Documentation ¶
Overview ¶
Package messages implements Kerberos 5 message types and methods.
Index ¶
- func MarshalTicketSequence(tkts []Ticket) (asn1.RawValue, error)
- type APRep
- type APReq
- type ASRep
- type ASReq
- type EncAPRepPart
- type EncKDCRepPart
- type EncKrbCredPart
- type EncKrbPrivPart
- type EncTicketPart
- type KDCRepFields
- type KDCReqBody
- type KDCReqFields
- type KRBCred
- type KRBError
- type KRBPriv
- type KRBSafe
- type KRBSafeBody
- type KrbCredInfo
- type LastReq
- type TGSRep
- type TGSReq
- type Ticket
- func (t *Ticket) Decrypt(key types.EncryptionKey) error
- func (t *Ticket) DecryptEncPart(keytab *keytab.Keytab, sname *types.PrincipalName) error
- func (t *Ticket) GetPACType(keytab *keytab.Keytab, sname *types.PrincipalName, l *log.Logger) (bool, pac.PACType, error)
- func (t *Ticket) Marshal() ([]byte, error)
- func (t *Ticket) Unmarshal(b []byte) error
- func (t *Ticket) Valid(d time.Duration) (bool, error)
- type TransitedEncoding
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type APRep ¶
type APRep struct { PVNO int `asn1:"explicit,tag:0"` MsgType int `asn1:"explicit,tag:1"` EncPart types.EncryptedData `asn1:"explicit,tag:2"` }
APRep implements RFC 4120 KRB_AP_REP: https://tools.ietf.org/html/rfc4120#section-5.5.2.
type APReq ¶
type APReq struct { PVNO int `asn1:"explicit,tag:0"` MsgType int `asn1:"explicit,tag:1"` APOptions asn1.BitString `asn1:"explicit,tag:2"` Ticket Ticket `asn1:"explicit,tag:3"` EncryptedAuthenticator types.EncryptedData `asn1:"explicit,tag:4"` Authenticator types.Authenticator `asn1:"optional"` }
APReq implements RFC 4120 KRB_AP_REQ: https://tools.ietf.org/html/rfc4120#section-5.5.1.
func NewAPReq ¶
func NewAPReq(tkt Ticket, sessionKey types.EncryptionKey, auth types.Authenticator) (APReq, error)
NewAPReq generates a new KRB_AP_REQ struct.
func (*APReq) DecryptAuthenticator ¶
func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) error
DecryptAuthenticator decrypts the Authenticator within the AP_REQ. sessionKey may simply be the key within the decrypted EncPart of the ticket within the AP_REQ.
func (*APReq) Verify ¶
func (a *APReq) Verify(kt *keytab.Keytab, d time.Duration, cAddr types.HostAddress, snameOverride *types.PrincipalName) (bool, error)
Verify an AP_REQ using service's keytab, spn and max acceptable clock skew duration. The service ticket encrypted part and authenticator will be decrypted as part of this operation.
type ASRep ¶
type ASRep struct {
KDCRepFields
}
ASRep implements RFC 4120 KRB_AS_REP: https://tools.ietf.org/html/rfc4120#section-5.4.2.
func (*ASRep) DecryptEncPart ¶
func (k *ASRep) DecryptEncPart(c *credentials.Credentials) (types.EncryptionKey, error)
DecryptEncPart decrypts the encrypted part of an AS_REP.
func (*ASRep) Verify ¶
func (k *ASRep) Verify(cfg *config.Config, creds *credentials.Credentials, asReq ASReq) (bool, error)
Verify checks the validity of AS_REP message.
type ASReq ¶
type ASReq struct {
KDCReqFields
}
ASReq implements RFC 4120 KRB_AS_REQ: https://tools.ietf.org/html/rfc4120#section-5.4.1.
func NewASReqForChgPasswd ¶
NewASReqForChgPasswd generates a new KRB_AS_REQ struct for a change password request.
func NewASReqForTGT ¶
NewASReqForTGT generates a new KRB_AS_REQ struct for a TGT request.
type EncAPRepPart ¶
type EncAPRepPart struct { CTime time.Time `asn1:"generalized,explicit,tag:0"` Cusec int `asn1:"explicit,tag:1"` Subkey types.EncryptionKey `asn1:"optional,explicit,tag:2"` SequenceNumber int64 `asn1:"optional,explicit,tag:3"` }
EncAPRepPart is the encrypted part of KRB_AP_REP.
func (*EncAPRepPart) Unmarshal ¶
func (a *EncAPRepPart) Unmarshal(b []byte) error
Unmarshal bytes b into the APRep encrypted part struct.
type EncKDCRepPart ¶
type EncKDCRepPart struct { Key types.EncryptionKey `asn1:"explicit,tag:0"` LastReqs []LastReq `asn1:"explicit,tag:1"` Nonce int `asn1:"explicit,tag:2"` KeyExpiration time.Time `asn1:"generalized,explicit,optional,tag:3"` Flags asn1.BitString `asn1:"explicit,tag:4"` AuthTime time.Time `asn1:"generalized,explicit,tag:5"` StartTime time.Time `asn1:"generalized,explicit,optional,tag:6"` EndTime time.Time `asn1:"generalized,explicit,tag:7"` RenewTill time.Time `asn1:"generalized,explicit,optional,tag:8"` SRealm string `asn1:"generalstring,explicit,tag:9"` SName types.PrincipalName `asn1:"explicit,tag:10"` CAddr []types.HostAddress `asn1:"explicit,optional,tag:11"` EncPAData types.PADataSequence `asn1:"explicit,optional,tag:12"` }
EncKDCRepPart is the encrypted part of KRB_KDC_REP.
func (*EncKDCRepPart) Marshal ¶ added in v8.4.0
func (e *EncKDCRepPart) Marshal() ([]byte, error)
Marshal encrypted part of KRB_KDC_REP.
func (*EncKDCRepPart) Unmarshal ¶
func (e *EncKDCRepPart) Unmarshal(b []byte) error
Unmarshal bytes b into encrypted part of KRB_KDC_REP.
type EncKrbCredPart ¶
type EncKrbCredPart struct { TicketInfo []KrbCredInfo `asn1:"explicit,tag:0"` Nouce int `asn1:"optional,explicit,tag:1"` Timestamp time.Time `asn1:"generalized,optional,explicit,tag:2"` Usec int `asn1:"optional,explicit,tag:3"` SAddress types.HostAddress `asn1:"optional,explicit,tag:4"` RAddress types.HostAddress `asn1:"optional,explicit,tag:5"` }
EncKrbCredPart is the encrypted part of KRB_CRED.
func (*EncKrbCredPart) Unmarshal ¶
func (k *EncKrbCredPart) Unmarshal(b []byte) error
Unmarshal bytes b into the encrypted part of KRB_CRED.
type EncKrbPrivPart ¶
type EncKrbPrivPart struct { UserData []byte `asn1:"explicit,tag:0"` Timestamp time.Time `asn1:"generalized,optional,explicit,tag:1"` Usec int `asn1:"optional,explicit,tag:2"` SequenceNumber int64 `asn1:"optional,explicit,tag:3"` SAddress types.HostAddress `asn1:"explicit,tag:4"` RAddress types.HostAddress `asn1:"optional,explicit,tag:5"` }
EncKrbPrivPart is the encrypted part of KRB_PRIV.
func (*EncKrbPrivPart) Unmarshal ¶
func (k *EncKrbPrivPart) Unmarshal(b []byte) error
Unmarshal bytes b into the EncKrbPrivPart struct.
type EncTicketPart ¶
type EncTicketPart struct { Flags asn1.BitString `asn1:"explicit,tag:0"` Key types.EncryptionKey `asn1:"explicit,tag:1"` CRealm string `asn1:"generalstring,explicit,tag:2"` CName types.PrincipalName `asn1:"explicit,tag:3"` Transited TransitedEncoding `asn1:"explicit,tag:4"` AuthTime time.Time `asn1:"generalized,explicit,tag:5"` StartTime time.Time `asn1:"generalized,explicit,optional,tag:6"` EndTime time.Time `asn1:"generalized,explicit,tag:7"` RenewTill time.Time `asn1:"generalized,explicit,optional,tag:8"` CAddr types.HostAddresses `asn1:"explicit,optional,tag:9"` AuthorizationData types.AuthorizationData `asn1:"explicit,optional,tag:10"` }
EncTicketPart is the encrypted part of the Ticket.
func (*EncTicketPart) Unmarshal ¶
func (t *EncTicketPart) Unmarshal(b []byte) error
Unmarshal bytes b into the EncTicketPart struct.
type KDCRepFields ¶
type KDCRepFields struct { PVNO int MsgType int PAData []types.PAData CRealm string CName types.PrincipalName Ticket Ticket EncPart types.EncryptedData DecryptedEncPart EncKDCRepPart }
KDCRepFields represents the KRB_KDC_REP fields.
type KDCReqBody ¶
type KDCReqBody struct { KDCOptions asn1.BitString `asn1:"explicit,tag:0"` CName types.PrincipalName `asn1:"explicit,optional,tag:1"` Realm string `asn1:"generalstring,explicit,tag:2"` SName types.PrincipalName `asn1:"explicit,optional,tag:3"` From time.Time `asn1:"generalized,explicit,optional,tag:4"` Till time.Time `asn1:"generalized,explicit,tag:5"` RTime time.Time `asn1:"generalized,explicit,optional,tag:6"` Nonce int `asn1:"explicit,tag:7"` EType []int32 `asn1:"explicit,tag:8"` Addresses []types.HostAddress `asn1:"explicit,optional,tag:9"` EncAuthData types.EncryptedData `asn1:"explicit,optional,tag:10"` AdditionalTickets []Ticket `asn1:"explicit,optional,tag:11"` }
KDCReqBody implements the KRB_KDC_REQ request body.
func (*KDCReqBody) Marshal ¶
func (k *KDCReqBody) Marshal() ([]byte, error)
Marshal KRB_KDC_REQ body struct.
func (*KDCReqBody) Unmarshal ¶
func (k *KDCReqBody) Unmarshal(b []byte) error
Unmarshal bytes b into the KRB_KDC_REQ body struct.
type KDCReqFields ¶
type KDCReqFields struct { PVNO int MsgType int PAData types.PADataSequence ReqBody KDCReqBody Renewal bool }
KDCReqFields represents the KRB_KDC_REQ fields.
type KRBCred ¶
type KRBCred struct { PVNO int MsgType int Tickets []Ticket EncPart types.EncryptedData DecryptedEncPart EncKrbCredPart }
KRBCred implements RFC 4120 KRB_CRED: https://tools.ietf.org/html/rfc4120#section-5.8.1.
func (*KRBCred) DecryptEncPart ¶
func (k *KRBCred) DecryptEncPart(key types.EncryptionKey) error
DecryptEncPart decrypts the encrypted part of a KRB_CRED.
type KRBError ¶
type KRBError struct { PVNO int `asn1:"explicit,tag:0"` MsgType int `asn1:"explicit,tag:1"` CTime time.Time `asn1:"generalized,optional,explicit,tag:2"` Cusec int `asn1:"optional,explicit,tag:3"` STime time.Time `asn1:"generalized,explicit,tag:4"` Susec int `asn1:"explicit,tag:5"` ErrorCode int32 `asn1:"explicit,tag:6"` CRealm string `asn1:"generalstring,optional,explicit,tag:7"` CName types.PrincipalName `asn1:"optional,explicit,tag:8"` Realm string `asn1:"generalstring,explicit,tag:9"` SName types.PrincipalName `asn1:"explicit,tag:10"` EText string `asn1:"generalstring,optional,explicit,tag:11"` EData []byte `asn1:"optional,explicit,tag:12"` }
KRBError implements RFC 4120 KRB_ERROR: https://tools.ietf.org/html/rfc4120#section-5.9.1.
func NewKRBError ¶
NewKRBError creates a new KRBError.
type KRBPriv ¶
type KRBPriv struct { PVNO int `asn1:"explicit,tag:0"` MsgType int `asn1:"explicit,tag:1"` EncPart types.EncryptedData `asn1:"explicit,tag:3"` DecryptedEncPart EncKrbPrivPart `asn1:"optional,omitempty"` // Not part of ASN1 bytes so marked as optional so unmarshalling works }
KRBPriv implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.7.1.
func NewKRBPriv ¶
func NewKRBPriv(part EncKrbPrivPart) KRBPriv
NewKRBPriv returns a new KRBPriv type.
func (*KRBPriv) DecryptEncPart ¶
func (k *KRBPriv) DecryptEncPart(key types.EncryptionKey) error
DecryptEncPart decrypts the encrypted part of the KRBPriv message.
func (*KRBPriv) EncryptEncPart ¶
func (k *KRBPriv) EncryptEncPart(key types.EncryptionKey) error
EncryptEncPart encrypts the DecryptedEncPart within the KRBPriv. Use to prepare for marshaling.
type KRBSafe ¶
type KRBSafe struct { PVNO int `asn1:"explicit,tag:0"` MsgType int `asn1:"explicit,tag:1"` SafeBody KRBSafeBody `asn1:"explicit,tag:2"` Cksum types.Checksum `asn1:"explicit,tag:3"` }
KRBSafe implements RFC 4120 KRB_SAFE: https://tools.ietf.org/html/rfc4120#section-5.6.1.
type KRBSafeBody ¶
type KRBSafeBody struct { UserData []byte `asn1:"explicit,tag:0"` Timestamp time.Time `asn1:"generalized,optional,explicit,tag:1"` Usec int `asn1:"optional,explicit,tag:2"` SequenceNumber int64 `asn1:"optional,explicit,tag:3"` SAddress types.HostAddress `asn1:"explicit,tag:4"` RAddress types.HostAddress `asn1:"optional,explicit,tag:5"` }
KRBSafeBody implements the KRB_SAFE_BODY of KRB_SAFE.
type KrbCredInfo ¶
type KrbCredInfo struct { Key types.EncryptionKey `asn1:"explicit,tag:0"` PRealm string `asn1:"generalstring,optional,explicit,tag:1"` PName types.PrincipalName `asn1:"optional,explicit,tag:2"` Flags asn1.BitString `asn1:"optional,explicit,tag:3"` AuthTime time.Time `asn1:"generalized,optional,explicit,tag:4"` StartTime time.Time `asn1:"generalized,optional,explicit,tag:5"` EndTime time.Time `asn1:"generalized,optional,explicit,tag:6"` RenewTill time.Time `asn1:"generalized,optional,explicit,tag:7"` SRealm string `asn1:"optional,explicit,ia5,tag:8"` SName types.PrincipalName `asn1:"optional,explicit,tag:9"` CAddr types.HostAddresses `asn1:"optional,explicit,tag:10"` }
KrbCredInfo is the KRB_CRED_INFO part of KRB_CRED.
type LastReq ¶
type LastReq struct { LRType int32 `asn1:"explicit,tag:0"` LRValue time.Time `asn1:"generalized,explicit,tag:1"` }
LastReq part of KRB_KDC_REP.
type TGSRep ¶
type TGSRep struct {
KDCRepFields
}
TGSRep implements RFC 4120 KRB_TGS_REP: https://tools.ietf.org/html/rfc4120#section-5.4.2.
func (*TGSRep) DecryptEncPart ¶
func (k *TGSRep) DecryptEncPart(key types.EncryptionKey) error
DecryptEncPart decrypts the encrypted part of an TGS_REP.
type TGSReq ¶
type TGSReq struct {
KDCReqFields
}
TGSReq implements RFC 4120 KRB_TGS_REQ: https://tools.ietf.org/html/rfc4120#section-5.4.1.
func NewTGSReq ¶
func NewTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, tgt Ticket, sessionKey types.EncryptionKey, sname types.PrincipalName, renewal bool) (TGSReq, error)
NewTGSReq generates a new KRB_TGS_REQ struct.
func NewUser2UserTGSReq ¶
func NewUser2UserTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, clientTGT Ticket, sessionKey types.EncryptionKey, sname types.PrincipalName, renewal bool, verifyingTGT Ticket) (TGSReq, error)
NewUser2UserTGSReq returns a TGS-REQ suitable for user-to-user authentication (https://tools.ietf.org/html/rfc4120#section-3.7)
type Ticket ¶
type Ticket struct { TktVNO int `asn1:"explicit,tag:0"` Realm string `asn1:"generalstring,explicit,tag:1"` SName types.PrincipalName `asn1:"explicit,tag:2"` EncPart types.EncryptedData `asn1:"explicit,tag:3"` DecryptedEncPart EncTicketPart `asn1:"optional"` // Not part of ASN1 bytes so marked as optional so unmarshalling works }
Ticket implements the Kerberos ticket.
func NewTicket ¶
func NewTicket(cname types.PrincipalName, crealm string, sname types.PrincipalName, srealm string, flags asn1.BitString, sktab *keytab.Keytab, eTypeID int32, kvno int, authTime, startTime, endTime, renewTill time.Time) (Ticket, types.EncryptionKey, error)
NewTicket creates a new Ticket instance.
func (*Ticket) Decrypt ¶
func (t *Ticket) Decrypt(key types.EncryptionKey) error
Decrypt decrypts the encrypted part of the ticket using the key provided.
func (*Ticket) DecryptEncPart ¶
DecryptEncPart decrypts the encrypted part of the ticket. The sname argument can be used to specify which service principal's key should be used to decrypt the ticket. If nil is passed as the sname then the service principal specified within the ticket it used.
func (*Ticket) GetPACType ¶
func (t *Ticket) GetPACType(keytab *keytab.Keytab, sname *types.PrincipalName, l *log.Logger) (bool, pac.PACType, error)
GetPACType returns a Microsoft PAC that has been extracted from the ticket and processed.
type TransitedEncoding ¶
type TransitedEncoding struct { TRType int32 `asn1:"explicit,tag:0"` Contents []byte `asn1:"explicit,tag:1"` }
TransitedEncoding part of the ticket's encrypted part.