200 lines
6.8 KiB
Go
200 lines
6.8 KiB
Go
|
// Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication.
|
||
|
package gssapi
|
||
|
|
||
|
import (
|
||
|
"context"
|
||
|
"fmt"
|
||
|
|
||
|
"github.com/jcmturner/gofork/encoding/asn1"
|
||
|
)
|
||
|
|
||
|
// GSS-API OID names
|
||
|
const (
|
||
|
// GSS-API OID names
|
||
|
OIDKRB5 OIDName = "KRB5" // MechType OID for Kerberos 5
|
||
|
OIDMSLegacyKRB5 OIDName = "MSLegacyKRB5" // MechType OID for Kerberos 5
|
||
|
OIDSPNEGO OIDName = "SPNEGO"
|
||
|
)
|
||
|
|
||
|
// GSS-API status values
|
||
|
const (
|
||
|
StatusBadBindings = 1 << iota
|
||
|
StatusBadMech
|
||
|
StatusBadName
|
||
|
StatusBadNameType
|
||
|
StatusBadStatus
|
||
|
StatusBadSig
|
||
|
StatusBadMIC
|
||
|
StatusContextExpired
|
||
|
StatusCredentialsExpired
|
||
|
StatusDefectiveCredential
|
||
|
StatusDefectiveToken
|
||
|
StatusFailure
|
||
|
StatusNoContext
|
||
|
StatusNoCred
|
||
|
StatusBadQOP
|
||
|
StatusUnauthorized
|
||
|
StatusUnavailable
|
||
|
StatusDuplicateElement
|
||
|
StatusNameNotMN
|
||
|
StatusComplete
|
||
|
StatusContinueNeeded
|
||
|
StatusDuplicateToken
|
||
|
StatusOldToken
|
||
|
StatusUnseqToken
|
||
|
StatusGapToken
|
||
|
)
|
||
|
|
||
|
// ContextToken is an interface for a GSS-API context token.
|
||
|
type ContextToken interface {
|
||
|
Marshal() ([]byte, error)
|
||
|
Unmarshal(b []byte) error
|
||
|
Verify() (bool, Status)
|
||
|
Context() context.Context
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
CREDENTIAL MANAGEMENT
|
||
|
|
||
|
GSS_Acquire_cred acquire credentials for use
|
||
|
GSS_Release_cred release credentials after use
|
||
|
GSS_Inquire_cred display information about credentials
|
||
|
GSS_Add_cred construct credentials incrementally
|
||
|
GSS_Inquire_cred_by_mech display per-mechanism credential information
|
||
|
|
||
|
CONTEXT-LEVEL CALLS
|
||
|
|
||
|
GSS_Init_sec_context initiate outbound security context
|
||
|
GSS_Accept_sec_context accept inbound security context
|
||
|
GSS_Delete_sec_context flush context when no longer needed
|
||
|
GSS_Process_context_token process received control token on context
|
||
|
GSS_Context_time indicate validity time remaining on context
|
||
|
GSS_Inquire_context display information about context
|
||
|
GSS_Wrap_size_limit determine GSS_Wrap token size limit
|
||
|
GSS_Export_sec_context transfer context to other process
|
||
|
GSS_Import_sec_context import transferred context
|
||
|
|
||
|
PER-MESSAGE CALLS
|
||
|
|
||
|
GSS_GetMIC apply integrity check, receive as token separate from message
|
||
|
GSS_VerifyMIC validate integrity check token along with message
|
||
|
GSS_Wrap sign, optionally encrypt, encapsulate
|
||
|
GSS_Unwrap decapsulate, decrypt if needed, validate integrity check
|
||
|
|
||
|
SUPPORT CALLS
|
||
|
|
||
|
GSS_Display_status translate status codes to printable form
|
||
|
GSS_Indicate_mechs indicate mech_types supported on local system
|
||
|
GSS_Compare_name compare two names for equality
|
||
|
GSS_Display_name translate name to printable form
|
||
|
GSS_Import_name convert printable name to normalized form
|
||
|
GSS_Release_name free storage of normalized-form name
|
||
|
GSS_Release_buffer free storage of general GSS-allocated object
|
||
|
GSS_Release_OID_set free storage of OID set object
|
||
|
GSS_Create_empty_OID_set create empty OID set
|
||
|
GSS_Add_OID_set_member add member to OID set
|
||
|
GSS_Test_OID_set_member test if OID is member of OID set
|
||
|
GSS_Inquire_names_for_mech indicate name types supported by mechanism
|
||
|
GSS_Inquire_mechs_for_name indicates mechanisms supporting name type
|
||
|
GSS_Canonicalize_name translate name to per-mechanism form
|
||
|
GSS_Export_name externalize per-mechanism name
|
||
|
GSS_Duplicate_name duplicate name object
|
||
|
*/
|
||
|
|
||
|
// Mechanism is the GSS-API interface for authentication mechanisms.
|
||
|
type Mechanism interface {
|
||
|
OID() asn1.ObjectIdentifier
|
||
|
AcquireCred() error // acquire credentials for use (eg. AS exchange for KRB5)
|
||
|
InitSecContext() (ContextToken, error) // initiate outbound security context (eg TGS exchange builds AP_REQ to go into ContextToken to send to service)
|
||
|
AcceptSecContext(ct ContextToken) (bool, context.Context, Status) // service verifies the token server side to establish a context
|
||
|
MIC() MICToken // apply integrity check, receive as token separate from message
|
||
|
VerifyMIC(mt MICToken) (bool, error) // validate integrity check token along with message
|
||
|
Wrap(msg []byte) WrapToken // sign, optionally encrypt, encapsulate
|
||
|
Unwrap(wt WrapToken) []byte // decapsulate, decrypt if needed, validate integrity check
|
||
|
}
|
||
|
|
||
|
// OIDName is the type for defined GSS-API OIDs.
|
||
|
type OIDName string
|
||
|
|
||
|
// OID returns the OID for the provided OID name.
|
||
|
func OID(o OIDName) asn1.ObjectIdentifier {
|
||
|
switch o {
|
||
|
case OIDSPNEGO:
|
||
|
return asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}
|
||
|
case OIDKRB5:
|
||
|
return asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}
|
||
|
case OIDMSLegacyKRB5:
|
||
|
return asn1.ObjectIdentifier{1, 2, 840, 48018, 1, 2, 2}
|
||
|
}
|
||
|
return asn1.ObjectIdentifier{}
|
||
|
}
|
||
|
|
||
|
// Status is the GSS-API status and implements the error interface.
|
||
|
type Status struct {
|
||
|
Code int
|
||
|
Message string
|
||
|
}
|
||
|
|
||
|
// Error returns the Status description.
|
||
|
func (s Status) Error() string {
|
||
|
var str string
|
||
|
switch s.Code {
|
||
|
case StatusBadBindings:
|
||
|
str = "channel binding mismatch"
|
||
|
case StatusBadMech:
|
||
|
str = "unsupported mechanism requested"
|
||
|
case StatusBadName:
|
||
|
str = "invalid name provided"
|
||
|
case StatusBadNameType:
|
||
|
str = "name of unsupported type provided"
|
||
|
case StatusBadStatus:
|
||
|
str = "invalid input status selector"
|
||
|
case StatusBadSig:
|
||
|
str = "token had invalid integrity check"
|
||
|
case StatusBadMIC:
|
||
|
str = "preferred alias for GSS_S_BAD_SIG"
|
||
|
case StatusContextExpired:
|
||
|
str = "specified security context expired"
|
||
|
case StatusCredentialsExpired:
|
||
|
str = "expired credentials detected"
|
||
|
case StatusDefectiveCredential:
|
||
|
str = "defective credential detected"
|
||
|
case StatusDefectiveToken:
|
||
|
str = "defective token detected"
|
||
|
case StatusFailure:
|
||
|
str = "failure, unspecified at GSS-API level"
|
||
|
case StatusNoContext:
|
||
|
str = "no valid security context specified"
|
||
|
case StatusNoCred:
|
||
|
str = "no valid credentials provided"
|
||
|
case StatusBadQOP:
|
||
|
str = "unsupported QOP valu"
|
||
|
case StatusUnauthorized:
|
||
|
str = "operation unauthorized"
|
||
|
case StatusUnavailable:
|
||
|
str = "operation unavailable"
|
||
|
case StatusDuplicateElement:
|
||
|
str = "duplicate credential element requested"
|
||
|
case StatusNameNotMN:
|
||
|
str = "name contains multi-mechanism elements"
|
||
|
case StatusComplete:
|
||
|
str = "normal completion"
|
||
|
case StatusContinueNeeded:
|
||
|
str = "continuation call to routine required"
|
||
|
case StatusDuplicateToken:
|
||
|
str = "duplicate per-message token detected"
|
||
|
case StatusOldToken:
|
||
|
str = "timed-out per-message token detected"
|
||
|
case StatusUnseqToken:
|
||
|
str = "reordered (early) per-message token detected"
|
||
|
case StatusGapToken:
|
||
|
str = "skipped predecessor token(s) detected"
|
||
|
default:
|
||
|
str = "unknown GSS-API error status"
|
||
|
}
|
||
|
if s.Message != "" {
|
||
|
return fmt.Sprintf("%s: %s", str, s.Message)
|
||
|
}
|
||
|
return str
|
||
|
}
|