Documentation ¶
Index ¶
- Constants
- Variables
- func CallRpc(conn *net.Conn, prog, vers, proc, authFlavor uint32, body []byte, ...) (err error)
- func DisplayProxyFlags(flags Flags, complete bool, file io.Writer)
- func DisplayProxyStatus(when string, status Status)
- func FlagsToRaw(flags Flags) uint64
- type AcceptSecContextResults
- type AcquireCredResults
- type CallCtx
- type Cred
- type CredElement
- type ExportCredResults
- type Flags
- type GetCallContextResults
- type GetMicResults
- type ImportAndCanonNameResults
- type ImportCredResults
- type IndicateMechsResults
- type InitSecContextResults
- type MechAttr
- type MechInfo
- type Name
- type NameAttr
- type Option
- type ReleaseCredResults
- type ReleaseSecCtxResults
- type SecCtx
- type SetNegMechsResults
- type Status
- type StoreCredResults
- type UnwrapResults
- type VerifyMicResults
- type WrapResults
- type WrapSizeLimitResults
Constants ¶
const ( /* Request the highest-available lifetime in AcquireCred() and InitSecContext(). */ C_INDEFINITE = 0xffffffff /* Credential Usage values to be passed to ExportCred() and StoreCred(). */ C_INITIATE = 1 C_ACCEPT = 2 C_BOTH = 3 /* Status codes seen in MajorStatus values. */ S_COMPLETE = 0 S_CONTINUE_NEEDED = (1 << (intGSS_C_SUPPLEMENTARY_OFFSET + 0)) S_DUPLICATE_TOKEN = (1 << (intGSS_C_SUPPLEMENTARY_OFFSET + 1)) S_OLD_TOKEN = (1 << (intGSS_C_SUPPLEMENTARY_OFFSET + 2)) S_UNSEQ_TOKEN = (1 << (intGSS_C_SUPPLEMENTARY_OFFSET + 3)) S_GAP_TOKEN = (1 << (intGSS_C_SUPPLEMENTARY_OFFSET + 4)) S_BAD_MECH = (1 << intGSS_C_ROUTINE_ERROR_OFFSET) S_BAD_NAME = (2 << intGSS_C_ROUTINE_ERROR_OFFSET) S_BAD_NAMETYPE = (3 << intGSS_C_ROUTINE_ERROR_OFFSET) S_BAD_BINDINGS = (4 << intGSS_C_ROUTINE_ERROR_OFFSET) S_BAD_STATUS = (5 << intGSS_C_ROUTINE_ERROR_OFFSET) S_BAD_SIG = (6 << intGSS_C_ROUTINE_ERROR_OFFSET) S_NO_CRED = (7 << intGSS_C_ROUTINE_ERROR_OFFSET) S_NO_CONTEXT = (8 << intGSS_C_ROUTINE_ERROR_OFFSET) S_DEFECTIVE_TOKEN = (9 << intGSS_C_ROUTINE_ERROR_OFFSET) S_DEFECTIVE_CREDENTIAL = (10 << intGSS_C_ROUTINE_ERROR_OFFSET) S_CREDENTIALS_EXPIRED = (11 << intGSS_C_ROUTINE_ERROR_OFFSET) S_CONTEXT_EXPIRED = (12 << intGSS_C_ROUTINE_ERROR_OFFSET) S_FAILURE = (13 << intGSS_C_ROUTINE_ERROR_OFFSET) S_BAD_QOP = (14 << intGSS_C_ROUTINE_ERROR_OFFSET) S_UNAUTHORIZED = (15 << intGSS_C_ROUTINE_ERROR_OFFSET) S_UNAVAILABLE = (16 << intGSS_C_ROUTINE_ERROR_OFFSET) S_DUPLICATE_ELEMENT = (17 << intGSS_C_ROUTINE_ERROR_OFFSET) S_NAME_NOT_MN = (18 << intGSS_C_ROUTINE_ERROR_OFFSET) S_BAD_MECH_ATTR = (19 << intGSS_C_ROUTINE_ERROR_OFFSET) /* Default quality of protection, for passing to GetMic()/Wrap(). */ C_QOP_DEFAULT = 0 )
const ( // Message Types CALL = 0 REPLY = 1 // Reply Status values MSG_ACCEPTED = 0 MSG_DENIED = 1 // Accept Status values SUCCESS = 0 PROG_UNAVAIL = 1 PROG_MISMATCH = 2 PROC_UNAVAIL = 3 GARBAGE_ARGS = 4 SYSTEM_ERR = 5 // Reject Status values RPC_MISMATCH = 0 AUTH_ERROR = 1 // Auth Why values AUTH_OK = 0 AUTH_BADCRED = 1 AUTH_REJECTEDCRED = 2 AUTH_BADVERF = 3 AUTH_REJECTEDVERF = 4 AUTH_TOOWEAK = 5 AUTH_INVALIDRESP = 6 AUTH_FAILED = 7 // Auth flavors AUTH_NONE = 0 /* no authentication */ AUTH_NULL = AUTH_NONE AUTH_SYS = 1 /* old-school unix style */ AUTH_UNIX = AUTH_SYS )
Variables ¶
var ( /* Known name types, for use in Name structures. */ NT_USER_NAME = parseOid("1.2.840.113554.1.2.1.1") NT_MACHINE_UID_NAME = parseOid("1.2.840.113554.1.2.1.2") NT_STRING_UID_NAME = parseOid("1.2.840.113554.1.2.1.3") NT_HOSTBASED_SERVICE = parseOid("1.2.840.113554.1.2.1.4") NT_HOSTBASED_SERVICE_X = parseOid("1.3.6.1.5.6.2") NT_ANONYMOUS = parseOid("1.3.6.1.5.6.3") NT_EXPORT_NAME = parseOid("1.3.6.1.5.6.4") /* Known mechanisms. */ MechKerberos5 = parseOid("1.2.840.113554.1.2.2") MechKerberos5Draft = parseOid("1.3.5.1.5.2") MechKerberos5Wrong = parseOid("1.2.840.48018.1.2.2") MechSPNEGO = parseOid("1.3.6.1.5.5.2") MechIAKERB = parseOid("1.3.6.1.5.2.5") )
Functions ¶
func CallRpc ¶
func CallRpc(conn *net.Conn, prog, vers, proc, authFlavor uint32, body []byte, reply *bytes.Buffer) (err error)
CallRpc invokes a minimal stream-based ONC RPC call over the provided connection. While it can supply AUTH_UNIX, it doesn't verify any credentials in the response from the server.
func DisplayProxyFlags ¶
DisplayProxyFlags logs the contents of the passed-in flags.
func DisplayProxyStatus ¶
DisplayProxyStatus prints status error messages associated with the passed-in Status object.
func FlagsToRaw ¶
FlagsToRaw returns the integer representation of the flags structure, as would typically be used by C implementations. It is here mainly to aid in running diagnostics.
Types ¶
type AcceptSecContextResults ¶
type AcceptSecContextResults struct { Status Status SecCtx *SecCtx OutputToken *[]byte DelegatedCredHandle *Cred Options []Option }
func AcceptSecContext ¶
func AcceptSecContext(conn *net.Conn, callCtx *CallCtx, ctx *SecCtx, cred *Cred, inputToken []byte, inputCB *[]byte, retDelegCred bool, options []Option) (results AcceptSecContextResults, err error)
AcceptSecContext accepts a security context initiated by a peer. If the returned Status.MajorStatus is S_CONTINUE_NEEDED, the function should be called again with a token obtained from the peer. If the OutputToken is not nil, then it should be sent to the peer. If the returned Status.MajorStatus is S_COMPLETE, then authentication has succeeded. Any other Status.MajorStatus value is an error.
type AcquireCredResults ¶
func AcquireCred ¶
func AcquireCred(conn *net.Conn, callCtx *CallCtx, inputCredHandle *Cred, addCredToInputHandle bool, desiredName *Name, timeReq uint64, desiredMechs []asn1.ObjectIdentifier, credUsage int, initiatorTimeReq, acceptorTimeReq uint64, options []Option) (results AcquireCredResults, err error)
AcquireCred adds non-default credentials, or credentials using non-default settings, to a credential structure, possibly creating one.
type Cred ¶
type Cred struct { DesiredName Name Elements []CredElement CredHandleReference []byte NeedsRelease bool // contains filtered or unexported fields }
type CredElement ¶
type ExportCredResults ¶
type ExportCredResults struct { Status Status CredUsage int ExportedHandle []byte Options []Option }
func ExportCred ¶
func ExportCred(conn *net.Conn, callCtx *CallCtx, cred Cred, credUsage int, options []Option) (results ExportCredResults, err error)
ExportCred converts a credential structure into a byte slice. As of gss-proxy 0.3.1, the proxy implementation is a no-op.
type Flags ¶
type Flags struct {
Deleg, DelegPolicy, Mutual, Replay, Sequence, Anon, Conf, Integ, Trans, ProtReady bool
}
Flags describe requested parameters for a context passed to InitSecContext(), or the parameters of an established context as returned by AcceptSecContext().
type GetCallContextResults ¶
func GetCallContext ¶
func GetCallContext(conn *net.Conn, callCtx *CallCtx, options []Option) (results GetCallContextResults, err error)
GetCallContext returns a ServerCtx value which should be used in subsequent calls to this proxy server. As of gss-proxy 0.3.1, the proxy implementation is a no-op, so an empty initial value can be used.
type GetMicResults ¶
type ImportAndCanonNameResults ¶
func ImportAndCanonName ¶
func ImportAndCanonName(conn *net.Conn, callCtx *CallCtx, name Name, mech asn1.ObjectIdentifier, nameAttrs []NameAttr, options []Option) (results ImportAndCanonNameResults, err error)
ImportAndCanonName imports and canonicalizes a name. An uncanonicalized name can be used after its DisplayName and NameType are initialized, so this function is not always used.
type ImportCredResults ¶
func ImportCred ¶
func ImportCred(conn *net.Conn, callCtx *CallCtx, exportedCred []byte, options []Option) (results ImportCredResults, err error)
ImportCred reconstructs a credential structure from a byte slice. As of gss-proxy 0.3.1, the proxy implementation is a no-op.
type IndicateMechsResults ¶
type IndicateMechsResults struct { Status Status Mechs []MechInfo MechAttrDescs []MechAttr SupportedExtensions [][]byte Extensions []Option }
func IndicateMechs ¶
func IndicateMechs(conn *net.Conn, callCtx *CallCtx) (results IndicateMechsResults, err error)
IndicateMechs returns a list of the mechanisms supported by this proxy.
type InitSecContextResults ¶
type InitSecContextResults struct { Status Status SecCtx *SecCtx OutputToken *[]byte Options []Option }
func InitSecContext ¶
func InitSecContext(conn *net.Conn, callCtx *CallCtx, ctx *SecCtx, cred *Cred, targetName *Name, mechType asn1.ObjectIdentifier, reqFlags Flags, timeReq uint64, inputCB, inputToken *[]byte, options []Option) (results InitSecContextResults, err error)
InitSecContext initiates a security context with a peer. If the returned Status.MajorStatus is S_CONTINUE_NEEDED, the function should be called again with a token obtained from the peer. If the OutputToken is not nil, then it should be sent to the peer. If the returned Status.MajorStatus is S_COMPLETE, then authentication has succeeded. Any other Status.MajorStatus value is an error.
type MechAttr ¶
type MechAttr struct { Attr asn1.ObjectIdentifier Name, ShortDesc, LongDesc string Extensions []Option }
type MechInfo ¶
type MechInfo struct { Mech asn1.ObjectIdentifier NameTypes, MechAttrs, KnownMechAttrs, CredOptions, SecCtxOptions []asn1.ObjectIdentifier SaslNameSaslMechName, SaslNameMechName, SaslNameMechDesc string Extensions []Option }
type ReleaseCredResults ¶
type ReleaseCredResults struct {
Status Status
}
func ReleaseCred ¶
func ReleaseCred(conn *net.Conn, callCtx *CallCtx, cred *Cred) (results ReleaseCredResults, err error)
ReleaseCred releases credentials which will no longer be needed.
type ReleaseSecCtxResults ¶
type ReleaseSecCtxResults struct {
Status Status
}
func ReleaseSecCtx ¶
func ReleaseSecCtx(conn *net.Conn, callCtx *CallCtx, ctx *SecCtx) (results ReleaseSecCtxResults, err error)
ReleaseSecCtx releases a security context which will no longer be needed.
type SetNegMechsResults ¶
func SetNegMechs ¶
func SetNegMechs(conn *net.Conn, callCtx *CallCtx, cred *Cred, mechTypes *[]asn1.ObjectIdentifier) (results SetNegMechsResults, err error)
SetNegMechs sets the list of mechanisms which will be offered if we attempt to initialize a security context using the SPNEGO mechanism.
type StoreCredResults ¶
type StoreCredResults struct { Status Status ElementsStored []asn1.ObjectIdentifier CredUsageStored int Options []Option }
func StoreCred ¶
func StoreCred(conn *net.Conn, callCtx *CallCtx, cred Cred, credUsage int, desiredMech asn1.ObjectIdentifier, overwriteCred, defaultCred bool, options []Option) (results StoreCredResults, err error)
StoreCred stores credentials for a specific mechanism and which are intended for a specific use in the default credential store, optionally overwriting other credentials which may already be present, and also optionally making them the default credentials. As of gss-proxy 0.3.1, the proxy implementation is a no-op.
type UnwrapResults ¶
type VerifyMicResults ¶
type WrapResults ¶
type WrapSizeLimitResults ¶
func WrapSizeLimit ¶
func WrapSizeLimit(conn *net.Conn, callCtx *CallCtx, ctx *SecCtx, confReq bool, qopReq, reqOutputSize uint64) (results WrapSizeLimitResults, err error)
WrapSizeLimit computes the maximum size of a message that can be wrapped if the resulting message token is to be at most reqOutputSize bytes in length.