Documentation ¶
Overview ¶
Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication.
Index ¶
- Constants
- Variables
- func NewAuthenticator(creds credentials.Credentials, flags []int) (types.Authenticator, error)
- func UnmarshalNegToken(b []byte) (bool, interface{}, error)
- type ContextFlags
- type MechToken
- type NegTokenInit
- type NegTokenResp
- type NegTokenTarg
- type SPNEGO
- type WrapToken
- func (wt *WrapToken) ComputeAndSetCheckSum(key types.EncryptionKey, keyUsage uint32) error
- func (wt *WrapToken) ComputeCheckSum(key types.EncryptionKey, keyUsage uint32) ([]byte, error)
- func (wt *WrapToken) Marshal() ([]byte, error)
- func (wt *WrapToken) Unmarshal(b []byte, expectFromAcceptor bool) error
- func (wt *WrapToken) VerifyCheckSum(key types.EncryptionKey, keyUsage uint32) (bool, error)
Constants ¶
const ( HdrLen = 16 // Length of the Wrap Token's header FillerByte byte = 0xFF )
From RFC 4121, section 4.2.6.2:
Use of the GSS_Wrap() call yields a token (referred as the Wrap token in this document), which consists of a descriptive header, followed by a body portion that contains either the input user data in plaintext concatenated with the checksum, or the input user data encrypted. The GSS_Wrap() token SHALL have the following format: Octet no Name Description -------------------------------------------------------------- 0..1 TOK_ID Identification field. Tokens emitted by GSS_Wrap() contain the hex value 05 04 expressed in big-endian order in this field. 2 Flags Attributes field, as described in section 4.2.2. 3 Filler Contains the hex value FF. 4..5 EC Contains the "extra count" field, in big- endian order as described in section 4.2.3. 6..7 RRC Contains the "right rotation count" in big- endian order, as described in section 4.2.5. 8..15 SndSeqNum Sequence number field in clear text, expressed in big-endian order. 16..last Data Encrypted data for Wrap tokens with confidentiality, or plaintext data followed by the checksum for Wrap tokens without confidentiality, as described in section 4.2.4.
Quick notes:
- "EC" or "Extra Count" refers to the length of the cheksum.
- "Flags" (complete details in section 4.2.2) is a set of bits:
- if bit 0 is set, it means the token was sent by the acceptor (generally the kerberized service).
- bit 1 indicates that the token's payload is encrypted
- bit 2 indicates if the message is protected using a subkey defined by the acceptor.
- When computing checksums, EC and RRC MUST be set to 0.
- Wrap Tokens are not ASN.1 encoded.
const ( TOK_ID_KRB_AP_REQ = "0100" TOK_ID_KRB_AP_REP = "0200" TOK_ID_KRB_ERROR = "0300" GSS_C_DELEG_FLAG = 1 GSS_C_MUTUAL_FLAG = 2 GSS_C_REPLAY_FLAG = 4 GSS_C_SEQUENCE_FLAG = 8 GSS_C_CONF_FLAG = 16 GSS_C_INTEG_FLAG = 32 )
GSSAPI MechToken IDs and flags.
Variables ¶
var MechTypeOIDKRB5 = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}
MechTypeOIDKRB5 is the MechType OID for Kerberos 5
var MechTypeOIDMSLegacyKRB5 = asn1.ObjectIdentifier{1, 2, 840, 48018, 1, 2, 2}
MechTypeOIDMSLegacyKRB5 is the MechType OID for MS legacy Kerberos 5
var SPNEGO_OID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}
SPNEGO_OID is the OID for SPNEGO header type.
Functions ¶
func NewAuthenticator ¶
func NewAuthenticator(creds credentials.Credentials, flags []int) (types.Authenticator, error)
NewAuthenticator creates a new kerberos authenticator for kerberos MechToken
func UnmarshalNegToken ¶
UnmarshalNegToken umarshals and returns either a NegTokenInit or a NegTokenResp.
The boolean indicates if the response is a NegTokenInit. If error is nil and the boolean is false the response is a NegTokenResp.
Types ¶
type ContextFlags ¶
ContextFlags flags for GSSAPI
func NewContextFlags ¶
func NewContextFlags() ContextFlags
NewContextFlags creates a new ContextFlags instance.
type MechToken ¶
type MechToken struct { OID asn1.ObjectIdentifier TokID []byte APReq messages.APReq APRep messages.APRep KRBError messages.KRBError }
MechToken implementation for GSSAPI.
func NewAPREQMechToken ¶
func NewAPREQMechToken(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey, GSSAPIFlags []int, APOptions []int) (MechToken, error)
NewAPREQMechToken creates new Kerberos AP_REQ MechToken.
func (*MechToken) IsKRBError ¶
IsKRBError tests if the MechToken contains an KRB_ERROR.
type NegTokenInit ¶
type NegTokenInit struct { MechTypes []asn1.ObjectIdentifier `asn1:"explicit,tag:0"` ReqFlags ContextFlags `asn1:"explicit,optional,tag:1"` MechToken []byte `asn1:"explicit,optional,tag:2"` MechTokenMIC []byte `asn1:"explicit,optional,tag:3"` }
NegTokenInit implements Negotiation Token of type Init
func NewNegTokenInitKrb5 ¶
func NewNegTokenInitKrb5(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey) (NegTokenInit, error)
NewNegTokenInitKrb5 creates new Init negotiation token for Kerberos 5
func (*NegTokenInit) Marshal ¶
func (n *NegTokenInit) Marshal() ([]byte, error)
Marshal an Init negotiation token
type NegTokenResp ¶
type NegTokenResp struct { NegState asn1.Enumerated `asn1:"explicit,tag:0"` SupportedMech asn1.ObjectIdentifier `asn1:"explicit,optional,tag:1"` ResponseToken []byte `asn1:"explicit,optional,tag:2"` MechListMIC []byte `asn1:"explicit,optional,tag:3"` }
NegTokenResp implements Negotiation Token of type Resp/Targ
func (*NegTokenResp) Marshal ¶
func (n *NegTokenResp) Marshal() ([]byte, error)
Marshal a Resp/Targ negotiation token
type NegTokenTarg ¶
type NegTokenTarg NegTokenResp
NegTokenTarg implements Negotiation Token of type Resp/Targ
type SPNEGO ¶
type SPNEGO struct { Init bool Resp bool NegTokenInit NegTokenInit NegTokenResp NegTokenResp }
SPNEGO header struct
func GetSPNEGOKrbNegTokenInit ¶
func GetSPNEGOKrbNegTokenInit(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey) (SPNEGO, error)
GetSPNEGOKrbNegTokenInit returns an SPNEGO struct containing a NegTokenInit.
type WrapToken ¶ added in v1.5.5
type WrapToken struct { // const GSS Token ID: 0x0504 Flags byte // contains three flags: acceptor, sealed, acceptor subkey // const Filler: 0xFF EC uint16 // checksum length. big-endian RRC uint16 // right rotation count. big-endian SndSeqNum uint64 // sender's sequence number. big-endian Payload []byte // your data! :) CheckSum []byte // authenticated checksum of { payload | header } }
WrapToken represents a GSS API Wrap token, as defined in RFC 4121. It contains the header fields, the payload and the checksum, and provides the logic for converting to/from bytes plus computing and verifying checksums
func NewInitiatorToken ¶
func NewInitiatorToken(payload []byte, key types.EncryptionKey) (*WrapToken, error)
NewInitiatorToken builds a new initiator token (acceptor flag will be set to 0) and computes the authenticated checksum. Other flags are set to 0, and the RRC and sequence number are initialized to 0. Note that in certain circumstances you may need to provide a sequence number that has been defined earlier. This is currently not supported.
func (*WrapToken) ComputeAndSetCheckSum ¶
func (wt *WrapToken) ComputeAndSetCheckSum(key types.EncryptionKey, keyUsage uint32) error
ComputeAndSetCheckSum uses the passed encryption key and key usage to compute the checksum over the payload and the header, and sets the CheckSum field of this WrapToken. If the payload has not been set or the checksum has already been set, an error is returned.
func (*WrapToken) ComputeCheckSum ¶
ComputeCheckSum computes and returns the checksum of this token, computed using the passed key and key usage. Conforms to RFC 4121 in that the checksum will be computed over { body | header }, with the EC and RRC flags zeroed out. In the context of Kerberos Wrap tokens, mostly keyusage GSSAPI_ACCEPTOR_SEAL (=22) and GSSAPI_INITIATOR_SEAL (=24) will be used. Note: This will NOT update the struct's Checksum field.
func (*WrapToken) Marshal ¶ added in v1.5.5
Marshal the WrapToken into a byte slice. The payload should have been set and the checksum computed, otherwise an error is returned.
func (*WrapToken) Unmarshal ¶ added in v1.5.5
Unmarshal bytes into the corresponding WrapToken. If expectFromAcceptor is true, we expect the token to have been emitted by the gss acceptor, and will check the according flag, returning an error if the token does not match the expectation.
func (*WrapToken) VerifyCheckSum ¶
VerifyCheckSum computes the token's checksum with the provided key and usage, and compares it to the checksum present in the token. In case of any failure, (false, Err) is returned, with Err an explanatory error.