_ref())?;
+                }
+                Err(error) => {
+                    println!("{:?}", error);
+                }
+            }
+            
         }
     }
 
