Documentation ¶
Overview ¶
Package netlogon implements the Netlogon secure channel security service client, as described in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/fb50db72-7f71-478d-a180-12eb0ca3b36b.
This package also contains client-side GSSAPI bindings (InitSecurityContext, Wrap, Unwrap and so on).
Index ¶
- Constants
- Variables
- func ComputeSessionKey(ctx context.Context, caps Cap, cred Credential, client, server []byte) ([]byte, error)
- func DeriveKey(ctx context.Context, cred Credential) ([]byte, error)
- func IsValidCredential(cred any) bool
- type AuthMessage
- type Authentifier
- func (a *Authentifier) AuthMessageInit(ctx context.Context) ([]byte, error)
- func (a *Authentifier) AuthMessageReply(ctx context.Context, b []byte) ([]byte, error)
- func (a *Authentifier) MakeInboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)
- func (a *Authentifier) MakeOutboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)
- func (a *Authentifier) OutboundSignatureSize(ctx context.Context, conf bool) int
- func (a *Authentifier) SessionKey() []byte
- func (a *Authentifier) UnwrapInboundPayload(ctx context.Context, forSign, forSeal [][]byte, sgn []byte) ([]byte, error)
- func (a *Authentifier) WrapOutboundPayload(ctx context.Context, forSign, forSeal [][]byte) ([]byte, error)
- type Cap
- type Config
- type Credential
- type Mechanism
- func (m *Mechanism) Accept(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)
- func (Mechanism) DefaultConfig(ctx context.Context) (gssapi.MechanismConfig, error)
- func (m *Mechanism) Init(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)
- func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
- func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
- func (Mechanism) New(ctx context.Context) (gssapi.Mechanism, error)
- func (Mechanism) Type() gssapi.OID
- func (m *Mechanism) Unwrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
- func (m *Mechanism) UnwrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
- func (m *Mechanism) VerifySignature(ctx context.Context, tok *gssapi.MessageToken) error
- func (m *Mechanism) VerifySignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) error
- func (m *Mechanism) Wrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
- func (m *Mechanism) WrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
- func (m *Mechanism) WrapSizeLimit(ctx context.Context, sz int, conf bool) int
- type MessageType
- type NegFlag
- type SecureCredential
- type SecurityService
Constants ¶
// Netlogon negotiate capability flags exchanged when the secure channel is
// set up (the MS-NRPC negotiate flags; see the specification linked in the
// package overview). Every constant is a single bit. The bits are numbered
// from the most significant bit, so 1 << (31 - n) is bit position n of the
// MS-NRPC bit-field diagram.
//
// The CapR* names appear to be reserved/unassigned positions, and the other
// per-flag remarks below paraphrase the constant names only — confirm exact
// semantics against MS-NRPC. Note that CapRC4, CapStrongKey and CapAES_SHA2
// select the channel's cryptography; which of them a peer is allowed to
// negotiate is decided elsewhere in this package and is not visible here.
const (
	CapR0                     = 1 << (31 - 0)
	CapSecureRPC              = 1 << (31 - 1) // authenticated/secure RPC
	CapR2                     = 1 << (31 - 2)
	CapR3                     = 1 << (31 - 3)
	CapR4                     = 1 << (31 - 4)
	CapR5                     = 1 << (31 - 5)
	CapR6                     = 1 << (31 - 6)
	CapAES_SHA2               = 1 << (31 - 7) // AES sealing with SHA-2 signing
	CapR8                     = 1 << (31 - 8)
	CapR9                     = 1 << (31 - 9)
	CapRODCPassThrough        = 1 << (31 - 10)
	CapIgnoreNT4EmuADM        = 1 << (31 - 11)
	CapCrossForestTrust       = 1 << (31 - 12)
	CapNetrLogonGetDomainInfo = 1 << (31 - 13)
	CapNetrServerPasswordSet2 = 1 << (31 - 14)
	CapR15                    = 1 << (31 - 15)
	CapTransitiveTrust        = 1 << (31 - 16)
	CapStrongKey              = 1 << (31 - 17) // strong (non-DES) session key derivation
	CapAvoidSAReplication     = 1 << (31 - 18)
	CapAvoidUAReplication     = 1 << (31 - 19)
	CapConcurrentRPC          = 1 << (31 - 20)
	CapGenericPassthrough     = 1 << (31 - 21)
	CapNetrLogonSendToSam     = 1 << (31 - 22)
	CapRefusePasswdChange     = 1 << (31 - 23)
	CapNetrDatabaseRedo       = 1 << (31 - 24)
	CapNotReqValidationLevel2 = 1 << (31 - 25)
	CapRestartFullSync        = 1 << (31 - 26)
	CapBDCHandlingChangelog   = 1 << (31 - 27)
	CapR28                    = 1 << (31 - 28)
	CapRC4                    = 1 << (31 - 29) // legacy RC4 sealing
	CapPersistentDBUpdate     = 1 << (31 - 30)
	CapR31                    = 1 << (31 - 31)
)
Variables ¶
var (
	// MechanismType is the GSSAPI OID identifying the Netlogon security
	// service mechanism; presumably the value returned by Mechanism.Type —
	// confirm against that method.
	MechanismType = gssapi.OID{1, 2, 752, 43, 14, 2}
)
Functions ¶
func ComputeSessionKey ¶
func IsValidCredential ¶ added in v1.0.2
Types ¶
type AuthMessage ¶
// AuthMessage is the NL_AUTH_MESSAGE token carried in the first message
// when a security context is established between client and server; see
// Marshal/Unmarshal for its wire form. Which name fields are present is
// indicated by Flags.
type AuthMessage struct {
	// A 32-bit unsigned integer. This value is used to indicate whether
	// the message is a negotiate request message sent from a client to
	// a server, or a negotiate response message sent from the server to
	// the client.
	MessageType MessageType
	// A set of bit flags indicating the principal names carried in the
	// request. A flag is TRUE (or set) if its value is equal to 1.
	Flags NegFlag
	// NetBIOS domain name as an OEM_STRING.
	NetBIOSDomainName string
	// NetBIOS computer name as an OEM_STRING.
	NetBIOSComputerName string
	// DNS domain name as a compressed UTF-8 string, as specified in [RFC1035].
	DNSDomainName string
	// DNS host name as a compressed UTF-8 string.
	DNSHostName string
}
The NL_AUTH_MESSAGE structure is a token containing information that is part of the first message in establishing a security context between a client and a server. It is used for establishing the secure session when Netlogon functions as a security support provider (SSP).
func (*AuthMessage) Marshal ¶
func (m *AuthMessage) Marshal() ([]byte, error)
func (*AuthMessage) Unmarshal ¶
func (m *AuthMessage) Unmarshal(b []byte) error
type Authentifier ¶
// Authentifier holds the per-channel Netlogon state used by Mechanism: the
// negotiated session key (see SessionKey) and the signing/sealing state
// behind the Make*Signature, WrapOutboundPayload and UnwrapInboundPayload
// methods. Only Config is exported; the remaining fields are unexported.
type Authentifier struct {
	Config *Config
	// contains filtered or unexported fields
}
func (*Authentifier) AuthMessageInit ¶
func (a *Authentifier) AuthMessageInit(ctx context.Context) ([]byte, error)
func (*Authentifier) AuthMessageReply ¶
func (*Authentifier) MakeInboundSignature ¶
func (*Authentifier) MakeOutboundSignature ¶
func (*Authentifier) OutboundSignatureSize ¶
func (a *Authentifier) OutboundSignatureSize(ctx context.Context, conf bool) int
func (*Authentifier) SessionKey ¶
func (a *Authentifier) SessionKey() []byte
func (*Authentifier) UnwrapInboundPayload ¶
func (*Authentifier) WrapOutboundPayload ¶
type Config ¶
// Config carries the parameters used to establish a Netlogon secure
// channel. The field remarks below are derived from the field names and
// from the ComputeSessionKey/DeriveKey signatures in this package; confirm
// exact semantics against the implementation.
type Config struct {
	// ServerName is the name of the Netlogon server the channel is set up with.
	ServerName string
	// Capabilities is the Cap flag set negotiated for the channel.
	Capabilities Cap
	// Credential is the Credential from which the session key is derived
	// (see DeriveKey / ComputeSessionKey).
	Credential Credential
	// ClientChallenge and ServerChallenge are presumably the client/server
	// challenge bytes passed to ComputeSessionKey — confirm.
	// NOTE(review): a client challenge must be fresh, unpredictable random
	// bytes for every session; whether this package generates it or expects
	// the caller to supply it is not visible here.
	ClientChallenge []byte
	ServerChallenge []byte
	// IsServer selects the server side of the exchange when true.
	IsServer bool
}
func (*Config) Copy ¶ added in v1.1.1
func (c *Config) Copy() gssapi.MechanismConfig
type Mechanism ¶
// Mechanism is the GSSAPI mechanism for Netlogon. It embeds *Authentifier,
// which provides the secure channel state and the session key, and exposes
// the Init/Accept, Wrap/Unwrap and MakeSignature/VerifySignature methods
// (plus their Ex variants) that the gssapi interfaces require.
type Mechanism struct {
	*Authentifier
}
func (Mechanism) DefaultConfig ¶
DefaultConfig function returns the default config.
func (*Mechanism) MakeSignature ¶
func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
MakeSignature signs the token.
func (*Mechanism) MakeSignatureEx ¶
func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
MakeSignatureEx signs the token.
func (Mechanism) New ¶
New function returns the new mechanism instance from the GSSAPI configuration.
func (*Mechanism) Unwrap ¶
func (m *Mechanism) Unwrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
Unwrap unwraps the token.
func (*Mechanism) UnwrapEx ¶
func (m *Mechanism) UnwrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
UnwrapEx accepts the list of encrypted payloads and the signature and returns the unencrypted payload.
func (*Mechanism) VerifySignature ¶
VerifySignature verifies the token's signature.
func (*Mechanism) VerifySignatureEx ¶
VerifySignatureEx verifies the token's signature.
func (*Mechanism) Wrap ¶
func (m *Mechanism) Wrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
Wrap wraps the token.
func (*Mechanism) WrapEx ¶
func (m *Mechanism) WrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
WrapEx function accepts the list of unencrypted payloads and returns the encrypted payload and signature.
type MessageType ¶
// MessageType is the 32-bit NL_AUTH_MESSAGE type field (see AuthMessage.MessageType).
type MessageType uint32

// Defined NL_AUTH_MESSAGE message types.
const (
	// This is a negotiate request message.
	MessageTypeRequest MessageType = 0x00000000
	// This is a negotiate response message.
	MessageTypeResponse MessageType = 0x00000001
)
type NegFlag ¶
// NegFlag is the NL_AUTH_MESSAGE Flags bit set (see AuthMessage.Flags); each
// set bit announces that the corresponding name buffer is present.
type NegFlag uint32

// NegFlag bits. As with the Cap constants, positions are written relative to
// the most significant bit, so 1 << (31 - 31) is the least significant bit.
const (
	// Buffer contains a NetBIOS domain name as an OEM_STRING.
	NegFlagNetBIOSDomainName NegFlag = 1 << (31 - 31)
	// Buffer contains a NetBIOS computer name as an OEM_STRING.
	NegFlagNetBIOSComputerName NegFlag = 1 << (31 - 30)
	// Buffer contains a DNS domain name as a compressed UTF-8 string,
	// as specified in [RFC1035].
	NegFlagDNSDomainName NegFlag = 1 << (31 - 29)
	// Buffer contains a DNS host name as a compressed UTF-8 string.
	NegFlagDNSHostName NegFlag = 1 << (31 - 28)
	// Buffer contains a NetBIOS computer name as a compressed UTF-8
	// string.
	NegFlagNetBIOSComputerNameUTF8 NegFlag = 1 << (31 - 27)
)
type SecureCredential ¶
// SecureCredential is an opaque credential built from a Config by
// NewSecureCredential; all of its fields are unexported, so it can only be
// obtained through that constructor.
type SecureCredential struct {
	// contains filtered or unexported fields
}
func NewSecureCredential ¶
func NewSecureCredential(ctx context.Context, cfg *Config) (*SecureCredential, error)