Documentation ¶
Overview ¶
Package gssapi provides a Go interface to the Generic Security Services Application Program Interface.
The package defines an interface that GSS-API mechanism specific code should conform to.
An Initiator (i.e. a client) uses the Initiate method to start the authentication process; an Acceptor (i.e. a server) uses the Accept method instead. After that, both sides call Continue in a loop, transferring tokens between themselves over a suitable communication protocol. When IsEstablished returns true, the security context can be used to securely transfer messages or message signatures using Wrap/Unwrap or MakeSignature/VerifySignature.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FlagName ¶
func FlagName(f ContextFlag) string
FlagName returns a human-readable description of a context flag value.
func IsRegistered ¶
IsRegistered can be used to find out whether a named mechanism is registered or not.
func Register ¶
func Register(name string, f MechFactory)
Register should be called by Mech implementations to enable a mechanism to be used by clients.
Types ¶
type ContextFlag ¶
type ContextFlag uint32
const (
	ContextFlagDeleg    ContextFlag = 1 << iota // delegate credentials, not currently supported
	ContextFlagMutual                           // request remote peer authenticates itself
	ContextFlagReplay                           // enable replay detection for signed/sealed messages
	ContextFlagSequence                         // enable detection of out of sequence signed/sealed messages
	ContextFlagConf                             // confidentiality available
	ContextFlagInteg                            // integrity available
)
The GSS-API context flags and their assigned bit values.
func FlagList ¶
func FlagList(f ContextFlag) (fl []ContextFlag)
FlagList returns a slice of the individual flags that make up the composite value f.
func (ContextFlag) String ¶
func (f ContextFlag) String() string
type Mech ¶
type Mech interface {
	// IsEstablished can be used to determine whether the security
	// context between an Initiator and Acceptor is complete and
	// is ready to transfer messages between the peers.
	IsEstablished() bool

	// ContextFlags returns the security flags negotiated between
	// the initiator and acceptor. The flags *SHOULD* be checked
	// before using the context to verify that desired security
	// requirements have been met.
	ContextFlags() ContextFlag

	// PeerName returns a string representing the peer's identity.
	PeerName() string

	// SSF returns the Security Strength Factor of the channel established
	// by the security context.
	SSF() uint

	// WrapSizeLimit returns the maximum possible message size that can
	// be presented to Wrap() to produce an output token no longer than
	// requestedOutputSize bytes.
	WrapSizeLimit(requestedOutputSize uint32, confidentiality bool) uint32

	// Initiate is used by a GSS-API Initiator to start the
	// context negotiation process with a remote Acceptor.
	// serviceName is the mechanism specific name of the remote
	// Acceptor, and flags represent the desired security
	// properties of the context.
	Initiate(serviceName string, flags ContextFlag, cb *common.ChannelBinding) (err error)

	// Accept is used by a GSS-API Acceptor to begin context
	// negotiation with a remote Initiator.
	// If provided, serviceName is the mechanism specific identifier
	// of the local Acceptor.
	Accept(serviceName string) (err error)

	// Continue is called in a loop by Initiators and Acceptors after
	// first calling one of Initiate or Accept.
	// tokenIn represents a token received from the peer.
	// If tokenOut is non-empty, it should be sent to the peer.
	Continue(tokenIn []byte) (tokenOut []byte, err error)

	// Wrap is called by either peer after the context is established
	// to create a token that encapsulates a payload. If confidentiality
	// is required, the payload is encrypted (*sealed*) using a key
	// negotiated during context establishment. Otherwise, the key
	// is used to sign the payload, which is encapsulated in the clear.
	// tokenOut should be communicated to the peer, which should use Unwrap
	// on the token.
	Wrap(tokenIn []byte, confidentiality bool) (tokenOut []byte, err error)

	// Unwrap is passed a wrap token received from a peer. If the token
	// provides confidentiality, the key negotiated during context establishment
	// is used to decrypt (*unseal*) the payload. Otherwise, the key is used
	// to verify the signature that the remote Wrap call calculated for the
	// payload.
	// tokenOut is the original payload.
	// isSealed conveys whether the payload was encrypted or not.
	Unwrap(tokenIn []byte) (tokenOut []byte, isSealed bool, err error)

	// MakeSignature creates a token that includes the signature of the
	// provided payload but does not include the payload itself. The
	// output token should be sent to the peer, which should use its copy of
	// the payload (communicated separately) to verify the signature.
	MakeSignature(payload []byte) (tokenOut []byte, err error)

	// VerifySignature is used to check the signature received from a peer
	// using a local copy of the payload.
	VerifySignature(payload []byte, tokenIn []byte) (err error)
}
Mech defines the interface to a GSS-API mechanism.
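As an added example (not code from the gssapi package or any of its mechanisms), the following constructed integrity-only context shows the Wrap/Unwrap and MakeSignature/VerifySignature contract described above: wrap tokens carry the payload behind an HMAC-SHA256 tag, MIC tokens carry only the tag, and a confidentiality request is refused because ContextFlagConf was never negotiated. The integCtx type, its key, and the local ContextFlag mirror are assumptions for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Local mirror of the page's ContextFlag values used here (assumed; not the package's own).
type ContextFlag uint32
const ContextFlagConf, ContextFlagInteg ContextFlag = 1 << 4, 1 << 5

// integCtx is a constructed stand-in for an established, integrity-only context holding the
// key a real mechanism would have negotiated; tags are HMAC-SHA256 over the payload.
type integCtx struct{ key []byte }
func (c *integCtx) ContextFlags() ContextFlag { return ContextFlagInteg }
func (c *integCtx) tag(payload []byte) []byte {
	m := hmac.New(sha256.New, c.key)
	m.Write(payload)
	return m.Sum(nil)
}
// Wrap encapsulates the payload in the clear behind its tag; a confidentiality request is
// refused rather than silently downgraded because ContextFlagConf was never negotiated.
func (c *integCtx) Wrap(payload []byte, confidentiality bool) ([]byte, error) {
	if confidentiality && c.ContextFlags()&ContextFlagConf == 0 {
		return nil, errors.New("confidentiality requested but not negotiated")
	}
	return append(c.tag(payload), payload...), nil
}
// Unwrap verifies the tag and returns the original payload; isSealed is always false here.
func (c *integCtx) Unwrap(token []byte) (payload []byte, isSealed bool, err error) {
	if len(token) < sha256.Size || !hmac.Equal(token[:sha256.Size], c.tag(token[sha256.Size:])) {
		return nil, false, errors.New("wrap token failed integrity check")
	}
	return token[sha256.Size:], false, nil
}
// MakeSignature returns only the tag (the payload travels separately); VerifySignature
// checks that detached tag against the receiver's own copy of the payload.
func (c *integCtx) MakeSignature(payload []byte) ([]byte, error) { return c.tag(payload), nil }
func (c *integCtx) VerifySignature(payload, token []byte) error {
	if !hmac.Equal(token, c.tag(payload)) {
		return errors.New("signature does not match payload")
	}
	return nil
}
func main() {
	c := &integCtx{key: []byte("constructed-demo-key")} // constructed sample key
	tok, _ := c.Wrap([]byte("hello"), false)
	fmt.Println(c.Unwrap(tok))
}
```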
type MechFactory ¶
type MechFactory func() Mech