messages

package
v8.4.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 25, 2023 License: Apache-2.0 Imports: 24 Imported by: 72

Documentation

Overview

Package messages implements Kerberos 5 message types and methods.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MarshalTicketSequence

func MarshalTicketSequence(tkts []Ticket) (asn1.RawValue, error)

MarshalTicketSequence marshals a slice of Tickets returning an ASN1 raw value containing the ticket sequence.

Types

type APRep

type APRep struct {
	PVNO    int                 `asn1:"explicit,tag:0"`
	MsgType int                 `asn1:"explicit,tag:1"`
	EncPart types.EncryptedData `asn1:"explicit,tag:2"`
}

APRep implements RFC 4120 KRB_AP_REP: https://tools.ietf.org/html/rfc4120#section-5.5.2.

func (*APRep) Unmarshal

func (a *APRep) Unmarshal(b []byte) error

Unmarshal bytes b into the APRep struct.

type APReq

type APReq struct {
	PVNO                   int                 `asn1:"explicit,tag:0"`
	MsgType                int                 `asn1:"explicit,tag:1"`
	APOptions              asn1.BitString      `asn1:"explicit,tag:2"`
	Ticket                 Ticket              `asn1:"explicit,tag:3"`
	EncryptedAuthenticator types.EncryptedData `asn1:"explicit,tag:4"`
	Authenticator          types.Authenticator `asn1:"optional"`
}

APReq implements RFC 4120 KRB_AP_REQ: https://tools.ietf.org/html/rfc4120#section-5.5.1.

func NewAPReq

func NewAPReq(tkt Ticket, sessionKey types.EncryptionKey, auth types.Authenticator) (APReq, error)

NewAPReq generates a new KRB_AP_REQ struct.

func (*APReq) DecryptAuthenticator

func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) error

DecryptAuthenticator decrypts the Authenticator within the AP_REQ. sessionKey may simply be the key within the decrypted EncPart of the ticket within the AP_REQ.

func (*APReq) Marshal

func (a *APReq) Marshal() ([]byte, error)

Marshal APReq struct.

func (*APReq) Unmarshal

func (a *APReq) Unmarshal(b []byte) error

Unmarshal bytes b into the APReq struct.

func (*APReq) Verify

func (a *APReq) Verify(kt *keytab.Keytab, d time.Duration, cAddr types.HostAddress, snameOverride *types.PrincipalName) (bool, error)

Verify an AP_REQ using service's keytab, spn and max acceptable clock skew duration. The service ticket encrypted part and authenticator will be decrypted as part of this operation.

type ASRep

type ASRep struct {
	KDCRepFields
}

ASRep implements RFC 4120 KRB_AS_REP: https://tools.ietf.org/html/rfc4120#section-5.4.2.

func (*ASRep) DecryptEncPart

func (k *ASRep) DecryptEncPart(c *credentials.Credentials) (types.EncryptionKey, error)

DecryptEncPart decrypts the encrypted part of an AS_REP.

func (*ASRep) Marshal added in v8.4.0

func (k *ASRep) Marshal() ([]byte, error)

Marshal ASRep struct.

func (*ASRep) Unmarshal

func (k *ASRep) Unmarshal(b []byte) error

Unmarshal bytes b into the ASRep struct.

func (*ASRep) Verify

func (k *ASRep) Verify(cfg *config.Config, creds *credentials.Credentials, asReq ASReq) (bool, error)

Verify checks the validity of AS_REP message.

type ASReq

type ASReq struct {
	KDCReqFields
}

ASReq implements RFC 4120 KRB_AS_REQ: https://tools.ietf.org/html/rfc4120#section-5.4.1.

func NewASReq

func NewASReq(realm string, c *config.Config, cname, sname types.PrincipalName) (ASReq, error)

NewASReq generates a new KRB_AS_REQ struct for a given SNAME.

func NewASReqForChgPasswd

func NewASReqForChgPasswd(realm string, c *config.Config, cname types.PrincipalName) (ASReq, error)

NewASReqForChgPasswd generates a new KRB_AS_REQ struct for a change password request.

func NewASReqForTGT

func NewASReqForTGT(realm string, c *config.Config, cname types.PrincipalName) (ASReq, error)

NewASReqForTGT generates a new KRB_AS_REQ struct for a TGT request.

func (*ASReq) Marshal

func (k *ASReq) Marshal() ([]byte, error)

Marshal ASReq struct.

func (*ASReq) Unmarshal

func (k *ASReq) Unmarshal(b []byte) error

Unmarshal bytes b into the ASReq struct.

type EncAPRepPart

type EncAPRepPart struct {
	CTime          time.Time           `asn1:"generalized,explicit,tag:0"`
	Cusec          int                 `asn1:"explicit,tag:1"`
	Subkey         types.EncryptionKey `asn1:"optional,explicit,tag:2"`
	SequenceNumber int64               `asn1:"optional,explicit,tag:3"`
}

EncAPRepPart is the encrypted part of KRB_AP_REP.

func (*EncAPRepPart) Unmarshal

func (a *EncAPRepPart) Unmarshal(b []byte) error

Unmarshal bytes b into the APRep encrypted part struct.

type EncKDCRepPart

type EncKDCRepPart struct {
	Key           types.EncryptionKey  `asn1:"explicit,tag:0"`
	LastReqs      []LastReq            `asn1:"explicit,tag:1"`
	Nonce         int                  `asn1:"explicit,tag:2"`
	KeyExpiration time.Time            `asn1:"generalized,explicit,optional,tag:3"`
	Flags         asn1.BitString       `asn1:"explicit,tag:4"`
	AuthTime      time.Time            `asn1:"generalized,explicit,tag:5"`
	StartTime     time.Time            `asn1:"generalized,explicit,optional,tag:6"`
	EndTime       time.Time            `asn1:"generalized,explicit,tag:7"`
	RenewTill     time.Time            `asn1:"generalized,explicit,optional,tag:8"`
	SRealm        string               `asn1:"generalstring,explicit,tag:9"`
	SName         types.PrincipalName  `asn1:"explicit,tag:10"`
	CAddr         []types.HostAddress  `asn1:"explicit,optional,tag:11"`
	EncPAData     types.PADataSequence `asn1:"explicit,optional,tag:12"`
}

EncKDCRepPart is the encrypted part of KRB_KDC_REP.

func (*EncKDCRepPart) Marshal added in v8.4.0

func (e *EncKDCRepPart) Marshal() ([]byte, error)

Marshal encrypted part of KRB_KDC_REP.

func (*EncKDCRepPart) Unmarshal

func (e *EncKDCRepPart) Unmarshal(b []byte) error

Unmarshal bytes b into encrypted part of KRB_KDC_REP.

type EncKrbCredPart

type EncKrbCredPart struct {
	TicketInfo []KrbCredInfo     `asn1:"explicit,tag:0"`
	Nouce      int               `asn1:"optional,explicit,tag:1"`
	Timestamp  time.Time         `asn1:"generalized,optional,explicit,tag:2"`
	Usec       int               `asn1:"optional,explicit,tag:3"`
	SAddress   types.HostAddress `asn1:"optional,explicit,tag:4"`
	RAddress   types.HostAddress `asn1:"optional,explicit,tag:5"`
}

EncKrbCredPart is the encrypted part of KRB_CRED.

func (*EncKrbCredPart) Unmarshal

func (k *EncKrbCredPart) Unmarshal(b []byte) error

Unmarshal bytes b into the encrypted part of KRB_CRED.

type EncKrbPrivPart

type EncKrbPrivPart struct {
	UserData       []byte            `asn1:"explicit,tag:0"`
	Timestamp      time.Time         `asn1:"generalized,optional,explicit,tag:1"`
	Usec           int               `asn1:"optional,explicit,tag:2"`
	SequenceNumber int64             `asn1:"optional,explicit,tag:3"`
	SAddress       types.HostAddress `asn1:"explicit,tag:4"`
	RAddress       types.HostAddress `asn1:"optional,explicit,tag:5"`
}

EncKrbPrivPart is the encrypted part of KRB_PRIV.

func (*EncKrbPrivPart) Unmarshal

func (k *EncKrbPrivPart) Unmarshal(b []byte) error

Unmarshal bytes b into the EncKrbPrivPart struct.

type EncTicketPart

type EncTicketPart struct {
	Flags             asn1.BitString          `asn1:"explicit,tag:0"`
	Key               types.EncryptionKey     `asn1:"explicit,tag:1"`
	CRealm            string                  `asn1:"generalstring,explicit,tag:2"`
	CName             types.PrincipalName     `asn1:"explicit,tag:3"`
	Transited         TransitedEncoding       `asn1:"explicit,tag:4"`
	AuthTime          time.Time               `asn1:"generalized,explicit,tag:5"`
	StartTime         time.Time               `asn1:"generalized,explicit,optional,tag:6"`
	EndTime           time.Time               `asn1:"generalized,explicit,tag:7"`
	RenewTill         time.Time               `asn1:"generalized,explicit,optional,tag:8"`
	CAddr             types.HostAddresses     `asn1:"explicit,optional,tag:9"`
	AuthorizationData types.AuthorizationData `asn1:"explicit,optional,tag:10"`
}

EncTicketPart is the encrypted part of the Ticket.

func (*EncTicketPart) Unmarshal

func (t *EncTicketPart) Unmarshal(b []byte) error

Unmarshal bytes b into the EncTicketPart struct.

type KDCRepFields

type KDCRepFields struct {
	PVNO             int
	MsgType          int
	PAData           []types.PAData
	CRealm           string
	CName            types.PrincipalName
	Ticket           Ticket
	EncPart          types.EncryptedData
	DecryptedEncPart EncKDCRepPart
}

KDCRepFields represents the KRB_KDC_REP fields.

type KDCReqBody

type KDCReqBody struct {
	KDCOptions        asn1.BitString      `asn1:"explicit,tag:0"`
	CName             types.PrincipalName `asn1:"explicit,optional,tag:1"`
	Realm             string              `asn1:"generalstring,explicit,tag:2"`
	SName             types.PrincipalName `asn1:"explicit,optional,tag:3"`
	From              time.Time           `asn1:"generalized,explicit,optional,tag:4"`
	Till              time.Time           `asn1:"generalized,explicit,tag:5"`
	RTime             time.Time           `asn1:"generalized,explicit,optional,tag:6"`
	Nonce             int                 `asn1:"explicit,tag:7"`
	EType             []int32             `asn1:"explicit,tag:8"`
	Addresses         []types.HostAddress `asn1:"explicit,optional,tag:9"`
	EncAuthData       types.EncryptedData `asn1:"explicit,optional,tag:10"`
	AdditionalTickets []Ticket            `asn1:"explicit,optional,tag:11"`
}

KDCReqBody implements the KRB_KDC_REQ request body.

func (*KDCReqBody) Marshal

func (k *KDCReqBody) Marshal() ([]byte, error)

Marshal KRB_KDC_REQ body struct.

func (*KDCReqBody) Unmarshal

func (k *KDCReqBody) Unmarshal(b []byte) error

Unmarshal bytes b into the KRB_KDC_REQ body struct.

type KDCReqFields

type KDCReqFields struct {
	PVNO    int
	MsgType int
	PAData  types.PADataSequence
	ReqBody KDCReqBody
	Renewal bool
}

KDCReqFields represents the KRB_KDC_REQ fields.

type KRBCred

type KRBCred struct {
	PVNO             int
	MsgType          int
	Tickets          []Ticket
	EncPart          types.EncryptedData
	DecryptedEncPart EncKrbCredPart
}

KRBCred implements RFC 4120 KRB_CRED: https://tools.ietf.org/html/rfc4120#section-5.8.1.

func (*KRBCred) DecryptEncPart

func (k *KRBCred) DecryptEncPart(key types.EncryptionKey) error

DecryptEncPart decrypts the encrypted part of a KRB_CRED.

func (*KRBCred) Unmarshal

func (k *KRBCred) Unmarshal(b []byte) error

Unmarshal bytes b into the KRBCred struct.

type KRBError

type KRBError struct {
	PVNO      int                 `asn1:"explicit,tag:0"`
	MsgType   int                 `asn1:"explicit,tag:1"`
	CTime     time.Time           `asn1:"generalized,optional,explicit,tag:2"`
	Cusec     int                 `asn1:"optional,explicit,tag:3"`
	STime     time.Time           `asn1:"generalized,explicit,tag:4"`
	Susec     int                 `asn1:"explicit,tag:5"`
	ErrorCode int32               `asn1:"explicit,tag:6"`
	CRealm    string              `asn1:"generalstring,optional,explicit,tag:7"`
	CName     types.PrincipalName `asn1:"optional,explicit,tag:8"`
	Realm     string              `asn1:"generalstring,explicit,tag:9"`
	SName     types.PrincipalName `asn1:"explicit,tag:10"`
	EText     string              `asn1:"generalstring,optional,explicit,tag:11"`
	EData     []byte              `asn1:"optional,explicit,tag:12"`
}

KRBError implements RFC 4120 KRB_ERROR: https://tools.ietf.org/html/rfc4120#section-5.9.1.

func NewKRBError

func NewKRBError(sname types.PrincipalName, realm string, code int32, etext string) KRBError

NewKRBError creates a new KRBError.

func (KRBError) Error

func (k KRBError) Error() string

Error method implementing error interface on KRBError struct.

func (*KRBError) Marshal added in v8.4.0

func (k *KRBError) Marshal() ([]byte, error)

Marshal a KRBError into bytes.

func (*KRBError) Unmarshal

func (k *KRBError) Unmarshal(b []byte) error

Unmarshal bytes b into the KRBError struct.

type KRBPriv

type KRBPriv struct {
	PVNO             int                 `asn1:"explicit,tag:0"`
	MsgType          int                 `asn1:"explicit,tag:1"`
	EncPart          types.EncryptedData `asn1:"explicit,tag:3"`
	DecryptedEncPart EncKrbPrivPart      `asn1:"optional,omitempty"` // Not part of ASN1 bytes so marked as optional so unmarshalling works
}

KRBPriv implements RFC 4120 type: https://tools.ietf.org/html/rfc4120#section-5.7.1.

func NewKRBPriv

func NewKRBPriv(part EncKrbPrivPart) KRBPriv

NewKRBPriv returns a new KRBPriv type.

func (*KRBPriv) DecryptEncPart

func (k *KRBPriv) DecryptEncPart(key types.EncryptionKey) error

DecryptEncPart decrypts the encrypted part of the KRBPriv message.

func (*KRBPriv) EncryptEncPart

func (k *KRBPriv) EncryptEncPart(key types.EncryptionKey) error

EncryptEncPart encrypts the DecryptedEncPart within the KRBPriv. Use to prepare for marshaling.

func (*KRBPriv) Marshal

func (k *KRBPriv) Marshal() ([]byte, error)

Marshal the KRBPriv.

func (*KRBPriv) Unmarshal

func (k *KRBPriv) Unmarshal(b []byte) error

Unmarshal bytes b into the KRBPriv struct.

type KRBSafe

type KRBSafe struct {
	PVNO     int            `asn1:"explicit,tag:0"`
	MsgType  int            `asn1:"explicit,tag:1"`
	SafeBody KRBSafeBody    `asn1:"explicit,tag:2"`
	Cksum    types.Checksum `asn1:"explicit,tag:3"`
}

KRBSafe implements RFC 4120 KRB_SAFE: https://tools.ietf.org/html/rfc4120#section-5.6.1.

func (*KRBSafe) Unmarshal

func (s *KRBSafe) Unmarshal(b []byte) error

Unmarshal bytes b into the KRBSafe struct.

type KRBSafeBody

type KRBSafeBody struct {
	UserData       []byte            `asn1:"explicit,tag:0"`
	Timestamp      time.Time         `asn1:"generalized,optional,explicit,tag:1"`
	Usec           int               `asn1:"optional,explicit,tag:2"`
	SequenceNumber int64             `asn1:"optional,explicit,tag:3"`
	SAddress       types.HostAddress `asn1:"explicit,tag:4"`
	RAddress       types.HostAddress `asn1:"optional,explicit,tag:5"`
}

KRBSafeBody implements the KRB_SAFE_BODY of KRB_SAFE.

type KrbCredInfo

type KrbCredInfo struct {
	Key       types.EncryptionKey `asn1:"explicit,tag:0"`
	PRealm    string              `asn1:"generalstring,optional,explicit,tag:1"`
	PName     types.PrincipalName `asn1:"optional,explicit,tag:2"`
	Flags     asn1.BitString      `asn1:"optional,explicit,tag:3"`
	AuthTime  time.Time           `asn1:"generalized,optional,explicit,tag:4"`
	StartTime time.Time           `asn1:"generalized,optional,explicit,tag:5"`
	EndTime   time.Time           `asn1:"generalized,optional,explicit,tag:6"`
	RenewTill time.Time           `asn1:"generalized,optional,explicit,tag:7"`
	SRealm    string              `asn1:"optional,explicit,ia5,tag:8"`
	SName     types.PrincipalName `asn1:"optional,explicit,tag:9"`
	CAddr     types.HostAddresses `asn1:"optional,explicit,tag:10"`
}

KrbCredInfo is the KRB_CRED_INFO part of KRB_CRED.

type LastReq

type LastReq struct {
	LRType  int32     `asn1:"explicit,tag:0"`
	LRValue time.Time `asn1:"generalized,explicit,tag:1"`
}

LastReq part of KRB_KDC_REP.

type TGSRep

type TGSRep struct {
	KDCRepFields
}

TGSRep implements RFC 4120 KRB_TGS_REP: https://tools.ietf.org/html/rfc4120#section-5.4.2.

func (*TGSRep) DecryptEncPart

func (k *TGSRep) DecryptEncPart(key types.EncryptionKey) error

DecryptEncPart decrypts the encrypted part of an TGS_REP.

func (*TGSRep) Marshal added in v8.4.0

func (k *TGSRep) Marshal() ([]byte, error)

Marshal TGSRep struct.

func (*TGSRep) Unmarshal

func (k *TGSRep) Unmarshal(b []byte) error

Unmarshal bytes b into the TGSRep struct.

func (*TGSRep) Verify

func (k *TGSRep) Verify(cfg *config.Config, tgsReq TGSReq) (bool, error)

Verify checks the validity of the TGS_REP message.

type TGSReq

type TGSReq struct {
	KDCReqFields
}

TGSReq implements RFC 4120 KRB_TGS_REQ: https://tools.ietf.org/html/rfc4120#section-5.4.1.

func NewTGSReq

func NewTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, tgt Ticket, sessionKey types.EncryptionKey, sname types.PrincipalName, renewal bool) (TGSReq, error)

NewTGSReq generates a new KRB_TGS_REQ struct.

func NewUser2UserTGSReq

func NewUser2UserTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, clientTGT Ticket, sessionKey types.EncryptionKey, sname types.PrincipalName, renewal bool, verifyingTGT Ticket) (TGSReq, error)

NewUser2UserTGSReq returns a TGS-REQ suitable for user-to-user authentication (https://tools.ietf.org/html/rfc4120#section-3.7)

func (*TGSReq) Marshal

func (k *TGSReq) Marshal() ([]byte, error)

Marshal TGSReq struct.

func (*TGSReq) Unmarshal

func (k *TGSReq) Unmarshal(b []byte) error

Unmarshal bytes b into the TGSReq struct.

type Ticket

type Ticket struct {
	TktVNO           int                 `asn1:"explicit,tag:0"`
	Realm            string              `asn1:"generalstring,explicit,tag:1"`
	SName            types.PrincipalName `asn1:"explicit,tag:2"`
	EncPart          types.EncryptedData `asn1:"explicit,tag:3"`
	DecryptedEncPart EncTicketPart       `asn1:"optional"` // Not part of ASN1 bytes so marked as optional so unmarshalling works
}

Ticket implements the Kerberos ticket.

func NewTicket

func NewTicket(cname types.PrincipalName, crealm string, sname types.PrincipalName, srealm string, flags asn1.BitString, sktab *keytab.Keytab, eTypeID int32, kvno int, authTime, startTime, endTime, renewTill time.Time) (Ticket, types.EncryptionKey, error)

NewTicket creates a new Ticket instance.

func (*Ticket) Decrypt

func (t *Ticket) Decrypt(key types.EncryptionKey) error

Decrypt decrypts the encrypted part of the ticket using the key provided.

func (*Ticket) DecryptEncPart

func (t *Ticket) DecryptEncPart(keytab *keytab.Keytab, sname *types.PrincipalName) error

DecryptEncPart decrypts the encrypted part of the ticket. The sname argument can be used to specify which service principal's key should be used to decrypt the ticket. If nil is passed as the sname then the service principal specified within the ticket it used.

func (*Ticket) GetPACType

func (t *Ticket) GetPACType(keytab *keytab.Keytab, sname *types.PrincipalName, l *log.Logger) (bool, pac.PACType, error)

GetPACType returns a Microsoft PAC that has been extracted from the ticket and processed.

func (*Ticket) Marshal

func (t *Ticket) Marshal() ([]byte, error)

Marshal the Ticket.

func (*Ticket) Unmarshal

func (t *Ticket) Unmarshal(b []byte) error

Unmarshal bytes b into a Ticket struct.

func (*Ticket) Valid

func (t *Ticket) Valid(d time.Duration) (bool, error)

Valid checks it the ticket is currently valid. Max duration passed endtime passed in as argument.

type TransitedEncoding

type TransitedEncoding struct {
	TRType   int32  `asn1:"explicit,tag:0"`
	Contents []byte `asn1:"explicit,tag:1"`
}

TransitedEncoding part of the ticket's encrypted part.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL