gssapi

package
v5.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 31, 2018 License: Apache-2.0 Imports: 14 Imported by: 11

Documentation

Overview

Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication.

Index

Constants

View Source 
const (
	HdrLen          = 16 // Length of the Wrap Token's header
	FillerByte byte = 0xFF
)

From RFC 4121, section 4.2.6.2: 

Use of the GSS_Wrap() call yields a token (referred as the Wrap token
in this document), which consists of a descriptive header, followed
by a body portion that contains either the input user data in
plaintext concatenated with the checksum, or the input user data
encrypted.  The GSS_Wrap() token SHALL have the following format:

      Octet no   Name        Description
      --------------------------------------------------------------
       0..1     TOK_ID    Identification field.  Tokens emitted by
                          GSS_Wrap() contain the hex value 05 04
                          expressed in big-endian order in this
                          field.
       2        Flags     Attributes field, as described in section
                          4.2.2.
       3        Filler    Contains the hex value FF.
       4..5     EC        Contains the "extra count" field, in big-
                          endian order as described in section 4.2.3.
       6..7     RRC       Contains the "right rotation count" in big-
                          endian order, as described in section
                          4.2.5.
       8..15    SndSeqNum   Sequence number field in clear text,
                          expressed in big-endian order.
       16..last Data      Encrypted data for Wrap tokens with
                          confidentiality, or plaintext data followed
                          by the checksum for Wrap tokens without
                          confidentiality, as described in section
                          4.2.4.

Quick notes:

  • "EC" or "Extra Count" refers to the length of the cheksum.
  • "Flags" (complete details in section 4.2.2) is a set of bits:
  • if bit 0 is set, it means the token was sent by the acceptor (generally the kerberized service).
  • bit 1 indicates that the token's payload is encrypted
  • bit 2 indicates if the message is protected using a subkey defined by the acceptor.
  • When computing checksums, EC and RRC MUST be set to 0.
  • Wrap Tokens are not ASN.1 encoded.
View Source 
const (
	TOK_ID_KRB_AP_REQ = "0100"
	TOK_ID_KRB_AP_REP = "0200"
	TOK_ID_KRB_ERROR  = "0300"

	GSS_C_DELEG_FLAG    = 1
	GSS_C_MUTUAL_FLAG   = 2
	GSS_C_REPLAY_FLAG   = 4
	GSS_C_SEQUENCE_FLAG = 8
	GSS_C_CONF_FLAG     = 16
	GSS_C_INTEG_FLAG    = 32
)

GSSAPI MechToken IDs and flags.

Variables

View Source 
var MechTypeOIDKRB5 = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}

MechTypeOIDKRB5 is the MechType OID for Kerberos 5

View Source 
var MechTypeOIDMSLegacyKRB5 = asn1.ObjectIdentifier{1, 2, 840, 48018, 1, 2, 2}

MechTypeOIDMSLegacyKRB5 is the MechType OID for MS legacy Kerberos 5

View Source 
var SPNEGO_OID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}

SPNEGO_OID is the OID for SPNEGO header type.

Functions

func NewAuthenticator 

func NewAuthenticator(creds credentials.Credentials, flags []int) (types.Authenticator, error)

NewAuthenticator creates a new kerberos authenticator for kerberos MechToken

func UnmarshalNegToken 

func UnmarshalNegToken(b []byte) (bool, interface{}, error)

UnmarshalNegToken umarshals and returns either a NegTokenInit or a NegTokenResp.

The boolean indicates if the response is a NegTokenInit. If error is nil and the boolean is false the response is a NegTokenResp.

Types

type ContextFlags 

type ContextFlags asn1.BitString

ContextFlags flags for GSSAPI

func NewContextFlags 

func NewContextFlags() ContextFlags

NewContextFlags creates a new ContextFlags instance.

type MechToken 

type MechToken struct {
	OID      asn1.ObjectIdentifier
	TokID    []byte
	APReq    messages.APReq
	APRep    messages.APRep
	KRBError messages.KRBError
}

MechToken implementation for GSSAPI.

func NewAPREQMechToken 

func NewAPREQMechToken(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey, GSSAPIFlags []int, APOptions []int) (MechToken, error)

NewAPREQMechToken creates new Kerberos AP_REQ MechToken.

func (*MechToken) IsAPRep 

func (m *MechToken) IsAPRep() bool

IsAPRep tests if the MechToken contains an AP_REP.

func (*MechToken) IsAPReq 

func (m *MechToken) IsAPReq() bool

IsAPReq tests if the MechToken contains an AP_REQ.

func (*MechToken) IsKRBError 

func (m *MechToken) IsKRBError() bool

IsKRBError tests if the MechToken contains an KRB_ERROR.

func (*MechToken) Marshal 

func (m *MechToken) Marshal() ([]byte, error)

Marshal a MechToken into a slice of bytes.

func (*MechToken) Unmarshal 

func (m *MechToken) Unmarshal(b []byte) error

Unmarshal a MechToken.

type NegTokenInit 

type NegTokenInit struct {
	MechTypes    []asn1.ObjectIdentifier `asn1:"explicit,tag:0"`
	ReqFlags     ContextFlags            `asn1:"explicit,optional,tag:1"`
	MechToken    []byte                  `asn1:"explicit,optional,tag:2"`
	MechTokenMIC []byte                  `asn1:"explicit,optional,tag:3"`
}

NegTokenInit implements Negotiation Token of type Init

func NewNegTokenInitKrb5 

func NewNegTokenInitKrb5(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey) (NegTokenInit, error)

NewNegTokenInitKrb5 creates new Init negotiation token for Kerberos 5

func (*NegTokenInit) Marshal 

func (n *NegTokenInit) Marshal() ([]byte, error)

Marshal an Init negotiation token

type NegTokenResp 

type NegTokenResp struct {
	NegState      asn1.Enumerated       `asn1:"explicit,tag:0"`
	SupportedMech asn1.ObjectIdentifier `asn1:"explicit,optional,tag:1"`
	ResponseToken []byte                `asn1:"explicit,optional,tag:2"`
	MechListMIC   []byte                `asn1:"explicit,optional,tag:3"`
}

NegTokenResp implements Negotiation Token of type Resp/Targ

func (*NegTokenResp) Marshal 

func (n *NegTokenResp) Marshal() ([]byte, error)

Marshal a Resp/Targ negotiation token

type NegTokenTarg 

type NegTokenTarg NegTokenResp

NegTokenTarg implements Negotiation Token of type Resp/Targ

type SPNEGO 

type SPNEGO struct {
	Init         bool
	Resp         bool
	NegTokenInit NegTokenInit
	NegTokenResp NegTokenResp
}

SPNEGO header struct

func GetSPNEGOKrbNegTokenInit 

func GetSPNEGOKrbNegTokenInit(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey) (SPNEGO, error)

GetSPNEGOKrbNegTokenInit returns an SPNEGO struct containing a NegTokenInit.

func (*SPNEGO) Marshal 

func (s *SPNEGO) Marshal() ([]byte, error)

Marshal SPNEGO negotiation token

func (*SPNEGO) Unmarshal 

func (s *SPNEGO) Unmarshal(b []byte) error

Unmarshal SPNEGO negotiation token

type WrapToken 

type WrapToken struct {
	// const GSS Token ID: 0x0504
	Flags byte // contains three flags: acceptor, sealed, acceptor subkey
	// const Filler: 0xFF
	EC        uint16 // checksum length. big-endian
	RRC       uint16 // right rotation count. big-endian
	SndSeqNum uint64 // sender's sequence number. big-endian
	Payload   []byte // your data! :)
	CheckSum  []byte // authenticated checksum of { payload | header }
}

WrapToken represents a GSS API Wrap token, as defined in RFC 4121. It contains the header fields, the payload and the checksum, and provides the logic for converting to/from bytes plus computing and verifying checksums

func NewInitiatorToken 

func NewInitiatorToken(payload []byte, key types.EncryptionKey) (*WrapToken, error)

NewInitiatorToken builds a new initiator token (acceptor flag will be set to 0) and computes the authenticated checksum. Other flags are set to 0, and the RRC and sequence number are initialized to 0. Note that in certain circumstances you may need to provide a sequence number that has been defined earlier. This is currently not supported.

func (*WrapToken) ComputeAndSetCheckSum 

func (wt *WrapToken) ComputeAndSetCheckSum(key types.EncryptionKey, keyUsage uint32) error

ComputeAndSetCheckSum uses the passed encryption key and key usage to compute the checksum over the payload and the header, and sets the CheckSum field of this WrapToken. If the payload has not been set or the checksum has already been set, an error is returned.

func (*WrapToken) ComputeCheckSum 

func (wt *WrapToken) ComputeCheckSum(key types.EncryptionKey, keyUsage uint32) ([]byte, error)

ComputeCheckSum computes and returns the checksum of this token, computed using the passed key and key usage. Conforms to RFC 4121 in that the checksum will be computed over { body | header }, with the EC and RRC flags zeroed out. In the context of Kerberos Wrap tokens, mostly keyusage GSSAPI_ACCEPTOR_SEAL (=22) and GSSAPI_INITIATOR_SEAL (=24) will be used. Note: This will NOT update the struct's Checksum field.

func (*WrapToken) Marshal 

func (wt *WrapToken) Marshal() ([]byte, error)

Marshal the WrapToken into a byte slice. The payload should have been set and the checksum computed, otherwise an error is returned.

func (*WrapToken) Unmarshal 

func (wt *WrapToken) Unmarshal(b []byte, expectFromAcceptor bool) error

Unmarshal bytes into the corresponding WrapToken. If expectFromAcceptor is true, we expect the token to have been emitted by the gss acceptor, and will check the according flag, returning an error if the token does not match the expectation.

func (*WrapToken) VerifyCheckSum 

func (wt *WrapToken) VerifyCheckSum(key types.EncryptionKey, keyUsage uint32) (bool, error)

VerifyCheckSum computes the token's checksum with the provided key and usage, and compares it to the checksum present in the token. In case of any failure, (false, Err) is returned, with Err an explanatory error.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.