Add: Nasl builtin functions for Kerberos support

This includes:
- krb5_error_code_to_string
- krb5_find_kdc
- krb5_gss_init
- krb5_gss_prepare_context
- krb5_gss_session_key
- krb5_gss_update_context
- krb5_gss_update_context_needs_more
- krb5_gss_update_context_out
- krb5_is_failure
- krb5_is_success

Author: Kraemii

rust/src/nasl/builtin/error.rs

@@ -4,6 +4,8 @@
 
 use thiserror::Error;
 
+#[cfg(feature = "nasl-c-lib")]
+use crate::nasl::builtin::krb5::Krb5Error;
 use crate::nasl::prelude::*;
 use crate::nasl::utils::error::FnErrorKind;
 
@@ -56,6 +58,9 @@ pub enum BuiltinError {
     RawIp(RawIpError),
     #[error("{0}")]
     Preference(String),
+    #[cfg(feature = "nasl-c-lib")]
+    #[error("{0}")]
+    Krb5(Krb5Error),
 }
 
 macro_rules! builtin_error_variant (
@@ -104,3 +109,6 @@ builtin_error_variant!(SnmpError, Snmp);
 
 #[cfg(feature = "nasl-builtin-raw-ip")]
 builtin_error_variant!(RawIpError, RawIp);
+
+#[cfg(feature = "nasl-c-lib")]
+builtin_error_variant!(Krb5Error, Krb5);

rust/src/nasl/builtin/krb5/mod.rs

@@ -0,0 +1,280 @@
+// SPDX-FileCopyrightText: 2026 Greenbone AG
+//
+// SPDX-License-Identifier: GPL-2.0-or-later WITH x11vnc-openssl-exception
+
+#![allow(non_upper_case_globals)]
+#![allow(non_camel_case_types)]
+#![allow(non_snake_case)]
+
+use std::ffi::CStr;
+use std::os;
+use thiserror::Error;
+
+use nasl_c_lib::krb5::{
+    OKrb5Credential, OKrb5ErrorCode, OKrb5ErrorCode_O_KRB5_CONF_NOT_CREATED,
+    OKrb5ErrorCode_O_KRB5_CONF_NOT_FOUND, OKrb5ErrorCode_O_KRB5_EXPECTED_NOT_NULL,
+    OKrb5ErrorCode_O_KRB5_EXPECTED_NULL, OKrb5ErrorCode_O_KRB5_NOMEM,
+    OKrb5ErrorCode_O_KRB5_REALM_NOT_FOUND, OKrb5ErrorCode_O_KRB5_SUCCESS,
+    OKrb5ErrorCode_O_KRB5_TMP_CONF_NOT_CREATED, OKrb5ErrorCode_O_KRB5_TMP_CONF_NOT_MOVED,
+    OKrb5ErrorCode_O_KRB5_UNABLE_TO_WRITE, OKrb5Slice, OKrb5Target, OKrb5User, o_krb5_add_realm,
+    o_krb5_find_kdc, okrb5_gss_init_context,
+};
+use nasl_function_proc_macro::nasl_function;
+
+use crate::{function_set, nasl::FnError};
+
+macro_rules! get_var_or_env {
+    ($var:expr, $env:expr) => {
+        $var.map(|x| x.to_string())
+            .or(std::env::var($env).ok())
+            .ok_or(Krb5Error::Var(
+                stringify!($var).to_string(),
+                $env.to_string(),
+            ))
+    };
+}
+
+fn error_code_to_string(code: OKrb5ErrorCode) -> String {
+    match code {
+        OKrb5ErrorCode_O_KRB5_SUCCESS => "success".to_string(),
+        OKrb5ErrorCode_O_KRB5_CONF_NOT_FOUND => "krb5.conf not found".to_string(),
+        OKrb5ErrorCode_O_KRB5_CONF_NOT_CREATED => "krb5.conf not created".to_string(),
+        OKrb5ErrorCode_O_KRB5_TMP_CONF_NOT_CREATED => "tmp krb5.conf not created".to_string(),
+        OKrb5ErrorCode_O_KRB5_TMP_CONF_NOT_MOVED => "tmp krb5.conf not moved".to_string(),
+        OKrb5ErrorCode_O_KRB5_REALM_NOT_FOUND => "realm not found".to_string(),
+        OKrb5ErrorCode_O_KRB5_EXPECTED_NULL => "expected null".to_string(),
+        OKrb5ErrorCode_O_KRB5_EXPECTED_NOT_NULL => "expected not null".to_string(),
+        OKrb5ErrorCode_O_KRB5_UNABLE_TO_WRITE => "unable to write".to_string(),
+        OKrb5ErrorCode_O_KRB5_NOMEM => "no memory".to_string(),
+        _ => "unknown error code".to_string(),
+    }
+}
+
+fn string_from_okrb5_slice(slice: OKrb5Slice) -> String {
+    unsafe {
+        let bytes = std::slice::from_raw_parts(slice.data as *const u8, slice.len);
+        String::from_utf8_lossy(bytes).into_owned()
+    }
+}
+
+#[derive(Debug, Error)]
+pub enum Krb5Error {
+    #[error("Expected {0} or env variable {1}")]
+    Var(String, String),
+    #[error(
+        "[config_path: '{config_path}', realm: '{realm}', user: '{user}'] => {message} ({code})"
+    )]
+    Credential {
+        config_path: String,
+        realm: String,
+        user: String,
+        message: String,
+        code: OKrb5ErrorCode,
+    },
+}
+
+#[derive(Default)]
+pub struct Krb5 {
+    last_okrb5_result: OKrb5ErrorCode,
+}
+
+impl Krb5 {
+    #[nasl_function]
+    fn krb5_is_failure(&self, code: Option<u32>) -> bool {
+        let code = code.unwrap_or(self.last_okrb5_result);
+        code != OKrb5ErrorCode_O_KRB5_SUCCESS
+    }
+
+    #[nasl_function]
+    fn krb5_is_success(&self, code: Option<u32>) -> bool {
+        let code = code.unwrap_or(self.last_okrb5_result);
+        code == OKrb5ErrorCode_O_KRB5_SUCCESS
+    }
+
+    #[nasl_function]
+    fn krb5_error_code_to_string(&self) -> String {
+        error_code_to_string(self.last_okrb5_result)
+    }
+
+    fn make_credential(
+        config_path: &str,
+        realm: &str,
+        kdc: &str,
+        user: &str,
+        password: &str,
+        host: &str,
+    ) -> OKrb5Credential {
+        OKrb5Credential {
+            config_path: OKrb5Slice {
+                data: config_path.as_ptr() as *mut os::raw::c_void,
+                len: config_path.len(),
+            },
+            realm: OKrb5Slice {
+                data: realm.as_ptr() as *mut os::raw::c_void,
+                len: realm.len(),
+            },
+            kdc: OKrb5Slice {
+                data: kdc.as_ptr() as *mut os::raw::c_void,
+                len: kdc.len(),
+            },
+            user: OKrb5User {
+                user: OKrb5Slice {
+                    data: user.as_ptr() as *mut os::raw::c_void,
+                    len: user.len(),
+                },
+                password: OKrb5Slice {
+                    data: password.as_ptr() as *mut os::raw::c_void,
+                    len: password.len(),
+                },
+            },
+            target: OKrb5Target {
+                host_name: OKrb5Slice {
+                    data: host.as_ptr() as *mut os::raw::c_void,
+                    len: host.len(),
+                },
+                service: OKrb5Slice {
+                    data: std::ptr::null_mut(),
+                    len: 0,
+                },
+                domain: OKrb5Slice {
+                    data: std::ptr::null_mut(),
+                    len: 0,
+                },
+            },
+        }
+    }
+
+    fn build_krb5_credential(
+        &mut self,
+        config_path: Option<&str>,
+        realm: Option<&str>,
+        kdc: Option<&str>,
+        user: Option<&str>,
+        password: Option<&str>,
+        host: Option<&str>,
+    ) -> Result<OKrb5Credential, Krb5Error> {
+        let config_path = config_path
+            .map(|x| x.to_string())
+            .or(std::env::var("KRB5_CONFIG").ok())
+            .unwrap_or("/etc/krb5.conf".to_string());
+
+        let realm = get_var_or_env!(realm, "KRB5_REALM")?;
+        let kdc = get_var_or_env!(kdc, "KRB5_KDC")?;
+        let user = get_var_or_env!(user, "KRB5_USER")?;
+        let password = get_var_or_env!(password, "KRB5_PASSWORD")?;
+        let host = get_var_or_env!(host, "KRB5_TARGET_HOST")?;
+
+        let credential = Self::make_credential(&config_path, &realm, &kdc, &user, &password, &host);
+
+        let mut kdc_ptr: *mut i8 = std::ptr::null_mut();
+        let code = unsafe { o_krb5_find_kdc(&credential, &mut kdc_ptr) };
+
+        match code {
+            OKrb5ErrorCode_O_KRB5_SUCCESS => {
+                if !kdc_ptr.is_null() {
+                    unsafe {
+                        libc::free(kdc_ptr as *mut libc::c_void);
+                    }
+                }
+            }
+            code if code != OKrb5ErrorCode_O_KRB5_REALM_NOT_FOUND
+                && code != OKrb5ErrorCode_O_KRB5_CONF_NOT_FOUND =>
+            {
+                return Err(Krb5Error::Credential {
+                    config_path,
+                    realm,
+                    user,
+                    message: error_code_to_string(code),
+                    code,
+                });
+            }
+            _ => {
+                let code =
+                    unsafe { o_krb5_add_realm(&credential, credential.kdc.data as *const i8) };
+                if code != OKrb5ErrorCode_O_KRB5_SUCCESS {
+                    return Err(Krb5Error::Credential {
+                        config_path,
+                        realm,
+                        user,
+                        message: error_code_to_string(code),
+                        code,
+                    });
+                }
+            }
+        }
+
+        Ok(credential)
+    }
+
+    #[nasl_function(named(config_path, realm, kdc, user, password, host))]
+    fn krb5_find_kdc(
+        &mut self,
+        config_path: Option<&str>,
+        realm: Option<&str>,
+        kdc: Option<&str>,
+        user: Option<&str>,
+        password: Option<&str>,
+        host: Option<&str>,
+    ) -> Result<String, FnError> {
+        let credential =
+            self.build_krb5_credential(config_path, realm, kdc, user, password, host)?;
+        let mut kdc_ptr: *mut i8 = std::ptr::null_mut();
+
+        self.last_okrb5_result = unsafe { o_krb5_find_kdc(&credential, &mut kdc_ptr) };
+
+        if self.last_okrb5_result != OKrb5ErrorCode_O_KRB5_SUCCESS {
+            return Err(Krb5Error::Credential {
+                config_path: string_from_okrb5_slice(credential.config_path),
+                realm: string_from_okrb5_slice(credential.realm),
+                user: string_from_okrb5_slice(credential.user.user),
+                message: error_code_to_string(self.last_okrb5_result),
+                code: self.last_okrb5_result,
+            }
+            .into());
+        }
+
+        if kdc_ptr.is_null() {
+            return Ok(String::new());
+        }
+
+        let result = unsafe {
+            let c_str = CStr::from_ptr(kdc_ptr);
+            let rust_string = c_str.to_string_lossy().into_owned();
+            libc::free(kdc_ptr as *mut libc::c_void);
+            rust_string
+        };
+
+        Ok(result)
+    }
+
+    #[nasl_function]
+    fn krb5_gss_init(&mut self) {
+        let chached_gss_context = unsafe { okrb5_gss_init_context() };
+        if chached_gss_context.is_null() {
+            self.last_okrb5_result = OKrb5ErrorCode_O_KRB5_EXPECTED_NOT_NULL;
+        } else {
+            self.last_okrb5_result = OKrb5ErrorCode_O_KRB5_SUCCESS;
+        }
+    }
+
+    fn krb5_gss_prepare_context() {}
+
+    fn krb5_gss_update_context() {}
+
+    fn krb5_gss_update_context_out() {}
+
+    fn krb5_gss_update_context_needs_more() {}
+
+    fn krb5_gss_session_key() {}
+}
+
+function_set! {
+    Krb5,
+    (
+        (Krb5::krb5_is_failure, "krb5_is_failure"),
+        (Krb5::krb5_is_success, "krb5_is_success"),
+        (Krb5::krb5_error_code_to_string, "krb5_error_code_to_string"),
+        (Krb5::krb5_find_kdc, "krb5_find_kdc"),
+        (Krb5::krb5_gss_init, "krb5_gss_init"),
+    )
+}

rust/src/nasl/builtin/mod.rs

@@ -14,6 +14,8 @@ mod host;
 mod http;
 mod isotime;
 mod knowledge_base;
+#[cfg(feature = "nasl-c-lib")]
+mod krb5;
 pub mod misc;
 pub mod network;
 mod preferences;
@@ -65,6 +67,8 @@ pub fn nasl_std_functions() -> Executor {
         .add_set(snmp::Snmp)
         .add_set(cert::NaslCerts::default());
 
+    #[cfg(feature = "nasl-c-lib")]
+    executor.add_set(krb5::Krb5::default());
     #[cfg(feature = "nasl-builtin-raw-ip")]
     executor.add_set(raw_ip::RawIp);
     #[cfg(feature = "nasl-builtin-raw-ip")]