Documentation
Overview
Package gss implements the GSS-TSIG functions from RFC 3645. This permits sending signed dynamic DNS update messages to Windows DNS servers whose zones are configured for "Secure only" updates, i.e. zones that accept an update only when it is authenticated with a Kerberos-derived GSS-TSIG signature.
Example client:
    package main

    import (
        "fmt"
        "net"
        "time"

        "github.com/bodgit/tsig"
        c "github.com/bodgit/tsig/client"
        "github.com/bodgit/tsig/gss"
        "github.com/miekg/dns"
    )

    func main() {
        host := "ns.example.com"

        g, err := gss.New()
        if err != nil {
            panic(err)
        }
        defer g.Close()

        // Negotiate a context with the chosen server using the
        // current user. See also g.NegotiateContextWithCredentials()
        // and g.NegotiateContextWithKeytab() for alternatives
        keyname, _, err := g.NegotiateContext(host)
        if err != nil {
            panic(err)
        }

        client := c.Client{}
        client.Net = "tcp"
        // Register the GSS callbacks so the client signs and verifies
        // messages with the negotiated context instead of a shared HMAC key
        client.TsigAlgorithm = map[string]*c.TsigAlgorithm{
            tsig.GSS: {
                Generate: g.GenerateGSS,
                Verify:   g.VerifyGSS,
            },
        }
        // The TKEY name selects the context; the secret value is ignored for GSS
        client.TsigSecret = map[string]string{*keyname: ""}

        // Use the DNS client as normal
        msg := new(dns.Msg)
        msg.SetUpdate(dns.Fqdn("example.com"))

        insert, err := dns.NewRR("test.example.com. 300 A 192.0.2.1")
        if err != nil {
            panic(err)
        }
        msg.Insert([]dns.RR{insert})

        // Sign with the negotiated key; 300 is the TSIG fudge in seconds,
        // the clock skew the server will tolerate when checking the timestamp
        msg.SetTsig(*keyname, tsig.GSS, 300, time.Now().Unix())

        rr, _, err := client.Exchange(msg, net.JoinHostPort(host, "53"))
        if err != nil {
            panic(err)
        }

        if rr.Rcode != dns.RcodeSuccess {
            fmt.Printf("DNS error: %s (%d)\n", dns.RcodeToString[rr.Rcode], rr.Rcode)
        }

        // Cleanup the context
        err = g.DeleteContext(keyname)
        if err != nil {
            panic(err)
        }
    }
Under the hood, the package calls GSSAPI on platforms other than Windows, whilst on Windows it uses the native SSPI, which exposes a similar API.
Index
- type GSS
- func New() (*GSS, error)
- func (c *GSS) Close() error
- func (c *GSS) DeleteContext(keyname *string) error
- func (c *GSS) GenerateGSS(msg []byte, algorithm, name, secret string) ([]byte, error)
- func (c *GSS) NegotiateContext(host string) (*string, *time.Time, error)
- func (c *GSS) NegotiateContextWithCredentials(host, domain, username, password string) (*string, *time.Time, error)
- func (c *GSS) NegotiateContextWithKeytab(host, domain, username, path string) (*string, *time.Time, error)
- func (c *GSS) VerifyGSS(stripped []byte, t *dns.TSIG, name, secret string) error
- type SequenceState
- func NewSequenceState(sequenceNumber uint64, doReplay, doSequence, wide bool) *SequenceState
- func (ss *SequenceState) Check(sequenceNumber uint64) error
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type GSS
type GSS struct {
// contains filtered or unexported fields
}
GSS maps the TKEY name to the context that negotiated it as well as any other internal state.
func New
func New() (*GSS, error)
New performs any library initialization necessary. It returns a context handle used by all further functions along with any error that occurred.
func (*GSS) Close
func (c *GSS) Close() error
Close deletes any active contexts and unloads any underlying libraries as necessary. It returns any error that occurred.
func (*GSS) DeleteContext
func (c *GSS) DeleteContext(keyname *string) error
DeleteContext deletes the active security context associated with the given TKEY name. It returns any error that occurred.
func (*GSS) GenerateGSS
func (c *GSS) GenerateGSS(msg []byte, algorithm, name, secret string) ([]byte, error)
GenerateGSS generates the TSIG MAC based on the established context. It is intended to be called as an algorithm-specific callback. It is called with the bytes of the DNS message, the algorithm name, the TSIG name (which is the negotiated TKEY for this context) and the secret (which is ignored). It returns the bytes for the TSIG MAC and any error that occurred.
func (*GSS) NegotiateContext
func (c *GSS) NegotiateContext(host string) (*string, *time.Time, error)
NegotiateContext exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the current user. It returns the negotiated TKEY name, expiration time, and any error that occurred.
func (*GSS) NegotiateContextWithCredentials
func (c *GSS) NegotiateContextWithCredentials(host, domain, username, password string) (*string, *time.Time, error)
NegotiateContextWithCredentials exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the provided credentials. It returns the negotiated TKEY name, expiration time, and any error that occurred.
func (*GSS) NegotiateContextWithKeytab
func (c *GSS) NegotiateContextWithKeytab(host, domain, username, path string) (*string, *time.Time, error)
NegotiateContextWithKeytab exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the provided keytab. It returns the negotiated TKEY name, expiration time, and any error that occurred.
func (*GSS) VerifyGSS
func (c *GSS) VerifyGSS(stripped []byte, t *dns.TSIG, name, secret string) error
VerifyGSS verifies the TSIG MAC based on the established context. It is intended to be called as an algorithm-specific callback. It is called with the bytes of the DNS message, the TSIG record, the TSIG name (which is the negotiated TKEY for this context) and the secret (which is ignored). It returns any error that occurred.
type SequenceState (added in v0.0.2)
type SequenceState struct {
// contains filtered or unexported fields
}
SequenceState tracks previously seen sequence numbers for message replay and/or sequence protection.
func NewSequenceState (added in v0.0.2)
func NewSequenceState(sequenceNumber uint64, doReplay, doSequence, wide bool) *SequenceState
NewSequenceState returns a new SequenceState seeded with sequenceNumber, with doReplay and doSequence controlling replay and sequence protection respectively, and wide controlling whether sequence numbers are expected to wrap at a 32-bit or a 64-bit boundary.
func (*SequenceState) Check (added in v0.0.2)
func (ss *SequenceState) Check(sequenceNumber uint64) error
Check validates the next sequence number. Sequence protection requires sequence numbers to increase by one with no duplicates or out-of-order delivery. Replay protection relaxes these restrictions to permit limited out-of-order delivery while still rejecting any number that has already been seen.
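The following is an added, self-contained illustration of the replay and sequence checks described above; it is not the gss package's own SequenceState implementation and uses only the standard library. It assumes a replay window of 64 sequence numbers kept in a uint64 bitmap, that the seed passed to NewSequenceState is both the next expected number for sequence protection and the anchor of the replay window, and it invents its own sentinel errors (ErrOutOfRange, ErrSequence, ErrReplay, ErrTooOld). Distances are computed modulo the configured width so that wrap-around at the 32-bit or 64-bit boundary is handled rather than rejected.

```go
package main

import (
	"errors"
	"fmt"
)

// windowBits is how far behind the highest accepted sequence number a message
// may arrive and still be accepted under replay protection. 64 is an assumption
// of this example, chosen so the window fits one uint64 bitmap.
const windowBits = 64

var (
	ErrOutOfRange = errors.New("sequence number exceeds the configured width")
	ErrSequence   = errors.New("sequence number is not the next expected one")
	ErrReplay     = errors.New("sequence number already seen (replay)")
	ErrTooOld     = errors.New("sequence number is older than the replay window")
)

// SequenceState is an illustrative checker, not the gss package's own type.
type SequenceState struct {
	mask       uint64 // 0xffffffff for 32-bit wrap, all ones for 64-bit wrap
	doReplay   bool
	doSequence bool
	next       uint64 // next expected number (sequence protection)
	highest    uint64 // anchor of the replay window
	seen       uint64 // bit i set => (highest - i) has already been accepted
}

// NewSequenceState seeds both the strict sequence counter and the replay window.
func NewSequenceState(sequenceNumber uint64, doReplay, doSequence, wide bool) *SequenceState {
	mask := uint64(1)<<32 - 1
	if wide {
		mask = ^uint64(0)
	}
	return &SequenceState{
		mask: mask, doReplay: doReplay, doSequence: doSequence,
		next: sequenceNumber & mask, highest: sequenceNumber & mask,
	}
}

// Check accepts or rejects the next sequence number according to the enabled protections.
func (ss *SequenceState) Check(sequenceNumber uint64) error {
	if sequenceNumber > ss.mask {
		return ErrOutOfRange
	}
	// Sequence protection: strictly the next number, nothing else.
	if ss.doSequence && sequenceNumber != ss.next {
		return ErrSequence
	}
	if ss.doReplay {
		// Modular forward distance from the window anchor: values up to half the
		// range count as "newer", the rest as "older", which handles wrap-around.
		ahead := (sequenceNumber - ss.highest) & ss.mask
		switch {
		case ahead == 0:
			if ss.seen&1 != 0 {
				return ErrReplay
			}
			ss.seen |= 1
		case ahead <= ss.mask>>1:
			// Newer than anything seen: slide the window forward and mark it.
			if ahead >= windowBits {
				ss.seen = 1
			} else {
				ss.seen = ss.seen<<ahead | 1
			}
			ss.highest = sequenceNumber
		default:
			// Older: accept limited out-of-order delivery, reject duplicates.
			behind := (ss.highest - sequenceNumber) & ss.mask
			if behind >= windowBits {
				return ErrTooOld
			}
			bit := uint64(1) << behind
			if ss.seen&bit != 0 {
				return ErrReplay
			}
			ss.seen |= bit
		}
	}
	if ss.doSequence {
		ss.next = (sequenceNumber + 1) & ss.mask
	}
	return nil
}

func main() {
	// Sequence plus replay protection with 32-bit wrap: the counter passes
	// through 0xffffffff to 0, then a duplicate and a gap are both rejected.
	ss := NewSequenceState(0xfffffffe, true, true, false)
	for _, n := range []uint64{0xfffffffe, 0xffffffff, 0, 0, 2} {
		fmt.Printf("seq %#x: %v\n", n, ss.Check(n))
	}
}
```

With doSequence set the strict check runs first, so a duplicate is reported as ErrSequence rather than ErrReplay; with only doReplay set, a number up to 63 behind the newest one is accepted once and rejected on any repeat, and anything older than the window is refused outright.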