sasl

package
v0.0.0-...-47a1d48 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 16, 2020 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CalcMaxOutputSize

func CalcMaxOutputSize(mechSsf, maxOutBuf uint32, ct gssapi.ContextToken) uint32

CalcMaxOutputSize uses the determined SSF value and provided max buffer size combined with the encryption key in the token to figure out what the actual max size can be such that the resulting size after encryption will still be within the provided maxOutBuf.

As per the general SASL definitions, if the SSF is <= 0, then we wouldn't be encrypting the buffer, and just return the maxOutBuf that was passed in. If mechSsf > 0, then we grab the key and figure out what size will encrypt to a size smaller than the passed in maxOutBuf while also giving room for the 16 byte token header.

func GetSsf

func GetSsf(ct gssapi.ContextToken) uint32

GetSsf uses the opaque context in the token in order to pull the key and return the Security Strength Factor (ssf) value for the given key.

func NewGSSAPIKrb5Mech

func NewGSSAPIKrb5Mech(cl *client.Client, spn string, saslProps SecurityProps) gssapi.Mechanism

NewGSSAPIKrb5Mech constructs a mechanism for gssapi processing using Kerberos via krb5

func SetQOP

func SetQOP(ct gssapi.ContextToken, qop Qop)

SetQOP will set the desired Qop value into the opaque token value

func VerifyWrapToken

func VerifyWrapToken(ct gssapi.ContextToken, wt gssapi.WrapToken) error

VerifyWrapToken allows calling Verify on the token without having to expose the encryption key that the context token is holding onto.

Types

type Qop

type Qop byte

Qop is a bitmask representing the current Quality of Protection settings

const (
	QopNone Qop = 1 << iota
	QopIntegrity
	QopConf
)

Qop will be some combination of none / integrity / confidential

type SecurityProps

type SecurityProps struct {
	MinSsf        uint32
	MaxSsf        uint32
	MaxBufSize    int32
	UseEncryption bool
}

SecurityProps simply contains settings used for the sasl negotiation.

These are utilized by the gssapi mechanism in order to determine the QOP settings

type Wrapper

type Wrapper interface {
	// InitAuthPayload initializes the local security context and returns a payload
	// for sending the initial token for negotiation.
	InitAuthPayload() ([]byte, error)
	// Step takes the responses from the server (eg. auth challenges) and steps through
	// the authentication and negotiation protocols, returning the next payload response
	// to send to the server as long as the gssapi.Status is gssapi.StatusContinueNeeded.
	// When authentication is complete, the status will be gssapi.StatusComplete. Any other
	// status will come associated with an error
	Step([]byte) ([]byte, gssapi.Status)
	// GetWrappedConn takes the provided connection and wraps it such that anything written
	// to or read from the connection will be put through the wrap/unwrap calls of the
	// sasl authentication based on the negotiated security context.
	GetWrappedConn(net.Conn) net.Conn
}

Wrapper is the primary interface for sasl-gssapi handling.

A wrapper is returned from NewSaslWrapper which will allow performing authentication and then wrapping a desired connection to properly wrap and unwrap messages.

func NewSaslWrapper

func NewSaslWrapper(userSpn, serviceSpn string, props SecurityProps) (Wrapper, error)

NewSaslWrapper takes the provided SPNs and SecurityProps to provide a Wrapper that will perform GSSAPI authentication via kerberos krb5

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL