sasl

package v1.2.0

Note: this package is not in the latest version of its module.
Published: Mar 21, 2022 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Overview

Package sasl provides the utilities for SASL authentication via gssapi.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CalcMaxOutputSize

func CalcMaxOutputSize(mechSsf, maxOutBuf uint32, ct gssapi.ContextToken) uint32

CalcMaxOutputSize uses the negotiated SSF value, the provided maximum buffer size, and the encryption key held in the token to determine the largest plaintext size whose encrypted form still fits within the provided maxOutBuf.

As per the general SASL definitions, if the SSF is <= 0 the buffer would not be encrypted, so the maxOutBuf that was passed in is returned unchanged. If mechSsf > 0, the key is taken from the token and used to work out the size that encrypts to a size smaller than the passed-in maxOutBuf while also leaving room for the 16-byte token header.

func GetSsf

func GetSsf(ct gssapi.ContextToken) uint32

GetSsf uses the opaque context in the token to pull the key and returns the Security Strength Factor (SSF) value for that key.

func NewGSSAPIKrb5Mech

func NewGSSAPIKrb5Mech(cl *client.Client, spn string, saslProps SecurityProps) gssapi.Mechanism

NewGSSAPIKrb5Mech constructs a mechanism for gssapi processing using Kerberos via krb5.

func SetQOP

func SetQOP(ct gssapi.ContextToken, qop Qop)

SetQOP sets the desired Qop value in the opaque token value.

func VerifyWrapToken

func VerifyWrapToken(ct gssapi.ContextToken, wt gssapi.WrapToken) error

VerifyWrapToken allows calling Verify on the token without exposing the encryption key that the context token is holding.

Types

type Qop

type Qop byte

Qop is a bitmask representing the current Quality of Protection settings.

const (
	QopNone Qop = 1 << iota
	QopIntegrity
	QopConf
)

Qop will be some combination of none / integrity / confidential.

type SecurityProps

type SecurityProps struct {
	MinSsf        uint32
	MaxSsf        uint32
	MaxBufSize    int32
	UseEncryption bool
}

SecurityProps contains the settings used for the SASL negotiation.

These are used by the gssapi mechanism to determine the QOP settings.

type Wrapper

type Wrapper interface {
	// InitAuthPayload initializes the local security context and returns a payload
	// for sending the initial token for negotiation.
	InitAuthPayload() ([]byte, error)
	// Step takes the responses from the server (e.g. auth challenges) and steps through
	// the authentication and negotiation protocols, returning the next payload response
	// to send to the server as long as the gssapi.Status is gssapi.StatusContinueNeeded.
	// When authentication is complete, the status will be gssapi.StatusComplete. Any other
	// status will come associated with an error.
	Step([]byte) ([]byte, gssapi.Status)
	// GetWrappedConn takes the provided connection and wraps it such that anything written
	// to or read from the connection will be put through the wrap/unwrap calls of the
	// sasl authentication based on the negotiated security context.
	GetWrappedConn(net.Conn) net.Conn
}

Wrapper is the primary interface for sasl-gssapi handling.

A Wrapper is returned from NewSaslWrapper; it performs the authentication and then wraps a chosen connection so that messages are properly wrapped and unwrapped.

func NewSaslWrapper

func NewSaslWrapper(userSpn, serviceSpn string, props SecurityProps) (Wrapper, error)

NewSaslWrapper takes the provided SPNs and SecurityProps and returns a Wrapper that performs GSSAPI authentication via Kerberos krb5.
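The handshake the Wrapper contract describes, as an added example rather than the package's own code: a client-side driver that sends the InitAuthPayload token, feeds each server challenge to Step, treats any status other than StatusContinueNeeded or StatusComplete as a failure, and only hands out the wrapped connection once StatusComplete is reached. Status, Wrapper, the exchange callback, the 16-round cap and fakeWrapper are local stand-ins and assumptions so the example runs without the gssapi or krb5 dependencies; in real use the Wrapper comes from NewSaslWrapper.

```go
package main

import "fmt"
import "net"
// Status and Wrapper are local stand-ins for the gssapi.Status / Wrapper contract on the page.
type Status int
const (
	StatusComplete Status = iota
	StatusContinueNeeded
	StatusFailure
)
type Wrapper interface {
	InitAuthPayload() ([]byte, error)
	Step([]byte) ([]byte, Status)
	GetWrappedConn(net.Conn) net.Conn
}
// Negotiate drives the client side: send the initial token, feed each challenge to Step, go on
// only for StatusContinueNeeded, and wrap conn only on StatusComplete. exchange (the caller's
// round trip; the page fixes no framing) and the 16-round cap are assumptions of this example.
func Negotiate(w Wrapper, exchange func([]byte) ([]byte, error), conn net.Conn) (net.Conn, error) {
	tok, err := w.InitAuthPayload()
	if err != nil {
		return nil, fmt.Errorf("init auth payload: %w", err)
	}
	for round := 1; round <= 16; round++ { // cap so a server that never completes cannot spin us
		challenge, err := exchange(tok)
		if err != nil {
			return nil, fmt.Errorf("round %d: %w", round, err)
		}
		var st Status
		if tok, st = w.Step(challenge); st == StatusComplete {
			return w.GetWrappedConn(conn), nil // only now does traffic go through wrap/unwrap
		} else if st != StatusContinueNeeded { // any other status is a failure: fail closed
			return nil, fmt.Errorf("round %d: authentication failed (status %d)", round, st)
		}
	}
	return nil, fmt.Errorf("negotiation did not complete within the round limit")
}
type fakeWrapper struct{} // constructed stand-in, not the package's code: challenge text picks the outcome
func (fakeWrapper) InitAuthPayload() ([]byte, error) { return []byte("init"), nil }
func (fakeWrapper) GetWrappedConn(c net.Conn) net.Conn { return c }
func (fakeWrapper) Step(ch []byte) ([]byte, Status) {
	switch string(ch) {
	case "reject":
		return nil, StatusFailure
	case "more":
		return []byte("next"), StatusContinueNeeded
	}
	return nil, StatusComplete
}
```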
