netlogon

package
v1.0.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 29, 2024 License: MIT Imports: 12 Imported by: 0

Documentation

Overview

package netlogon implements the Netlogon secure channel client security service client as described in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/fb50db72-7f71-478d-a180-12eb0ca3b36b.

This package also contains client-side GSSAPI bindings (InitSecurityContext, Wrap, Unwrap and so on).

Index

Constants

View Source 
const (
	CapR0                     = 1 << (31 - 0)
	CapSecureRPC              = 1 << (31 - 1)
	CapR2                     = 1 << (31 - 2)
	CapR3                     = 1 << (31 - 3)
	CapR4                     = 1 << (31 - 4)
	CapR5                     = 1 << (31 - 5)
	CapR6                     = 1 << (31 - 6)
	CapAES_SHA2               = 1 << (31 - 7)
	CapR8                     = 1 << (31 - 8)
	CapR9                     = 1 << (31 - 9)
	CapRODCPassThrough        = 1 << (31 - 10)
	CapIgnoreNT4EmuADM        = 1 << (31 - 11)
	CapCrossForestTrust       = 1 << (31 - 12)
	CapNetrLogonGetDomainInfo = 1 << (31 - 13)
	CapNetrServerPasswordSet2 = 1 << (31 - 14)
	CapR15                    = 1 << (31 - 15)
	CapTransitiveTrust        = 1 << (31 - 16)
	CapStrongKey              = 1 << (31 - 17)
	CapAvoidSAReplication     = 1 << (31 - 18)
	CapAvoidUAReplication     = 1 << (31 - 19)
	CapConcurrentRPC          = 1 << (31 - 20)
	CapGenericPassthrough     = 1 << (31 - 21)
	CapNetrLogonSendToSam     = 1 << (31 - 22)
	CapRefusePasswdChange     = 1 << (31 - 23)
	CapNetrDatabaseRedo       = 1 << (31 - 24)
	CapNotReqValidationLevel2 = 1 << (31 - 25)
	CapRestartFullSync        = 1 << (31 - 26)
	CapBDCHandlingChangelog   = 1 << (31 - 27)
	CapR28                    = 1 << (31 - 28)
	CapRC4                    = 1 << (31 - 29)
	CapPersistentDBUpdate     = 1 << (31 - 30)
	CapR31                    = 1 << (31 - 31)
)

Variables

View Source 
var (
	MechanismType = gssapi.OID{1, 2, 752, 43, 14, 2}
)

Functions

func ComputeSessionKey 

func ComputeSessionKey(ctx context.Context, caps Cap, cred Credential, client, server []byte) ([]byte, error)

func DeriveKey 

func DeriveKey(ctx context.Context, cred Credential) ([]byte, error)

func IsValidCredential added in v1.0.2 

func IsValidCredential(cred any) bool

Types

type AuthMessage 

type AuthMessage struct {
	// A 32-bit unsigned integer. This value is used to indicate whether
	// the message is a negotiate request message sent from a client to
	// a server, or a negotiate response message sent from the server to
	// the client.
	MessageType MessageType
	// A set of bit flags indicating the principal names carried in the
	// request. A flag is TRUE (or set) if its value is equal to 1
	Flags NegFlag
	// NetBIOS domain name as an OEM_STRING.
	NetBIOSDomainName string
	// NetBIOS computer name as an OEM_STRING.
	NetBIOSComputerName string
	// DNS domain name as a compressed UTF-8 string, as specified in [RFC1035].
	DNSDomainName string
	// DNS host name as a compressed UTF-8 string.
	DNSHostName string
}

The NL_AUTH_MESSAGE structure is a token containing information that is part of the first message in establishing a security context between a client and a server. It is used for establishing the secure session when Netlogon functions as a security support provider (SSP).

func (*AuthMessage) Marshal 

func (m *AuthMessage) Marshal() ([]byte, error)

func (*AuthMessage) Unmarshal 

func (m *AuthMessage) Unmarshal(b []byte) error

type Authentifier 

type Authentifier struct {
	Config *Config
	// contains filtered or unexported fields
}

func (*Authentifier) AuthMessageInit 

func (a *Authentifier) AuthMessageInit(ctx context.Context) ([]byte, error)

func (*Authentifier) AuthMessageReply 

func (a *Authentifier) AuthMessageReply(ctx context.Context, b []byte) ([]byte, error)

func (*Authentifier) MakeInboundSignature 

func (a *Authentifier) MakeInboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)

func (*Authentifier) MakeOutboundSignature 

func (a *Authentifier) MakeOutboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)

func (*Authentifier) OutboundSignatureSize 

func (a *Authentifier) OutboundSignatureSize(ctx context.Context, conf bool) int

func (*Authentifier) SessionKey 

func (a *Authentifier) SessionKey() []byte

func (*Authentifier) UnwrapInboundPayload 

func (a *Authentifier) UnwrapInboundPayload(ctx context.Context, forSign, forSeal [][]byte, sgn []byte) ([]byte, error)

func (*Authentifier) WrapOutboundPayload 

func (a *Authentifier) WrapOutboundPayload(ctx context.Context, forSign, forSeal [][]byte) ([]byte, error)

type Cap 

type Cap uint32

func (Cap) IsSet 

func (c Cap) IsSet(cc Cap) bool

type Config 

type Config struct {
	ServerName      string
	Capabilities    Cap
	Credential      Credential
	ClientChallenge []byte
	ServerChallenge []byte
	IsServer        bool
}

func NewConfig 

func NewConfig() *Config

func (Config) Type 

func (Config) Type() gssapi.OID

type Credential 

type Credential = credential.Credential

The generic credential.

type Mechanism 

type Mechanism struct {
	*Authentifier
}

func (*Mechanism) Accept 

func (m *Mechanism) Accept(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context accept call.

func (Mechanism) DefaultConfig 

func (Mechanism) DefaultConfig(ctx context.Context) (gssapi.MechanismConfig, error)

DefaultConfig function returns the default config.

func (*Mechanism) Init 

func (m *Mechanism) Init(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

func (*Mechanism) MakeSignature 

func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

MakeSignature token.

func (*Mechanism) MakeSignatureEx 

func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

MakeSignature token.

func (Mechanism) New 

func (Mechanism) New(ctx context.Context) (gssapi.Mechanism, error)

New function returns the new mechanism instance from the GSSAPI configuration.

func (Mechanism) Type 

func (Mechanism) Type() gssapi.OID

The mechanism type object identifier.

func (*Mechanism) Unwrap 

func (m *Mechanism) Unwrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

Unwrap token.

func (*Mechanism) UnwrapEx 

func (m *Mechanism) UnwrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

UnwrapEx function accepts the list of encrypted payloads and signature and returns the unencrypted paylaod.

func (*Mechanism) VerifySignature 

func (m *Mechanism) VerifySignature(ctx context.Context, tok *gssapi.MessageToken) error

VerifySignature token.

func (*Mechanism) VerifySignatureEx 

func (m *Mechanism) VerifySignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) error

VerifySignatureEx token.

func (*Mechanism) Wrap 

func (m *Mechanism) Wrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

Wrap token.

func (*Mechanism) WrapEx 

func (m *Mechanism) WrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

WrapEx function accepts the list of unencrypted payloads and returns the encrypted payload and signature.

func (*Mechanism) WrapSizeLimit 

func (m *Mechanism) WrapSizeLimit(ctx context.Context, sz int, conf bool) int

The maximum message size for the given limit. (and flag determining if conf is required).

type MessageType 

type MessageType uint32
const (
	// This is a negotiate request message.
	MessageTypeRequest MessageType = 0x00000000
	// This is a negotiate response message.
	MessageTypeResponse MessageType = 0x00000001
)

type NegFlag 

type NegFlag uint32
const (
	// Buffer contains a NetBIOS domain name as an OEM_STRING.
	NegFlagNetBIOSDomainName NegFlag = 1 << (31 - 31)
	// Buffer contains a NetBIOS computer name as an OEM_STRING.
	NegFlagNetBIOSComputerName NegFlag = 1 << (31 - 30)
	// Buffer contains a DNS domain name as a compressed UTF-8 string,
	// as specified in [RFC1035].
	NegFlagDNSDomainName NegFlag = 1 << (31 - 29)
	// Buffer contains a DNS host name as a compressed UTF-8 string.
	NegFlagDNSHostName NegFlag = 1 << (31 - 28)
	// Buffer contains a NetBIOS computer name as a compressed UTF-8
	// string.
	NegFlagNetBIOSComputerNameUTF8 NegFlag = 1 << (31 - 27)
)

func (NegFlag) IsSet 

func (c NegFlag) IsSet(cc NegFlag) bool

type SecureCredential 

type SecureCredential struct {
	// contains filtered or unexported fields
}

func NewSecureCredential 

func NewSecureCredential(ctx context.Context, cfg *Config) (*SecureCredential, error)

func (*SecureCredential) Encrypt 

func (a *SecureCredential) Encrypt(ctx context.Context, cred []byte) ([]byte, error)

func (*SecureCredential) Next 

func (a *SecureCredential) Next(ctx context.Context, inc uint32) ([]byte, error)

func (*SecureCredential) Verify 

func (a *SecureCredential) Verify(ctx context.Context, inc uint32, cred []byte) error

type SecurityService 

type SecurityService struct {
	Key                    []byte
	InboundSequenceNumber  uint64
	OutboundSequenceNumber uint64
	OutboundCipher         crypto.Cipher
	InboundCipher          crypto.Cipher
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.