updated qrz with postgresql support
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
parent
01e195e1a5
commit
d4b9954636
@ -8,25 +8,25 @@ import (
|
|||||||
"git.paulbsd.com/paulbsd/qrz/src/database"
|
"git.paulbsd.com/paulbsd/qrz/src/database"
|
||||||
"git.paulbsd.com/paulbsd/qrz/src/qrz"
|
"git.paulbsd.com/paulbsd/qrz/src/qrz"
|
||||||
"git.paulbsd.com/paulbsd/qrz/src/qrzws"
|
"git.paulbsd.com/paulbsd/qrz/src/qrzws"
|
||||||
_ "github.com/go-sql-driver/mysql"
|
_ "github.com/lib/pq"
|
||||||
)
|
)
|
||||||
|
|
||||||
var version string
|
var version string
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
var config config.Config
|
var cfg config.Config
|
||||||
config.GetConfig()
|
cfg.GetConfig()
|
||||||
config.Version = version
|
cfg.Version = version
|
||||||
|
|
||||||
err := database.Initialize(&config)
|
err := database.Initialize(&cfg)
|
||||||
defer config.Db.Close()
|
defer config.Db.Close()
|
||||||
|
|
||||||
err = qrz.InitCronConfig(config)
|
err = qrz.InitCronConfig(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalln(err)
|
log.Fatalln(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = qrzws.RunServer(config)
|
err = qrzws.RunServer(cfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalln(err)
|
log.Fatalln(err)
|
||||||
}
|
}
|
||||||
|
6
go.mod
6
go.mod
@ -1,18 +1,18 @@
|
|||||||
module git.paulbsd.com/paulbsd/qrz
|
module git.paulbsd.com/paulbsd/qrz
|
||||||
|
|
||||||
go 1.12
|
go 1.14
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/antchfx/htmlquery v1.0.0
|
github.com/antchfx/htmlquery v1.0.0
|
||||||
github.com/antchfx/xpath v1.0.0 // indirect
|
github.com/antchfx/xpath v1.0.0 // indirect
|
||||||
github.com/go-sql-driver/mysql v1.4.1
|
github.com/go-sql-driver/mysql v1.4.1 // indirect
|
||||||
github.com/gobuffalo/packr/v2 v2.8.0
|
github.com/gobuffalo/packr/v2 v2.8.0
|
||||||
github.com/jmoiron/sqlx v1.2.0
|
github.com/jmoiron/sqlx v1.2.0
|
||||||
github.com/labstack/echo/v4 v4.1.16
|
github.com/labstack/echo/v4 v4.1.16
|
||||||
|
github.com/lib/pq v1.6.0
|
||||||
github.com/markbates/pkger v0.14.0
|
github.com/markbates/pkger v0.14.0
|
||||||
github.com/robfig/cron v1.2.0
|
github.com/robfig/cron v1.2.0
|
||||||
github.com/smartystreets/goconvey v0.0.0-20190731233626-505e41936337 // indirect
|
github.com/smartystreets/goconvey v0.0.0-20190731233626-505e41936337 // indirect
|
||||||
golang.org/x/text v0.3.2
|
|
||||||
google.golang.org/appengine v1.6.2 // indirect
|
google.golang.org/appengine v1.6.2 // indirect
|
||||||
gopkg.in/ini.v1 v1.46.0
|
gopkg.in/ini.v1 v1.46.0
|
||||||
)
|
)
|
||||||
|
31
go.sum
31
go.sum
@ -3,6 +3,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
|
|||||||
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
|
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
|
||||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||||
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
|
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
|
||||||
|
github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 h1:P5U+E4x5OkVEKQDklVPmzs71WM56RTTRqV4OrDC//Y4=
|
||||||
|
github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5/go.mod h1:976q2ETgjT2snVCf2ZaBnyBbVoPERGjUz+0sofzEfro=
|
||||||
github.com/antchfx/htmlquery v1.0.0 h1:O5IXz8fZF3B3MW+B33MZWbTHBlYmcfw0BAxgErHuaMA=
|
github.com/antchfx/htmlquery v1.0.0 h1:O5IXz8fZF3B3MW+B33MZWbTHBlYmcfw0BAxgErHuaMA=
|
||||||
github.com/antchfx/htmlquery v1.0.0/go.mod h1:MS9yksVSQXls00iXkiMqXr0J+umL/AmxXKuP28SUJM8=
|
github.com/antchfx/htmlquery v1.0.0/go.mod h1:MS9yksVSQXls00iXkiMqXr0J+umL/AmxXKuP28SUJM8=
|
||||||
github.com/antchfx/xpath v1.0.0 h1:Q5gFgh2O40VTSwMOVbFE7nFNRBu3tS21Tn0KAWeEjtk=
|
github.com/antchfx/xpath v1.0.0 h1:Q5gFgh2O40VTSwMOVbFE7nFNRBu3tS21Tn0KAWeEjtk=
|
||||||
@ -52,13 +54,31 @@ github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ
|
|||||||
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
|
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
|
||||||
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
|
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
|
||||||
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
|
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
|
||||||
|
github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
|
||||||
|
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
|
||||||
|
github.com/gorilla/sessions v1.2.0 h1:S7P+1Hm5V/AT9cjEcUD5uDaQSX0OE577aCXgoaKpYbQ=
|
||||||
|
github.com/gorilla/sessions v1.2.0/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
|
||||||
github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
|
github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
|
||||||
github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
|
github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
|
||||||
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
|
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
|
||||||
github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
|
github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
|
||||||
|
github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
|
||||||
|
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
|
||||||
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
|
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
|
||||||
github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
|
github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
|
||||||
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
|
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
|
||||||
|
github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
|
||||||
|
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
|
||||||
|
github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
|
||||||
|
github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
|
||||||
|
github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8=
|
||||||
|
github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
|
||||||
|
github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
|
||||||
|
github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
|
||||||
|
github.com/jcmturner/gokrb5/v8 v8.2.0 h1:lzPl/30ZLkTveYsYZPKMcgXc8MbnE6RsTd4F9KgiLtk=
|
||||||
|
github.com/jcmturner/gokrb5/v8 v8.2.0/go.mod h1:T1hnNppQsBtxW0tCHMHTkAt8n/sABdzZgZdoFrZaZNM=
|
||||||
|
github.com/jcmturner/rpc/v2 v2.0.2 h1:gMB4IwRXYsWw4Bc6o/az2HJgFUA1ffSh90i26ZJ6Xl0=
|
||||||
|
github.com/jcmturner/rpc/v2 v2.0.2/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
|
||||||
github.com/jmoiron/sqlx v1.2.0 h1:41Ip0zITnmWNR/vHV+S4m+VoUivnWY5E4OJfLZjCJMA=
|
github.com/jmoiron/sqlx v1.2.0 h1:41Ip0zITnmWNR/vHV+S4m+VoUivnWY5E4OJfLZjCJMA=
|
||||||
github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
|
github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
|
||||||
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
|
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
|
||||||
@ -84,6 +104,8 @@ github.com/labstack/gommon v0.3.0 h1:JEeO0bvc78PKdyHxloTKiF8BD5iGrH8T6MSeGvSgob0
|
|||||||
github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k=
|
github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k=
|
||||||
github.com/lib/pq v1.0.0 h1:X5PMW56eZitiTeO7tKzZxFCSpbFZJtkMMooicw2us9A=
|
github.com/lib/pq v1.0.0 h1:X5PMW56eZitiTeO7tKzZxFCSpbFZJtkMMooicw2us9A=
|
||||||
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
|
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
|
||||||
|
github.com/lib/pq v1.6.0 h1:I5DPxhYJChW9KYc66se+oKFFQX6VuQrKiprsX6ivRZc=
|
||||||
|
github.com/lib/pq v1.6.0/go.mod h1:4vXEAYvW1fRQ2/FhZ78H73A60MHw1geSm145z2mdY1g=
|
||||||
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
|
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
|
||||||
github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI=
|
github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI=
|
||||||
github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc=
|
github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc=
|
||||||
@ -170,8 +192,11 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
|
|||||||
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||||
golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||||
|
golang.org/x/crypto v0.0.0-20200117160349-530e935923ad/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||||
golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d h1:1ZiEyfaQIg3Qh0EoqpwAakHVhecoE5wlSg5GjnafJGw=
|
golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d h1:1ZiEyfaQIg3Qh0EoqpwAakHVhecoE5wlSg5GjnafJGw=
|
||||||
golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||||
|
golang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4 h1:QmwruyY+bKbDDL0BaglrbZABEali68eoMFhTZpCjYVA=
|
||||||
|
golang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||||
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
|
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
|
||||||
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||||
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||||
@ -183,6 +208,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
|
|||||||
golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
||||||
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
|
||||||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||||
|
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||||
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8=
|
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8=
|
||||||
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||||
@ -235,6 +261,11 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8
|
|||||||
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
|
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
|
||||||
gopkg.in/ini.v1 v1.46.0 h1:VeDZbLYGaupuvIrsYCEOe/L/2Pcs5n7hdO1ZTjporag=
|
gopkg.in/ini.v1 v1.46.0 h1:VeDZbLYGaupuvIrsYCEOe/L/2Pcs5n7hdO1ZTjporag=
|
||||||
gopkg.in/ini.v1 v1.46.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
gopkg.in/ini.v1 v1.46.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||||
|
gopkg.in/jcmturner/aescts.v1 v1.0.1/go.mod h1:nsR8qBOg+OucoIW+WMhB3GspUQXq9XorLnQb9XtvcOo=
|
||||||
|
gopkg.in/jcmturner/dnsutils.v1 v1.0.1/go.mod h1:m3v+5svpVOhtFAP/wSz+yzh4Mc0Fg7eRhxkJMWSIz9Q=
|
||||||
|
gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4=
|
||||||
|
gopkg.in/jcmturner/gokrb5.v7 v7.5.0/go.mod h1:l8VISx+WGYp+Fp7KRbsiUuXTTOnxIc3Tuvyavf11/WM=
|
||||||
|
gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8=
|
||||||
gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
|
gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
|
||||||
gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
|
gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
|
||||||
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
@ -42,7 +42,7 @@ func (config *Config) GetConfig() error {
|
|||||||
config.DbSchema = fmt.Sprintf(`
|
config.DbSchema = fmt.Sprintf(`
|
||||||
CREATE TABLE IF NOT EXISTS %s
|
CREATE TABLE IF NOT EXISTS %s
|
||||||
(
|
(
|
||||||
id int(8) NOT NULL AUTO_INCREMENT,
|
id serial NOT NULL PRIMARY KEY,
|
||||||
qrz varchar(25) NOT NULL,
|
qrz varchar(25) NOT NULL,
|
||||||
name varchar(25) DEFAULT NULL,
|
name varchar(25) DEFAULT NULL,
|
||||||
address varchar(50) DEFAULT NULL,
|
address varchar(50) DEFAULT NULL,
|
||||||
@ -51,18 +51,13 @@ func (config *Config) GetConfig() error {
|
|||||||
dept varchar(50) DEFAULT NULL,
|
dept varchar(50) DEFAULT NULL,
|
||||||
country varchar(25) DEFAULT NULL,
|
country varchar(25) DEFAULT NULL,
|
||||||
dmrid varchar(25) DEFAULT NULL,
|
dmrid varchar(25) DEFAULT NULL,
|
||||||
PRIMARY KEY (id),
|
CONSTRAINT qrz UNIQUE(qrz, name, city, dept, country)
|
||||||
UNIQUE KEY qrz (qrz,name,city,dept) USING BTREE,
|
)`,
|
||||||
KEY test (country),
|
|
||||||
FULLTEXT KEY city (city),
|
|
||||||
FULLTEXT KEY dept (dept)
|
|
||||||
)
|
|
||||||
ENGINE=InnoDB DEFAULT CHARSET=utf8;`,
|
|
||||||
config.DbTable)
|
config.DbTable)
|
||||||
|
|
||||||
config.DbStatements.Insert = fmt.Sprintf(
|
config.DbStatements.Insert = fmt.Sprintf(
|
||||||
`INSERT IGNORE INTO %s (qrz, dmrid, name, city, dept, country)
|
`INSERT INTO %s (qrz, dmrid, name, city, dept, country)
|
||||||
VALUES (?,?,?,?,?,?);`,
|
VALUES ($1, $2, $3, $4, $5, $6);`,
|
||||||
config.DbTable)
|
config.DbTable)
|
||||||
config.DbStatements.ExportCSV = fmt.Sprintf(
|
config.DbStatements.ExportCSV = fmt.Sprintf(
|
||||||
`SELECT qrz, name, city, dept, country
|
`SELECT qrz, name, city, dept, country
|
||||||
|
@ -10,7 +10,7 @@ import (
|
|||||||
|
|
||||||
// Initialize creates connection to database and exec Schema
|
// Initialize creates connection to database and exec Schema
|
||||||
func Initialize(config *config.Config) (err error) {
|
func Initialize(config *config.Config) (err error) {
|
||||||
config.Db, err = sqlx.Connect("mysql", fmt.Sprintf("%s:%s@tcp(%s)/%s", config.DbUsername, config.DbPassword, config.DbHostname, config.DbName))
|
config.Db, err = sqlx.Connect("postgres", fmt.Sprintf("postgres://%s:%s@%s/%s", config.DbUsername, config.DbPassword, config.DbHostname, config.DbName))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalln(err)
|
log.Fatalln(err)
|
||||||
}
|
}
|
||||||
|
@ -122,7 +122,11 @@ func getFrsEntries(config config.Config, body string) (frsentries map[string]Frs
|
|||||||
|
|
||||||
// getCurrentEntries fetch existing entries from database
|
// getCurrentEntries fetch existing entries from database
|
||||||
func getCurrentEntries(config config.Config) (existingQRZ []FrsEntry, err error) {
|
func getCurrentEntries(config config.Config) (existingQRZ []FrsEntry, err error) {
|
||||||
err = config.Db.Select(&existingQRZ, fmt.Sprintf("SELECT * FROM %s;", config.DbTable))
|
query := `
|
||||||
|
SELECT *
|
||||||
|
FROM %s;
|
||||||
|
`
|
||||||
|
err = config.Db.Select(&existingQRZ, fmt.Sprintf(query, config.DbTable))
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -57,8 +57,8 @@ func RunServer(config config.Config) (err error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Run runs the main loop
|
// Run runs the main loop
|
||||||
func Run(c echo.Context, config config.Config) (res QrzDatatableOutput, err error) {
|
func Run(c echo.Context, config config.Config) (res DatatableOutput, err error) {
|
||||||
qrzinputjson := new(QrzDatatableInput)
|
qrzinputjson := new(DatatableInput)
|
||||||
var count int
|
var count int
|
||||||
|
|
||||||
if err = c.Bind(qrzinputjson); err != nil {
|
if err = c.Bind(qrzinputjson); err != nil {
|
||||||
@ -95,8 +95,9 @@ func Run(c echo.Context, config config.Config) (res QrzDatatableOutput, err erro
|
|||||||
}
|
}
|
||||||
|
|
||||||
// BuildQuery builds main query
|
// BuildQuery builds main query
|
||||||
func BuildQuery(config config.Config, qrzdt QrzDatatableInput) (rows *sqlx.Rows, err error) {
|
func BuildQuery(config config.Config, qrzdt DatatableInput) (rows *sqlx.Rows, err error) {
|
||||||
var selectstatement, orderstatement, limitstatement, searchstatement string
|
var selectstatement, orderstatement, limitstatement, searchstatement string
|
||||||
|
|
||||||
selectstatement, err = SetSelectStatement(config, qrzdt)
|
selectstatement, err = SetSelectStatement(config, qrzdt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -114,30 +115,41 @@ func BuildQuery(config config.Config, qrzdt QrzDatatableInput) (rows *sqlx.Rows,
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
rows, err = config.Db.Queryx(fmt.Sprintf("SELECT %s FROM %s WHERE %s %s %s;", selectstatement, config.DbTable, searchstatement, orderstatement, limitstatement))
|
query := `
|
||||||
|
SELECT %s
|
||||||
|
FROM %s
|
||||||
|
WHERE %s %s %s;`
|
||||||
|
|
||||||
|
rows, err = config.Db.Queryx(fmt.Sprintf(query, selectstatement, config.DbTable, searchstatement, orderstatement, limitstatement))
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// BuildQueryCountFiltered builds query for counting filtered
|
// BuildQueryCountFiltered builds query for counting filtered
|
||||||
func BuildQueryCountFiltered(config config.Config, qrzdt QrzDatatableInput) (cnt int, err error) {
|
func BuildQueryCountFiltered(config config.Config, qrzdt DatatableInput) (cnt int, err error) {
|
||||||
searchstatement, err := SetSearchStatement(config, qrzdt)
|
searchstatement, err := SetSearchStatement(config, qrzdt)
|
||||||
err = config.Db.Get(&cnt, fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE %s;", config.DbTable, searchstatement))
|
|
||||||
|
query := `
|
||||||
|
SELECT COUNT(*)
|
||||||
|
FROM %s
|
||||||
|
WHERE %s;`
|
||||||
|
|
||||||
|
err = config.Db.Get(&cnt, fmt.Sprintf(query, config.DbTable, searchstatement))
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// BuildQueryCountTotal builds query for counting totals
|
// BuildQueryCountTotal builds query for counting totals
|
||||||
func BuildQueryCountTotal(config config.Config, qrzdt QrzDatatableInput) (cnt int, err error) {
|
func BuildQueryCountTotal(config config.Config, qrzdt DatatableInput) (cnt int, err error) {
|
||||||
err = config.Db.Get(&cnt, fmt.Sprintf("SELECT COUNT(*) FROM %s;", config.DbTable))
|
err = config.Db.Get(&cnt, fmt.Sprintf("SELECT COUNT(*) FROM %s;", config.DbTable))
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetSelectStatement build the sql select statement part
|
// SetSelectStatement build the sql select statement part
|
||||||
func SetSelectStatement(config config.Config, qrzdt QrzDatatableInput) (selectstatement string, err error) {
|
func SetSelectStatement(config config.Config, qrzdt DatatableInput) (selectstatement string, err error) {
|
||||||
var cols []string
|
var cols []string
|
||||||
colre := regexp.MustCompile(`^[a-z]+$`)
|
colre := regexp.MustCompile(`^[A-Za-z0-9]+$`)
|
||||||
if len(qrzdt.Columns) > 0 {
|
if len(qrzdt.Columns) > 0 {
|
||||||
for _, col := range qrzdt.Columns {
|
for _, col := range qrzdt.Columns {
|
||||||
valid := colre.MatchString(col.Name)
|
valid := colre.MatchString(col.Name)
|
||||||
@ -157,7 +169,7 @@ func SetSelectStatement(config config.Config, qrzdt QrzDatatableInput) (selectst
|
|||||||
}
|
}
|
||||||
|
|
||||||
// SetOrderStatement build the sql order statement part
|
// SetOrderStatement build the sql order statement part
|
||||||
func SetOrderStatement(config config.Config, qrzdt QrzDatatableInput) (orderstmt string, err error) {
|
func SetOrderStatement(config config.Config, qrzdt DatatableInput) (orderstmt string, err error) {
|
||||||
var orderstmts []string
|
var orderstmts []string
|
||||||
colre := regexp.MustCompile(`^[a-z]+$`)
|
colre := regexp.MustCompile(`^[a-z]+$`)
|
||||||
orderre := regexp.MustCompile(`^(ASC|asc|DESC|desc)$`)
|
orderre := regexp.MustCompile(`^(ASC|asc|DESC|desc)$`)
|
||||||
@ -176,7 +188,7 @@ func SetOrderStatement(config config.Config, qrzdt QrzDatatableInput) (orderstmt
|
|||||||
}
|
}
|
||||||
|
|
||||||
// SetLimitStatement build the sql limit statement part
|
// SetLimitStatement build the sql limit statement part
|
||||||
func SetLimitStatement(config config.Config, qrzdt QrzDatatableInput) (limitstmt string, err error) {
|
func SetLimitStatement(config config.Config, qrzdt DatatableInput) (limitstmt string, err error) {
|
||||||
intre := regexp.MustCompile(`^[0-9]+$`)
|
intre := regexp.MustCompile(`^[0-9]+$`)
|
||||||
if qrzdt.Length < 1 {
|
if qrzdt.Length < 1 {
|
||||||
qrzdt.Length = 50
|
qrzdt.Length = 50
|
||||||
@ -191,7 +203,7 @@ func SetLimitStatement(config config.Config, qrzdt QrzDatatableInput) (limitstmt
|
|||||||
}
|
}
|
||||||
|
|
||||||
// SetSearchStatement build the where clause in sql statement
|
// SetSearchStatement build the where clause in sql statement
|
||||||
func SetSearchStatement(config config.Config, qrzdt QrzDatatableInput) (searchstmt string, err error) {
|
func SetSearchStatement(config config.Config, qrzdt DatatableInput) (searchstmt string, err error) {
|
||||||
var searchstmtslice []string
|
var searchstmtslice []string
|
||||||
if len(qrzdt.Columns) > 0 {
|
if len(qrzdt.Columns) > 0 {
|
||||||
for id, i := range qrzdt.Columns {
|
for id, i := range qrzdt.Columns {
|
||||||
@ -234,8 +246,8 @@ func RunCSVExport(c echo.Context, config config.Config) (data []byte, mime strin
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// QrzDatatableInput describes datatable query
|
// DatatableInput describes datatable query
|
||||||
type QrzDatatableInput struct {
|
type DatatableInput struct {
|
||||||
Columns []struct {
|
Columns []struct {
|
||||||
Data int `json:"data"`
|
Data int `json:"data"`
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
@ -259,8 +271,8 @@ type QrzDatatableInput struct {
|
|||||||
Start int `json:"start"`
|
Start int `json:"start"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// QrzDatatableOutput describes datatable response
|
// DatatableOutput describes datatable response
|
||||||
type QrzDatatableOutput struct {
|
type DatatableOutput struct {
|
||||||
Data [][]string `json:"data"`
|
Data [][]string `json:"data"`
|
||||||
Draw int `json:"draw"`
|
Draw int `json:"draw"`
|
||||||
RecordsTotal int `json:"recordsTotal"`
|
RecordsTotal int `json:"recordsTotal"`
|
||||||
|
@ -1,9 +1,5 @@
|
|||||||
$(document).ready(function () {
|
$(document).ready(function () {
|
||||||
$('#main_table').DataTable({
|
$('#main_table').DataTable({
|
||||||
"rowReorder": {
|
|
||||||
"selector": 'td:nth-child(2)'
|
|
||||||
},
|
|
||||||
"responsive": true,
|
|
||||||
"display": true,
|
"display": true,
|
||||||
"cell-border": true,
|
"cell-border": true,
|
||||||
"processing": true,
|
"processing": true,
|
||||||
|
@ -2,17 +2,13 @@
|
|||||||
|
|
||||||
<head>
|
<head>
|
||||||
<link rel="stylesheet" type="text/css" href="static/css/main.css" media="screen">
|
<link rel="stylesheet" type="text/css" href="static/css/main.css" media="screen">
|
||||||
|
<link rel="stylesheet" type="text/css" href="static/css/jquery.dataTables.min.css" media="screen">
|
||||||
<link rel="stylesheet" type="text/css" href="static/css/font-awesome/all.css">
|
<link rel="stylesheet" type="text/css" href="static/css/font-awesome/all.css">
|
||||||
<link rel="stylesheet" type="text/css" href="static/css/bootstrap.css">
|
<link rel="stylesheet" type="text/css" href="static/css/bootstrap.min.css">
|
||||||
<link rel="stylesheet" type="text/css" href="static/css/dataTables.bootstrap4.min.css">
|
|
||||||
<link rel="stylesheet" type="text/css" href="static/css/responsive.dataTables.min.css">
|
|
||||||
<link rel="stylesheet" type="text/css" href="static/css/rowReorder.dataTables.min.css">
|
|
||||||
|
|
||||||
|
|
||||||
<script type="text/javascript" src="static/js/jquery.js"></script>
|
<script type="text/javascript" src="static/js/jquery.js"></script>
|
||||||
<script type="text/javascript" src="static/js/jquery.dataTables.min.js"></script>
|
<script type="text/javascript" src="static/js/jquery.dataTables.min.js"></script>
|
||||||
<script type="text/javascript" src="static/js/bootstrap.min.js"></script>
|
<script type="text/javascript" src="static/js/bootstrap.min.js"></script>
|
||||||
<script type="text/javascript" src="static/js/dataTables.bootstrap4.min.js"></script>
|
|
||||||
<script type="text/javascript" src="static/js/axios.min.js"></script>
|
<script type="text/javascript" src="static/js/axios.min.js"></script>
|
||||||
<script type="text/javascript" src="static/js/vue.min.js"></script>
|
<script type="text/javascript" src="static/js/vue.min.js"></script>
|
||||||
<script type="text/javascript" src="static/js/datatable.js"></script>
|
<script type="text/javascript" src="static/js/datatable.js"></script>
|
||||||
@ -20,10 +16,10 @@
|
|||||||
</head>
|
</head>
|
||||||
|
|
||||||
<body>
|
<body>
|
||||||
<h1 class="display-3">FRS QRZ database</h1>
|
<h1 class="jumbotron-heading">FRS QRZ database</h1>
|
||||||
<p>Mirror of <a href="http://groupe-frs.hamstation.eu">http://groupe-frs.hamstation.eu</a> list of users</p>
|
<p>Mirror of <a href="http://groupe-frs.hamstation.eu">http://groupe-frs.hamstation.eu</a> list of users</p>
|
||||||
<div>
|
<div>
|
||||||
<table id="main_table" class="table table-striped table-bordered">
|
<table id="main_table" class="display cell-border">
|
||||||
<thead class="thead-dark">
|
<thead class="thead-dark">
|
||||||
<tr>
|
<tr>
|
||||||
<td>QRZ</td>
|
<td>QRZ</td>
|
||||||
|
27
vendor/github.com/alexbrainman/sspi/LICENSE
generated
vendored
Normal file
27
vendor/github.com/alexbrainman/sspi/LICENSE
generated
vendored
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
Copyright (c) 2012 The Go Authors. All rights reserved.
|
||||||
|
|
||||||
|
Redistribution and use in source and binary forms, with or without
|
||||||
|
modification, are permitted provided that the following conditions are
|
||||||
|
met:
|
||||||
|
|
||||||
|
* Redistributions of source code must retain the above copyright
|
||||||
|
notice, this list of conditions and the following disclaimer.
|
||||||
|
* Redistributions in binary form must reproduce the above
|
||||||
|
copyright notice, this list of conditions and the following disclaimer
|
||||||
|
in the documentation and/or other materials provided with the
|
||||||
|
distribution.
|
||||||
|
* Neither the name of Google Inc. nor the names of its
|
||||||
|
contributors may be used to endorse or promote products derived from
|
||||||
|
this software without specific prior written permission.
|
||||||
|
|
||||||
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||||
|
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||||
|
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
1
vendor/github.com/alexbrainman/sspi/README.md
generated
vendored
Normal file
1
vendor/github.com/alexbrainman/sspi/README.md
generated
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
This repository holds Go packages for accessing Security Support Provider Interface on Windows.
|
57
vendor/github.com/alexbrainman/sspi/buffer.go
generated
vendored
Normal file
57
vendor/github.com/alexbrainman/sspi/buffer.go
generated
vendored
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
// Copyright 2015 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build windows
|
||||||
|
|
||||||
|
package sspi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"io"
|
||||||
|
"unsafe"
|
||||||
|
)
|
||||||
|
|
||||||
|
func (b *SecBuffer) Set(buftype uint32, data []byte) {
|
||||||
|
b.BufferType = buftype
|
||||||
|
if len(data) > 0 {
|
||||||
|
b.Buffer = &data[0]
|
||||||
|
b.BufferSize = uint32(len(data))
|
||||||
|
} else {
|
||||||
|
b.Buffer = nil
|
||||||
|
b.BufferSize = 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (b *SecBuffer) Free() error {
|
||||||
|
if b.Buffer == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return FreeContextBuffer((*byte)(unsafe.Pointer(b.Buffer)))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (b *SecBuffer) Bytes() []byte {
|
||||||
|
if b.Buffer == nil || b.BufferSize <= 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return (*[2 << 20]byte)(unsafe.Pointer(b.Buffer))[:b.BufferSize]
|
||||||
|
}
|
||||||
|
|
||||||
|
func (b *SecBuffer) WriteAll(w io.Writer) (int, error) {
|
||||||
|
if b.BufferSize == 0 || b.Buffer == nil {
|
||||||
|
return 0, nil
|
||||||
|
}
|
||||||
|
data := b.Bytes()
|
||||||
|
total := 0
|
||||||
|
for {
|
||||||
|
n, err := w.Write(data)
|
||||||
|
total += n
|
||||||
|
if err != nil {
|
||||||
|
return total, err
|
||||||
|
}
|
||||||
|
if n >= len(data) {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
data = data[n:]
|
||||||
|
}
|
||||||
|
return total, nil
|
||||||
|
}
|
7
vendor/github.com/alexbrainman/sspi/mksyscall.go
generated
vendored
Normal file
7
vendor/github.com/alexbrainman/sspi/mksyscall.go
generated
vendored
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package sspi
|
||||||
|
|
||||||
|
//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -systemdll=false -output=zsyscall_windows.go syscall.go
|
462
vendor/github.com/alexbrainman/sspi/negotiate/negotiate.go
generated
vendored
Normal file
462
vendor/github.com/alexbrainman/sspi/negotiate/negotiate.go
generated
vendored
Normal file
@ -0,0 +1,462 @@
|
|||||||
|
// Copyright 2016 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build windows
|
||||||
|
|
||||||
|
// Package negotiate provides access to the Microsoft Negotiate SSP Package.
|
||||||
|
//
|
||||||
|
package negotiate
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"syscall"
|
||||||
|
"time"
|
||||||
|
"unsafe"
|
||||||
|
|
||||||
|
"github.com/alexbrainman/sspi"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TODO: maybe (if possible) move all winapi related out of sspi and into sspi/internal/winapi
|
||||||
|
|
||||||
|
// PackageInfo contains Negotiate SSP package description.
|
||||||
|
var PackageInfo *sspi.PackageInfo
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
var err error
|
||||||
|
PackageInfo, err = sspi.QueryPackageInfo(sspi.NEGOSSP_NAME)
|
||||||
|
if err != nil {
|
||||||
|
panic("failed to fetch Negotiate package info: " + err.Error())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func acquireCredentials(principalName string, creduse uint32, ai *sspi.SEC_WINNT_AUTH_IDENTITY) (*sspi.Credentials, error) {
|
||||||
|
c, err := sspi.AcquireCredentials(principalName, sspi.NEGOSSP_NAME, creduse, (*byte)(unsafe.Pointer(ai)))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return c, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// AcquireCurrentUserCredentials acquires credentials of currently
|
||||||
|
// logged on user. These will be used by the client to authenticate
|
||||||
|
// itself to the server. It will also be used by the server
|
||||||
|
// to impersonate the user.
|
||||||
|
func AcquireCurrentUserCredentials() (*sspi.Credentials, error) {
|
||||||
|
return acquireCredentials("", sspi.SECPKG_CRED_OUTBOUND, nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: see if I can share this common ntlm and negotiate code
|
||||||
|
|
||||||
|
// AcquireUserCredentials acquires credentials of user described by
|
||||||
|
// domain, username and password. These will be used by the client to
|
||||||
|
// authenticate itself to the server. It will also be used by the
|
||||||
|
// server to impersonate the user.
|
||||||
|
func AcquireUserCredentials(domain, username, password string) (*sspi.Credentials, error) {
|
||||||
|
if len(username) == 0 {
|
||||||
|
return nil, errors.New("username parameter cannot be empty")
|
||||||
|
}
|
||||||
|
d, err := syscall.UTF16FromString(domain)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
u, err := syscall.UTF16FromString(username)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
p, err := syscall.UTF16FromString(password)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
ai := sspi.SEC_WINNT_AUTH_IDENTITY{
|
||||||
|
User: &u[0],
|
||||||
|
UserLength: uint32(len(u) - 1), // do not count terminating 0
|
||||||
|
Domain: &d[0],
|
||||||
|
DomainLength: uint32(len(d) - 1), // do not count terminating 0
|
||||||
|
Password: &p[0],
|
||||||
|
PasswordLength: uint32(len(p) - 1), // do not count terminating 0
|
||||||
|
Flags: sspi.SEC_WINNT_AUTH_IDENTITY_UNICODE,
|
||||||
|
}
|
||||||
|
return acquireCredentials("", sspi.SECPKG_CRED_OUTBOUND, &ai)
|
||||||
|
}
|
||||||
|
|
||||||
|
// AcquireServerCredentials acquires server credentials that will
|
||||||
|
// be used to authenticate clients.
|
||||||
|
// The principalName parameter is passed to the underlying call to
|
||||||
|
// the winapi AcquireCredentialsHandle function (and specifies the
|
||||||
|
// name of the principal whose credentials the underlying handle
|
||||||
|
// will reference).
|
||||||
|
// As a special case, using an empty string for the principal name
|
||||||
|
// will require the credential of the user under whose security context
|
||||||
|
// the current process is running.
|
||||||
|
func AcquireServerCredentials(principalName string) (*sspi.Credentials, error) {
|
||||||
|
return acquireCredentials(principalName, sspi.SECPKG_CRED_INBOUND, nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
func updateContext(c *sspi.Context, dst, src []byte, targetName *uint16) (authCompleted bool, n int, err error) {
|
||||||
|
var inBuf, outBuf [1]sspi.SecBuffer
|
||||||
|
inBuf[0].Set(sspi.SECBUFFER_TOKEN, src)
|
||||||
|
inBufs := &sspi.SecBufferDesc{
|
||||||
|
Version: sspi.SECBUFFER_VERSION,
|
||||||
|
BuffersCount: 1,
|
||||||
|
Buffers: &inBuf[0],
|
||||||
|
}
|
||||||
|
outBuf[0].Set(sspi.SECBUFFER_TOKEN, dst)
|
||||||
|
outBufs := &sspi.SecBufferDesc{
|
||||||
|
Version: sspi.SECBUFFER_VERSION,
|
||||||
|
BuffersCount: 1,
|
||||||
|
Buffers: &outBuf[0],
|
||||||
|
}
|
||||||
|
ret := c.Update(targetName, outBufs, inBufs)
|
||||||
|
switch ret {
|
||||||
|
case sspi.SEC_E_OK:
|
||||||
|
// session established -> return success
|
||||||
|
return true, int(outBuf[0].BufferSize), nil
|
||||||
|
case sspi.SEC_I_COMPLETE_NEEDED, sspi.SEC_I_COMPLETE_AND_CONTINUE:
|
||||||
|
ret = sspi.CompleteAuthToken(c.Handle, outBufs)
|
||||||
|
if ret != sspi.SEC_E_OK {
|
||||||
|
return false, 0, ret
|
||||||
|
}
|
||||||
|
case sspi.SEC_I_CONTINUE_NEEDED:
|
||||||
|
default:
|
||||||
|
return false, 0, ret
|
||||||
|
}
|
||||||
|
return false, int(outBuf[0].BufferSize), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func makeSignature(c *sspi.Context, msg []byte, qop, seqno uint32) ([]byte, error) {
|
||||||
|
_, maxSignature, _, _, err := c.Sizes()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if maxSignature == 0 {
|
||||||
|
return nil, errors.New("integrity services are not requested or unavailable")
|
||||||
|
}
|
||||||
|
|
||||||
|
var b [2]sspi.SecBuffer
|
||||||
|
b[0].Set(sspi.SECBUFFER_DATA, msg)
|
||||||
|
b[1].Set(sspi.SECBUFFER_TOKEN, make([]byte, maxSignature))
|
||||||
|
|
||||||
|
ret := sspi.MakeSignature(c.Handle, qop, sspi.NewSecBufferDesc(b[:]), seqno)
|
||||||
|
if ret != sspi.SEC_E_OK {
|
||||||
|
return nil, ret
|
||||||
|
}
|
||||||
|
|
||||||
|
return b[1].Bytes(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func encryptMessage(c *sspi.Context, msg []byte, qop, seqno uint32) ([]byte, error) {
|
||||||
|
_ /*maxToken*/, maxSignature, cBlockSize, cSecurityTrailer, err := c.Sizes()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if maxSignature == 0 {
|
||||||
|
return nil, errors.New("integrity services are not requested or unavailable")
|
||||||
|
}
|
||||||
|
|
||||||
|
var b [3]sspi.SecBuffer
|
||||||
|
b[0].Set(sspi.SECBUFFER_TOKEN, make([]byte, cSecurityTrailer))
|
||||||
|
b[1].Set(sspi.SECBUFFER_DATA, msg)
|
||||||
|
b[2].Set(sspi.SECBUFFER_PADDING, make([]byte, cBlockSize))
|
||||||
|
|
||||||
|
ret := sspi.EncryptMessage(c.Handle, qop, sspi.NewSecBufferDesc(b[:]), seqno)
|
||||||
|
if ret != sspi.SEC_E_OK {
|
||||||
|
return nil, ret
|
||||||
|
}
|
||||||
|
|
||||||
|
r0, r1, r2 := b[0].Bytes(), b[1].Bytes(), b[2].Bytes()
|
||||||
|
res := make([]byte, 0, len(r0)+len(r1)+len(r2))
|
||||||
|
res = append(res, r0...)
|
||||||
|
res = append(res, r1...)
|
||||||
|
res = append(res, r2...)
|
||||||
|
|
||||||
|
return res, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func decryptMessage(c *sspi.Context, msg []byte, seqno uint32) (uint32, []byte, error) {
|
||||||
|
var b [2]sspi.SecBuffer
|
||||||
|
b[0].Set(sspi.SECBUFFER_STREAM, msg)
|
||||||
|
b[1].Set(sspi.SECBUFFER_DATA, []byte{})
|
||||||
|
|
||||||
|
var qop uint32
|
||||||
|
ret := sspi.DecryptMessage(c.Handle, sspi.NewSecBufferDesc(b[:]), seqno, &qop)
|
||||||
|
if ret != sspi.SEC_E_OK {
|
||||||
|
return qop, nil, ret
|
||||||
|
}
|
||||||
|
|
||||||
|
return qop, b[1].Bytes(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func verifySignature(c *sspi.Context, msg, token []byte, seqno uint32) (uint32, error) {
|
||||||
|
var b [2]sspi.SecBuffer
|
||||||
|
b[0].Set(sspi.SECBUFFER_DATA, msg)
|
||||||
|
b[1].Set(sspi.SECBUFFER_TOKEN, token)
|
||||||
|
|
||||||
|
var qop uint32
|
||||||
|
|
||||||
|
ret := sspi.VerifySignature(c.Handle, sspi.NewSecBufferDesc(b[:]), seqno, &qop)
|
||||||
|
if ret != sspi.SEC_E_OK {
|
||||||
|
return 0, ret
|
||||||
|
}
|
||||||
|
|
||||||
|
return qop, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ClientContext is used by the client to manage all steps of Negotiate negotiation.
|
||||||
|
type ClientContext struct {
|
||||||
|
sctxt *sspi.Context
|
||||||
|
targetName *uint16
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewClientContext creates a new client context. It uses client
|
||||||
|
// credentials cred generated by AcquireCurrentUserCredentials or
|
||||||
|
// AcquireUserCredentials and SPN to start a client Negotiate
|
||||||
|
// negotiation sequence. targetName is the service principal name
|
||||||
|
// (SPN) or the security context of the destination server.
|
||||||
|
// NewClientContext returns a new token to be sent to the server.
|
||||||
|
func NewClientContext(cred *sspi.Credentials, targetName string) (cc *ClientContext, outputToken []byte, err error) {
|
||||||
|
return NewClientContextWithFlags(cred, targetName, sspi.ISC_REQ_CONNECTION)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewClientContextWithFlags creates a new client context. It uses client
|
||||||
|
// credentials cred generated by AcquireCurrentUserCredentials or
|
||||||
|
// AcquireUserCredentials and SPN to start a client Negotiate
|
||||||
|
// negotiation sequence. targetName is the service principal name
|
||||||
|
// (SPN) or the security context of the destination server.
|
||||||
|
// The flags parameter is used to indicate requests for the context
|
||||||
|
// (for example sspi.ISC_REQ_CONFIDENTIALITY|sspi.ISC_REQ_REPLAY_DETECT)
|
||||||
|
// NewClientContextWithFlags returns a new token to be sent to the server.
|
||||||
|
func NewClientContextWithFlags(cred *sspi.Credentials, targetName string, flags uint32) (cc *ClientContext, outputToken []byte, err error) {
|
||||||
|
var tname *uint16
|
||||||
|
if len(targetName) > 0 {
|
||||||
|
p, err2 := syscall.UTF16FromString(targetName)
|
||||||
|
if err2 != nil {
|
||||||
|
return nil, nil, err2
|
||||||
|
}
|
||||||
|
if len(p) > 0 {
|
||||||
|
tname = &p[0]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
otoken := make([]byte, PackageInfo.MaxToken)
|
||||||
|
c := sspi.NewClientContext(cred, flags)
|
||||||
|
|
||||||
|
authCompleted, n, err2 := updateContext(c, otoken, nil, tname)
|
||||||
|
if err2 != nil {
|
||||||
|
return nil, nil, err2
|
||||||
|
}
|
||||||
|
if authCompleted {
|
||||||
|
c.Release()
|
||||||
|
return nil, nil, errors.New("negotiate authentication should not be completed yet")
|
||||||
|
}
|
||||||
|
if n == 0 {
|
||||||
|
c.Release()
|
||||||
|
return nil, nil, errors.New("negotiate token should not be empty")
|
||||||
|
}
|
||||||
|
otoken = otoken[:n]
|
||||||
|
return &ClientContext{sctxt: c, targetName: tname}, otoken, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Release free up resources associated with client context c.
|
||||||
|
func (c *ClientContext) Release() error {
|
||||||
|
if c == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return c.sctxt.Release()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Expiry returns c expiry time.
|
||||||
|
func (c *ClientContext) Expiry() time.Time {
|
||||||
|
return c.sctxt.Expiry()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update advances client part of Negotiate negotiation c. It uses
|
||||||
|
// token received from the server and returns true if client part
|
||||||
|
// of authentication is complete. It also returns new token to be
|
||||||
|
// sent to the server.
|
||||||
|
func (c *ClientContext) Update(token []byte) (authCompleted bool, outputToken []byte, err error) {
|
||||||
|
otoken := make([]byte, PackageInfo.MaxToken)
|
||||||
|
authDone, n, err2 := updateContext(c.sctxt, otoken, token, c.targetName)
|
||||||
|
if err2 != nil {
|
||||||
|
return false, nil, err2
|
||||||
|
}
|
||||||
|
if n == 0 && !authDone {
|
||||||
|
return false, nil, errors.New("negotiate token should not be empty")
|
||||||
|
}
|
||||||
|
otoken = otoken[:n]
|
||||||
|
return authDone, otoken, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sizes queries the client context for the sizes used in per-message
|
||||||
|
// functions. It returns the maximum token size used in authentication
|
||||||
|
// exchanges, the maximum signature size, the preferred integral size of
|
||||||
|
// messages, the size of any security trailer, and any error.
|
||||||
|
func (c *ClientContext) Sizes() (uint32, uint32, uint32, uint32, error) {
|
||||||
|
return c.sctxt.Sizes()
|
||||||
|
}
|
||||||
|
|
||||||
|
// MakeSignature uses the established client context to create a signature
|
||||||
|
// for the given message using the provided quality of protection flags and
|
||||||
|
// sequence number. It returns the signature token in addition to any error.
|
||||||
|
func (c *ClientContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, error) {
|
||||||
|
return makeSignature(c.sctxt, msg, qop, seqno)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifySignature uses the established client context and signature token
|
||||||
|
// to check that the provided message hasn't been tampered or received out
|
||||||
|
// of sequence. It returns any quality of protection flags and any error
|
||||||
|
// that occurred.
|
||||||
|
func (c *ClientContext) VerifySignature(msg, token []byte, seqno uint32) (uint32, error) {
|
||||||
|
return verifySignature(c.sctxt, msg, token, seqno)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage uses the established client context to encrypt a message
|
||||||
|
// using the provided quality of protection flags and sequence number.
|
||||||
|
// It returns the signature token in addition to any error.
|
||||||
|
// IMPORTANT: the input msg parameter is updated in place by the low-level windows api
|
||||||
|
// so must be copied if the initial content should not be modified.
|
||||||
|
func (c *ClientContext) EncryptMessage(msg []byte, qop, seqno uint32) ([]byte, error) {
|
||||||
|
return encryptMessage(c.sctxt, msg, qop, seqno)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage uses the established client context to decrypt a message
|
||||||
|
// using the provided sequence number.
|
||||||
|
// It returns the quality of protection flag and the decrypted message in addition to any error.
|
||||||
|
func (c *ClientContext) DecryptMessage(msg []byte, seqno uint32) (uint32, []byte, error) {
|
||||||
|
return decryptMessage(c.sctxt, msg, seqno)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyFlags determines if all flags used to construct the client context
|
||||||
|
// were honored (see NewClientContextWithFlags). It should be called after c.Update.
|
||||||
|
func (c *ClientContext) VerifyFlags() error {
|
||||||
|
return c.sctxt.VerifyFlags()
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifySelectiveFlags determines if the given flags were honored (see NewClientContextWithFlags).
|
||||||
|
// It should be called after c.Update.
|
||||||
|
func (c *ClientContext) VerifySelectiveFlags(flags uint32) error {
|
||||||
|
return c.sctxt.VerifySelectiveFlags(flags)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ServerContext is used by the server to manage all steps of Negotiate
|
||||||
|
// negotiation. Once authentication is completed the context can be
|
||||||
|
// used to impersonate client.
|
||||||
|
type ServerContext struct {
|
||||||
|
sctxt *sspi.Context
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewServerContext creates new server context. It uses server
|
||||||
|
// credentials created by AcquireServerCredentials and token from
|
||||||
|
// the client to start server Negotiate negotiation sequence.
|
||||||
|
// It also returns new token to be sent to the client.
|
||||||
|
func NewServerContext(cred *sspi.Credentials, token []byte) (sc *ServerContext, authDone bool, outputToken []byte, err error) {
|
||||||
|
otoken := make([]byte, PackageInfo.MaxToken)
|
||||||
|
c := sspi.NewServerContext(cred, sspi.ASC_REQ_CONNECTION)
|
||||||
|
authDone, n, err2 := updateContext(c, otoken, token, nil)
|
||||||
|
if err2 != nil {
|
||||||
|
return nil, false, nil, err2
|
||||||
|
}
|
||||||
|
otoken = otoken[:n]
|
||||||
|
return &ServerContext{sctxt: c}, authDone, otoken, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Release free up resources associated with server context c.
|
||||||
|
func (c *ServerContext) Release() error {
|
||||||
|
if c == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return c.sctxt.Release()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Expiry returns c expiry time.
|
||||||
|
func (c *ServerContext) Expiry() time.Time {
|
||||||
|
return c.sctxt.Expiry()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update advances server part of Negotiate negotiation c. It uses
|
||||||
|
// token received from the client and returns true if server part
|
||||||
|
// of authentication is complete. It also returns new token to be
|
||||||
|
// sent to the client.
|
||||||
|
func (c *ServerContext) Update(token []byte) (authCompleted bool, outputToken []byte, err error) {
|
||||||
|
otoken := make([]byte, PackageInfo.MaxToken)
|
||||||
|
authDone, n, err2 := updateContext(c.sctxt, otoken, token, nil)
|
||||||
|
if err2 != nil {
|
||||||
|
return false, nil, err2
|
||||||
|
}
|
||||||
|
if n == 0 && !authDone {
|
||||||
|
return false, nil, errors.New("negotiate token should not be empty")
|
||||||
|
}
|
||||||
|
otoken = otoken[:n]
|
||||||
|
return authDone, otoken, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
const _SECPKG_ATTR_NATIVE_NAMES = 13
|
||||||
|
|
||||||
|
type _SecPkgContext_NativeNames struct {
|
||||||
|
ClientName *uint16
|
||||||
|
ServerName *uint16
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetUsername returns the username corresponding to the authenticated client
|
||||||
|
func (c *ServerContext) GetUsername() (string, error) {
|
||||||
|
var ns _SecPkgContext_NativeNames
|
||||||
|
ret := sspi.QueryContextAttributes(c.sctxt.Handle, _SECPKG_ATTR_NATIVE_NAMES, (*byte)(unsafe.Pointer(&ns)))
|
||||||
|
if ret != sspi.SEC_E_OK {
|
||||||
|
return "", ret
|
||||||
|
}
|
||||||
|
sspi.FreeContextBuffer((*byte)(unsafe.Pointer(ns.ServerName)))
|
||||||
|
defer sspi.FreeContextBuffer((*byte)(unsafe.Pointer(ns.ClientName)))
|
||||||
|
return syscall.UTF16ToString((*[2 << 20]uint16)(unsafe.Pointer(ns.ClientName))[:]), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ImpersonateUser changes current OS thread user. New user is
|
||||||
|
// the user as specified by client credentials.
|
||||||
|
func (c *ServerContext) ImpersonateUser() error {
|
||||||
|
return c.sctxt.ImpersonateUser()
|
||||||
|
}
|
||||||
|
|
||||||
|
// RevertToSelf stops impersonation. It changes current OS thread
|
||||||
|
// user to what it was before ImpersonateUser was executed.
|
||||||
|
func (c *ServerContext) RevertToSelf() error {
|
||||||
|
return c.sctxt.RevertToSelf()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sizes queries the server context for the sizes used in per-message
|
||||||
|
// functions. It returns the maximum token size used in authentication
|
||||||
|
// exchanges, the maximum signature size, the preferred integral size of
|
||||||
|
// messages, the size of any security trailer, and any error.
|
||||||
|
func (c *ServerContext) Sizes() (uint32, uint32, uint32, uint32, error) {
|
||||||
|
return c.sctxt.Sizes()
|
||||||
|
}
|
||||||
|
|
||||||
|
// MakeSignature uses the established server context to create a signature
|
||||||
|
// for the given message using the provided quality of protection flags and
|
||||||
|
// sequence number. It returns the signature token in addition to any error.
|
||||||
|
func (c *ServerContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, error) {
|
||||||
|
return makeSignature(c.sctxt, msg, qop, seqno)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifySignature uses the established server context and signature token
|
||||||
|
// to check that the provided message hasn't been tampered or received out
|
||||||
|
// of sequence. It returns any quality of protection flags and any error
|
||||||
|
// that occurred.
|
||||||
|
func (c *ServerContext) VerifySignature(msg, token []byte, seqno uint32) (uint32, error) {
|
||||||
|
return verifySignature(c.sctxt, msg, token, seqno)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage uses the established server context to encrypt a message
|
||||||
|
// using the provided quality of protection flags and sequence number.
|
||||||
|
// It returns the signature token in addition to any error.
|
||||||
|
// IMPORTANT: the input msg parameter is updated in place by the low-level windows api
|
||||||
|
// so must be copied if the initial content should not be modified.
|
||||||
|
func (c *ServerContext) EncryptMessage(msg []byte, qop, seqno uint32) ([]byte, error) {
|
||||||
|
return encryptMessage(c.sctxt, msg, qop, seqno)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage uses the established server context to decrypt a message
|
||||||
|
// using the provided sequence number.
|
||||||
|
// It returns the quality of protection flag and the decrypted message in addition to any error.
|
||||||
|
func (c *ServerContext) DecryptMessage(msg []byte, seqno uint32) (uint32, []byte, error) {
|
||||||
|
return decryptMessage(c.sctxt, msg, seqno)
|
||||||
|
}
|
226
vendor/github.com/alexbrainman/sspi/sspi.go
generated
vendored
Normal file
226
vendor/github.com/alexbrainman/sspi/sspi.go
generated
vendored
Normal file
@ -0,0 +1,226 @@
|
|||||||
|
// Copyright 2015 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build windows
|
||||||
|
|
||||||
|
package sspi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"syscall"
|
||||||
|
"time"
|
||||||
|
"unsafe"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TODO: add documentation
|
||||||
|
|
||||||
|
type PackageInfo struct {
|
||||||
|
Capabilities uint32
|
||||||
|
Version uint16
|
||||||
|
RPCID uint16
|
||||||
|
MaxToken uint32
|
||||||
|
Name string
|
||||||
|
Comment string
|
||||||
|
}
|
||||||
|
|
||||||
|
func QueryPackageInfo(pkgname string) (*PackageInfo, error) {
|
||||||
|
name, err := syscall.UTF16PtrFromString(pkgname)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
var pi *SecPkgInfo
|
||||||
|
ret := QuerySecurityPackageInfo(name, &pi)
|
||||||
|
if ret != SEC_E_OK {
|
||||||
|
return nil, ret
|
||||||
|
}
|
||||||
|
defer FreeContextBuffer((*byte)(unsafe.Pointer(pi)))
|
||||||
|
|
||||||
|
return &PackageInfo{
|
||||||
|
Capabilities: pi.Capabilities,
|
||||||
|
Version: pi.Version,
|
||||||
|
RPCID: pi.RPCID,
|
||||||
|
MaxToken: pi.MaxToken,
|
||||||
|
Name: syscall.UTF16ToString((*[2 << 12]uint16)(unsafe.Pointer(pi.Name))[:]),
|
||||||
|
Comment: syscall.UTF16ToString((*[2 << 12]uint16)(unsafe.Pointer(pi.Comment))[:]),
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
type Credentials struct {
|
||||||
|
Handle CredHandle
|
||||||
|
expiry syscall.Filetime
|
||||||
|
}
|
||||||
|
|
||||||
|
// AcquireCredentials calls the windows AcquireCredentialsHandle function and
|
||||||
|
// returns Credentials containing a security handle that can be used for
|
||||||
|
// InitializeSecurityContext or AcceptSecurityContext operations.
|
||||||
|
// As a special case, passing an empty string as the principal parameter will
|
||||||
|
// pass a null string to the underlying function.
|
||||||
|
func AcquireCredentials(principal string, pkgname string, creduse uint32, authdata *byte) (*Credentials, error) {
|
||||||
|
var principalName *uint16
|
||||||
|
if principal != "" {
|
||||||
|
var err error
|
||||||
|
principalName, err = syscall.UTF16PtrFromString(principal)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
name, err := syscall.UTF16PtrFromString(pkgname)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
var c Credentials
|
||||||
|
ret := AcquireCredentialsHandle(principalName, name, creduse, nil, authdata, 0, 0, &c.Handle, &c.expiry)
|
||||||
|
if ret != SEC_E_OK {
|
||||||
|
return nil, ret
|
||||||
|
}
|
||||||
|
return &c, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Credentials) Release() error {
|
||||||
|
if c == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
ret := FreeCredentialsHandle(&c.Handle)
|
||||||
|
if ret != SEC_E_OK {
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Credentials) Expiry() time.Time {
|
||||||
|
return time.Unix(0, c.expiry.Nanoseconds())
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: add functions to display and manage RequestedFlags and EstablishedFlags fields.
|
||||||
|
// TODO: maybe get rid of RequestedFlags and EstablishedFlags fields, and replace them with input parameter for New...Context and return value of Update (instead of current bool parameter).
|
||||||
|
|
||||||
|
type updateFunc func(c *Context, targname *uint16, h, newh *CtxtHandle, out, in *SecBufferDesc) syscall.Errno
|
||||||
|
|
||||||
|
type Context struct {
|
||||||
|
Cred *Credentials
|
||||||
|
Handle *CtxtHandle
|
||||||
|
handle CtxtHandle
|
||||||
|
updFn updateFunc
|
||||||
|
expiry syscall.Filetime
|
||||||
|
RequestedFlags uint32
|
||||||
|
EstablishedFlags uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewClientContext(cred *Credentials, flags uint32) *Context {
|
||||||
|
return &Context{
|
||||||
|
Cred: cred,
|
||||||
|
updFn: initialize,
|
||||||
|
RequestedFlags: flags,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewServerContext(cred *Credentials, flags uint32) *Context {
|
||||||
|
return &Context{
|
||||||
|
Cred: cred,
|
||||||
|
updFn: accept,
|
||||||
|
RequestedFlags: flags,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func initialize(c *Context, targname *uint16, h, newh *CtxtHandle, out, in *SecBufferDesc) syscall.Errno {
|
||||||
|
return InitializeSecurityContext(&c.Cred.Handle, h, targname, c.RequestedFlags,
|
||||||
|
0, SECURITY_NATIVE_DREP, in, 0, newh, out, &c.EstablishedFlags, &c.expiry)
|
||||||
|
}
|
||||||
|
|
||||||
|
func accept(c *Context, targname *uint16, h, newh *CtxtHandle, out, in *SecBufferDesc) syscall.Errno {
|
||||||
|
return AcceptSecurityContext(&c.Cred.Handle, h, in, c.RequestedFlags,
|
||||||
|
SECURITY_NATIVE_DREP, newh, out, &c.EstablishedFlags, &c.expiry)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Context) Update(targname *uint16, out, in *SecBufferDesc) syscall.Errno {
|
||||||
|
h := c.Handle
|
||||||
|
if c.Handle == nil {
|
||||||
|
c.Handle = &c.handle
|
||||||
|
}
|
||||||
|
return c.updFn(c, targname, h, c.Handle, out, in)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Context) Release() error {
|
||||||
|
if c == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
ret := DeleteSecurityContext(c.Handle)
|
||||||
|
if ret != SEC_E_OK {
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Context) Expiry() time.Time {
|
||||||
|
return time.Unix(0, c.expiry.Nanoseconds())
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: add comment to function doco that this "impersonation" is applied to current OS thread.
|
||||||
|
func (c *Context) ImpersonateUser() error {
|
||||||
|
ret := ImpersonateSecurityContext(c.Handle)
|
||||||
|
if ret != SEC_E_OK {
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Context) RevertToSelf() error {
|
||||||
|
ret := RevertSecurityContext(c.Handle)
|
||||||
|
if ret != SEC_E_OK {
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sizes queries the context for the sizes used in per-message functions.
|
||||||
|
// It returns the maximum token size used in authentication exchanges, the
|
||||||
|
// maximum signature size, the preferred integral size of messages, the
|
||||||
|
// size of any security trailer, and any error.
|
||||||
|
func (c *Context) Sizes() (uint32, uint32, uint32, uint32, error) {
|
||||||
|
var s _SecPkgContext_Sizes
|
||||||
|
ret := QueryContextAttributes(c.Handle, _SECPKG_ATTR_SIZES, (*byte)(unsafe.Pointer(&s)))
|
||||||
|
if ret != SEC_E_OK {
|
||||||
|
return 0, 0, 0, 0, ret
|
||||||
|
}
|
||||||
|
return s.MaxToken, s.MaxSignature, s.BlockSize, s.SecurityTrailer, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyFlags determines if all flags used to construct the context
|
||||||
|
// were honored (see NewClientContext). It should be called after c.Update.
|
||||||
|
func (c *Context) VerifyFlags() error {
|
||||||
|
return c.VerifySelectiveFlags(c.RequestedFlags)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifySelectiveFlags determines if the given flags were honored (see NewClientContext).
|
||||||
|
// It should be called after c.Update.
|
||||||
|
func (c *Context) VerifySelectiveFlags(flags uint32) error {
|
||||||
|
if valid, missing, extra := verifySelectiveFlags(flags, c.RequestedFlags); !valid {
|
||||||
|
return fmt.Errorf("sspi: invalid flags check: desired=%b requested=%b missing=%b extra=%b", flags, c.RequestedFlags, missing, extra)
|
||||||
|
}
|
||||||
|
if valid, missing, extra := verifySelectiveFlags(flags, c.EstablishedFlags); !valid {
|
||||||
|
return fmt.Errorf("sspi: invalid flags: desired=%b established=%b missing=%b extra=%b", flags, c.EstablishedFlags, missing, extra)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// verifySelectiveFlags determines if all bits requested in flags are set in establishedFlags.
|
||||||
|
// missing represents the bits set in flags that are not set in establishedFlags.
|
||||||
|
// extra represents the bits set in establishedFlags that are not set in flags.
|
||||||
|
// valid is true and missing is zero when establishedFlags has all of the requested flags.
|
||||||
|
func verifySelectiveFlags(flags, establishedFlags uint32) (valid bool, missing, extra uint32) {
|
||||||
|
missing = flags&establishedFlags ^ flags
|
||||||
|
extra = flags | establishedFlags ^ flags
|
||||||
|
valid = missing == 0
|
||||||
|
return valid, missing, extra
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewSecBufferDesc returns an initialized SecBufferDesc describing the
|
||||||
|
// provided SecBuffer.
|
||||||
|
func NewSecBufferDesc(b []SecBuffer) *SecBufferDesc {
|
||||||
|
return &SecBufferDesc{
|
||||||
|
Version: SECBUFFER_VERSION,
|
||||||
|
BuffersCount: uint32(len(b)),
|
||||||
|
Buffers: &b[0],
|
||||||
|
}
|
||||||
|
}
|
174
vendor/github.com/alexbrainman/sspi/syscall.go
generated
vendored
Normal file
174
vendor/github.com/alexbrainman/sspi/syscall.go
generated
vendored
Normal file
@ -0,0 +1,174 @@
|
|||||||
|
// Copyright 2015 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// +build windows
|
||||||
|
|
||||||
|
package sspi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"syscall"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
SEC_E_OK = syscall.Errno(0)
|
||||||
|
|
||||||
|
SEC_I_COMPLETE_AND_CONTINUE = syscall.Errno(590612)
|
||||||
|
SEC_I_COMPLETE_NEEDED = syscall.Errno(590611)
|
||||||
|
SEC_I_CONTINUE_NEEDED = syscall.Errno(590610)
|
||||||
|
|
||||||
|
SEC_E_LOGON_DENIED = syscall.Errno(0x8009030c)
|
||||||
|
SEC_E_CONTEXT_EXPIRED = syscall.Errno(0x80090317) // not sure if the value is valid
|
||||||
|
SEC_E_INCOMPLETE_MESSAGE = syscall.Errno(0x80090318)
|
||||||
|
|
||||||
|
NTLMSP_NAME = "NTLM"
|
||||||
|
MICROSOFT_KERBEROS_NAME = "Kerberos"
|
||||||
|
NEGOSSP_NAME = "Negotiate"
|
||||||
|
UNISP_NAME = "Microsoft Unified Security Protocol Provider"
|
||||||
|
|
||||||
|
_SECPKG_ATTR_SIZES = 0
|
||||||
|
_SECPKG_ATTR_NAMES = 1
|
||||||
|
_SECPKG_ATTR_LIFESPAN = 2
|
||||||
|
_SECPKG_ATTR_DCE_INFO = 3
|
||||||
|
_SECPKG_ATTR_STREAM_SIZES = 4
|
||||||
|
_SECPKG_ATTR_KEY_INFO = 5
|
||||||
|
_SECPKG_ATTR_AUTHORITY = 6
|
||||||
|
_SECPKG_ATTR_PROTO_INFO = 7
|
||||||
|
_SECPKG_ATTR_PASSWORD_EXPIRY = 8
|
||||||
|
_SECPKG_ATTR_SESSION_KEY = 9
|
||||||
|
_SECPKG_ATTR_PACKAGE_INFO = 10
|
||||||
|
_SECPKG_ATTR_USER_FLAGS = 11
|
||||||
|
_SECPKG_ATTR_NEGOTIATION_INFO = 12
|
||||||
|
_SECPKG_ATTR_NATIVE_NAMES = 13
|
||||||
|
_SECPKG_ATTR_FLAGS = 14
|
||||||
|
)
|
||||||
|
|
||||||
|
type SecPkgInfo struct {
|
||||||
|
Capabilities uint32
|
||||||
|
Version uint16
|
||||||
|
RPCID uint16
|
||||||
|
MaxToken uint32
|
||||||
|
Name *uint16
|
||||||
|
Comment *uint16
|
||||||
|
}
|
||||||
|
|
||||||
|
type _SecPkgContext_Sizes struct {
|
||||||
|
MaxToken uint32
|
||||||
|
MaxSignature uint32
|
||||||
|
BlockSize uint32
|
||||||
|
SecurityTrailer uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
//sys QuerySecurityPackageInfo(pkgname *uint16, pkginfo **SecPkgInfo) (ret syscall.Errno) = secur32.QuerySecurityPackageInfoW
|
||||||
|
//sys FreeContextBuffer(buf *byte) (ret syscall.Errno) = secur32.FreeContextBuffer
|
||||||
|
|
||||||
|
const (
|
||||||
|
SECPKG_CRED_INBOUND = 1
|
||||||
|
SECPKG_CRED_OUTBOUND = 2
|
||||||
|
SECPKG_CRED_BOTH = (SECPKG_CRED_OUTBOUND | SECPKG_CRED_INBOUND)
|
||||||
|
|
||||||
|
SEC_WINNT_AUTH_IDENTITY_UNICODE = 0x2
|
||||||
|
)
|
||||||
|
|
||||||
|
type SEC_WINNT_AUTH_IDENTITY struct {
|
||||||
|
User *uint16
|
||||||
|
UserLength uint32
|
||||||
|
Domain *uint16
|
||||||
|
DomainLength uint32
|
||||||
|
Password *uint16
|
||||||
|
PasswordLength uint32
|
||||||
|
Flags uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
type LUID struct {
|
||||||
|
LowPart uint32
|
||||||
|
HighPart int32
|
||||||
|
}
|
||||||
|
|
||||||
|
type CredHandle struct {
|
||||||
|
Lower uintptr
|
||||||
|
Upper uintptr
|
||||||
|
}
|
||||||
|
|
||||||
|
//sys AcquireCredentialsHandle(principal *uint16, pkgname *uint16, creduse uint32, logonid *LUID, authdata *byte, getkeyfn uintptr, getkeyarg uintptr, handle *CredHandle, expiry *syscall.Filetime) (ret syscall.Errno) = secur32.AcquireCredentialsHandleW
|
||||||
|
//sys FreeCredentialsHandle(handle *CredHandle) (ret syscall.Errno) = secur32.FreeCredentialsHandle
|
||||||
|
|
||||||
|
const (
|
||||||
|
SECURITY_NATIVE_DREP = 16
|
||||||
|
|
||||||
|
SECBUFFER_DATA = 1
|
||||||
|
SECBUFFER_TOKEN = 2
|
||||||
|
SECBUFFER_PKG_PARAMS = 3
|
||||||
|
SECBUFFER_MISSING = 4
|
||||||
|
SECBUFFER_EXTRA = 5
|
||||||
|
SECBUFFER_STREAM_TRAILER = 6
|
||||||
|
SECBUFFER_STREAM_HEADER = 7
|
||||||
|
SECBUFFER_PADDING = 9
|
||||||
|
SECBUFFER_STREAM = 10
|
||||||
|
SECBUFFER_READONLY = 0x80000000
|
||||||
|
SECBUFFER_ATTRMASK = 0xf0000000
|
||||||
|
SECBUFFER_VERSION = 0
|
||||||
|
SECBUFFER_EMPTY = 0
|
||||||
|
|
||||||
|
ISC_REQ_DELEGATE = 1
|
||||||
|
ISC_REQ_MUTUAL_AUTH = 2
|
||||||
|
ISC_REQ_REPLAY_DETECT = 4
|
||||||
|
ISC_REQ_SEQUENCE_DETECT = 8
|
||||||
|
ISC_REQ_CONFIDENTIALITY = 16
|
||||||
|
ISC_REQ_USE_SESSION_KEY = 32
|
||||||
|
ISC_REQ_PROMPT_FOR_CREDS = 64
|
||||||
|
ISC_REQ_USE_SUPPLIED_CREDS = 128
|
||||||
|
ISC_REQ_ALLOCATE_MEMORY = 256
|
||||||
|
ISC_REQ_USE_DCE_STYLE = 512
|
||||||
|
ISC_REQ_DATAGRAM = 1024
|
||||||
|
ISC_REQ_CONNECTION = 2048
|
||||||
|
ISC_REQ_EXTENDED_ERROR = 16384
|
||||||
|
ISC_REQ_STREAM = 32768
|
||||||
|
ISC_REQ_INTEGRITY = 65536
|
||||||
|
ISC_REQ_MANUAL_CRED_VALIDATION = 524288
|
||||||
|
ISC_REQ_HTTP = 268435456
|
||||||
|
|
||||||
|
ASC_REQ_DELEGATE = 1
|
||||||
|
ASC_REQ_MUTUAL_AUTH = 2
|
||||||
|
ASC_REQ_REPLAY_DETECT = 4
|
||||||
|
ASC_REQ_SEQUENCE_DETECT = 8
|
||||||
|
ASC_REQ_CONFIDENTIALITY = 16
|
||||||
|
ASC_REQ_USE_SESSION_KEY = 32
|
||||||
|
ASC_REQ_ALLOCATE_MEMORY = 256
|
||||||
|
ASC_REQ_USE_DCE_STYLE = 512
|
||||||
|
ASC_REQ_DATAGRAM = 1024
|
||||||
|
ASC_REQ_CONNECTION = 2048
|
||||||
|
ASC_REQ_EXTENDED_ERROR = 32768
|
||||||
|
ASC_REQ_STREAM = 65536
|
||||||
|
ASC_REQ_INTEGRITY = 131072
|
||||||
|
)
|
||||||
|
|
||||||
|
type CtxtHandle struct {
|
||||||
|
Lower uintptr
|
||||||
|
Upper uintptr
|
||||||
|
}
|
||||||
|
|
||||||
|
type SecBuffer struct {
|
||||||
|
BufferSize uint32
|
||||||
|
BufferType uint32
|
||||||
|
Buffer *byte
|
||||||
|
}
|
||||||
|
|
||||||
|
type SecBufferDesc struct {
|
||||||
|
Version uint32
|
||||||
|
BuffersCount uint32
|
||||||
|
Buffers *SecBuffer
|
||||||
|
}
|
||||||
|
|
||||||
|
//sys InitializeSecurityContext(credential *CredHandle, context *CtxtHandle, targname *uint16, contextreq uint32, reserved1 uint32, targdatarep uint32, input *SecBufferDesc, reserved2 uint32, newcontext *CtxtHandle, output *SecBufferDesc, contextattr *uint32, expiry *syscall.Filetime) (ret syscall.Errno) = secur32.InitializeSecurityContextW
|
||||||
|
//sys AcceptSecurityContext(credential *CredHandle, context *CtxtHandle, input *SecBufferDesc, contextreq uint32, targdatarep uint32, newcontext *CtxtHandle, output *SecBufferDesc, contextattr *uint32, expiry *syscall.Filetime) (ret syscall.Errno) = secur32.AcceptSecurityContext
|
||||||
|
//sys CompleteAuthToken(context *CtxtHandle, token *SecBufferDesc) (ret syscall.Errno) = secur32.CompleteAuthToken
|
||||||
|
//sys DeleteSecurityContext(context *CtxtHandle) (ret syscall.Errno) = secur32.DeleteSecurityContext
|
||||||
|
//sys ImpersonateSecurityContext(context *CtxtHandle) (ret syscall.Errno) = secur32.ImpersonateSecurityContext
|
||||||
|
//sys RevertSecurityContext(context *CtxtHandle) (ret syscall.Errno) = secur32.RevertSecurityContext
|
||||||
|
//sys QueryContextAttributes(context *CtxtHandle, attribute uint32, buf *byte) (ret syscall.Errno) = secur32.QueryContextAttributesW
|
||||||
|
//sys EncryptMessage(context *CtxtHandle, qop uint32, message *SecBufferDesc, messageseqno uint32) (ret syscall.Errno) = secur32.EncryptMessage
|
||||||
|
//sys DecryptMessage(context *CtxtHandle, message *SecBufferDesc, messageseqno uint32, qop *uint32) (ret syscall.Errno) = secur32.DecryptMessage
|
||||||
|
//sys ApplyControlToken(context *CtxtHandle, input *SecBufferDesc) (ret syscall.Errno) = secur32.ApplyControlToken
|
||||||
|
//sys MakeSignature(context *CtxtHandle, qop uint32, message *SecBufferDesc, messageseqno uint32) (ret syscall.Errno) = secur32.MakeSignature
|
||||||
|
//sys VerifySignature(context *CtxtHandle, message *SecBufferDesc, messageseqno uint32, qop *uint32) (ret syscall.Errno) = secur32.VerifySignature
|
152
vendor/github.com/alexbrainman/sspi/zsyscall_windows.go
generated
vendored
Normal file
152
vendor/github.com/alexbrainman/sspi/zsyscall_windows.go
generated
vendored
Normal file
@ -0,0 +1,152 @@
|
|||||||
|
// MACHINE GENERATED BY 'go generate' COMMAND; DO NOT EDIT
|
||||||
|
|
||||||
|
package sspi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"syscall"
|
||||||
|
"unsafe"
|
||||||
|
)
|
||||||
|
|
||||||
|
var _ unsafe.Pointer
|
||||||
|
|
||||||
|
// Do the interface allocations only once for common
|
||||||
|
// Errno values.
|
||||||
|
const (
|
||||||
|
errnoERROR_IO_PENDING = 997
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
|
||||||
|
)
|
||||||
|
|
||||||
|
// errnoErr returns common boxed Errno values, to prevent
|
||||||
|
// allocations at runtime.
|
||||||
|
func errnoErr(e syscall.Errno) error {
|
||||||
|
switch e {
|
||||||
|
case 0:
|
||||||
|
return nil
|
||||||
|
case errnoERROR_IO_PENDING:
|
||||||
|
return errERROR_IO_PENDING
|
||||||
|
}
|
||||||
|
// TODO: add more here, after collecting data on the common
|
||||||
|
// error values see on Windows. (perhaps when running
|
||||||
|
// all.bat?)
|
||||||
|
return e
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
modsecur32 = syscall.NewLazyDLL("secur32.dll")
|
||||||
|
|
||||||
|
procQuerySecurityPackageInfoW = modsecur32.NewProc("QuerySecurityPackageInfoW")
|
||||||
|
procFreeContextBuffer = modsecur32.NewProc("FreeContextBuffer")
|
||||||
|
procAcquireCredentialsHandleW = modsecur32.NewProc("AcquireCredentialsHandleW")
|
||||||
|
procFreeCredentialsHandle = modsecur32.NewProc("FreeCredentialsHandle")
|
||||||
|
procInitializeSecurityContextW = modsecur32.NewProc("InitializeSecurityContextW")
|
||||||
|
procAcceptSecurityContext = modsecur32.NewProc("AcceptSecurityContext")
|
||||||
|
procCompleteAuthToken = modsecur32.NewProc("CompleteAuthToken")
|
||||||
|
procDeleteSecurityContext = modsecur32.NewProc("DeleteSecurityContext")
|
||||||
|
procImpersonateSecurityContext = modsecur32.NewProc("ImpersonateSecurityContext")
|
||||||
|
procRevertSecurityContext = modsecur32.NewProc("RevertSecurityContext")
|
||||||
|
procQueryContextAttributesW = modsecur32.NewProc("QueryContextAttributesW")
|
||||||
|
procEncryptMessage = modsecur32.NewProc("EncryptMessage")
|
||||||
|
procDecryptMessage = modsecur32.NewProc("DecryptMessage")
|
||||||
|
procApplyControlToken = modsecur32.NewProc("ApplyControlToken")
|
||||||
|
procMakeSignature = modsecur32.NewProc("MakeSignature")
|
||||||
|
procVerifySignature = modsecur32.NewProc("VerifySignature")
|
||||||
|
)
|
||||||
|
|
||||||
|
func QuerySecurityPackageInfo(pkgname *uint16, pkginfo **SecPkgInfo) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procQuerySecurityPackageInfoW.Addr(), 2, uintptr(unsafe.Pointer(pkgname)), uintptr(unsafe.Pointer(pkginfo)), 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func FreeContextBuffer(buf *byte) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procFreeContextBuffer.Addr(), 1, uintptr(unsafe.Pointer(buf)), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func AcquireCredentialsHandle(principal *uint16, pkgname *uint16, creduse uint32, logonid *LUID, authdata *byte, getkeyfn uintptr, getkeyarg uintptr, handle *CredHandle, expiry *syscall.Filetime) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall9(procAcquireCredentialsHandleW.Addr(), 9, uintptr(unsafe.Pointer(principal)), uintptr(unsafe.Pointer(pkgname)), uintptr(creduse), uintptr(unsafe.Pointer(logonid)), uintptr(unsafe.Pointer(authdata)), uintptr(getkeyfn), uintptr(getkeyarg), uintptr(unsafe.Pointer(handle)), uintptr(unsafe.Pointer(expiry)))
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func FreeCredentialsHandle(handle *CredHandle) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procFreeCredentialsHandle.Addr(), 1, uintptr(unsafe.Pointer(handle)), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func InitializeSecurityContext(credential *CredHandle, context *CtxtHandle, targname *uint16, contextreq uint32, reserved1 uint32, targdatarep uint32, input *SecBufferDesc, reserved2 uint32, newcontext *CtxtHandle, output *SecBufferDesc, contextattr *uint32, expiry *syscall.Filetime) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall12(procInitializeSecurityContextW.Addr(), 12, uintptr(unsafe.Pointer(credential)), uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(targname)), uintptr(contextreq), uintptr(reserved1), uintptr(targdatarep), uintptr(unsafe.Pointer(input)), uintptr(reserved2), uintptr(unsafe.Pointer(newcontext)), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(contextattr)), uintptr(unsafe.Pointer(expiry)))
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func AcceptSecurityContext(credential *CredHandle, context *CtxtHandle, input *SecBufferDesc, contextreq uint32, targdatarep uint32, newcontext *CtxtHandle, output *SecBufferDesc, contextattr *uint32, expiry *syscall.Filetime) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall9(procAcceptSecurityContext.Addr(), 9, uintptr(unsafe.Pointer(credential)), uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(input)), uintptr(contextreq), uintptr(targdatarep), uintptr(unsafe.Pointer(newcontext)), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(contextattr)), uintptr(unsafe.Pointer(expiry)))
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func CompleteAuthToken(context *CtxtHandle, token *SecBufferDesc) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procCompleteAuthToken.Addr(), 2, uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(token)), 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func DeleteSecurityContext(context *CtxtHandle) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procDeleteSecurityContext.Addr(), 1, uintptr(unsafe.Pointer(context)), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func ImpersonateSecurityContext(context *CtxtHandle) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procImpersonateSecurityContext.Addr(), 1, uintptr(unsafe.Pointer(context)), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func RevertSecurityContext(context *CtxtHandle) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procRevertSecurityContext.Addr(), 1, uintptr(unsafe.Pointer(context)), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func QueryContextAttributes(context *CtxtHandle, attribute uint32, buf *byte) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procQueryContextAttributesW.Addr(), 3, uintptr(unsafe.Pointer(context)), uintptr(attribute), uintptr(unsafe.Pointer(buf)))
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func EncryptMessage(context *CtxtHandle, qop uint32, message *SecBufferDesc, messageseqno uint32) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall6(procEncryptMessage.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(qop), uintptr(unsafe.Pointer(message)), uintptr(messageseqno), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func DecryptMessage(context *CtxtHandle, message *SecBufferDesc, messageseqno uint32, qop *uint32) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall6(procDecryptMessage.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(message)), uintptr(messageseqno), uintptr(unsafe.Pointer(qop)), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func ApplyControlToken(context *CtxtHandle, input *SecBufferDesc) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall(procApplyControlToken.Addr(), 2, uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(input)), 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func MakeSignature(context *CtxtHandle, qop uint32, message *SecBufferDesc, messageseqno uint32) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall6(procMakeSignature.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(qop), uintptr(unsafe.Pointer(message)), uintptr(messageseqno), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func VerifySignature(context *CtxtHandle, message *SecBufferDesc, messageseqno uint32, qop *uint32) (ret syscall.Errno) {
|
||||||
|
r0, _, _ := syscall.Syscall6(procVerifySignature.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(message)), uintptr(messageseqno), uintptr(unsafe.Pointer(qop)), 0, 0)
|
||||||
|
ret = syscall.Errno(r0)
|
||||||
|
return
|
||||||
|
}
|
12
vendor/github.com/hashicorp/go-uuid/.travis.yml
generated
vendored
Normal file
12
vendor/github.com/hashicorp/go-uuid/.travis.yml
generated
vendored
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
language: go
|
||||||
|
|
||||||
|
sudo: false
|
||||||
|
|
||||||
|
go:
|
||||||
|
- 1.4
|
||||||
|
- 1.5
|
||||||
|
- 1.6
|
||||||
|
- tip
|
||||||
|
|
||||||
|
script:
|
||||||
|
- go test -bench . -benchmem -v ./...
|
363
vendor/github.com/hashicorp/go-uuid/LICENSE
generated
vendored
Normal file
363
vendor/github.com/hashicorp/go-uuid/LICENSE
generated
vendored
Normal file
@ -0,0 +1,363 @@
|
|||||||
|
Mozilla Public License, version 2.0
|
||||||
|
|
||||||
|
1. Definitions
|
||||||
|
|
||||||
|
1.1. "Contributor"
|
||||||
|
|
||||||
|
means each individual or legal entity that creates, contributes to the
|
||||||
|
creation of, or owns Covered Software.
|
||||||
|
|
||||||
|
1.2. "Contributor Version"
|
||||||
|
|
||||||
|
means the combination of the Contributions of others (if any) used by a
|
||||||
|
Contributor and that particular Contributor's Contribution.
|
||||||
|
|
||||||
|
1.3. "Contribution"
|
||||||
|
|
||||||
|
means Covered Software of a particular Contributor.
|
||||||
|
|
||||||
|
1.4. "Covered Software"
|
||||||
|
|
||||||
|
means Source Code Form to which the initial Contributor has attached the
|
||||||
|
notice in Exhibit A, the Executable Form of such Source Code Form, and
|
||||||
|
Modifications of such Source Code Form, in each case including portions
|
||||||
|
thereof.
|
||||||
|
|
||||||
|
1.5. "Incompatible With Secondary Licenses"
|
||||||
|
means
|
||||||
|
|
||||||
|
a. that the initial Contributor has attached the notice described in
|
||||||
|
Exhibit B to the Covered Software; or
|
||||||
|
|
||||||
|
b. that the Covered Software was made available under the terms of
|
||||||
|
version 1.1 or earlier of the License, but not also under the terms of
|
||||||
|
a Secondary License.
|
||||||
|
|
||||||
|
1.6. "Executable Form"
|
||||||
|
|
||||||
|
means any form of the work other than Source Code Form.
|
||||||
|
|
||||||
|
1.7. "Larger Work"
|
||||||
|
|
||||||
|
means a work that combines Covered Software with other material, in a
|
||||||
|
separate file or files, that is not Covered Software.
|
||||||
|
|
||||||
|
1.8. "License"
|
||||||
|
|
||||||
|
means this document.
|
||||||
|
|
||||||
|
1.9. "Licensable"
|
||||||
|
|
||||||
|
means having the right to grant, to the maximum extent possible, whether
|
||||||
|
at the time of the initial grant or subsequently, any and all of the
|
||||||
|
rights conveyed by this License.
|
||||||
|
|
||||||
|
1.10. "Modifications"
|
||||||
|
|
||||||
|
means any of the following:
|
||||||
|
|
||||||
|
a. any file in Source Code Form that results from an addition to,
|
||||||
|
deletion from, or modification of the contents of Covered Software; or
|
||||||
|
|
||||||
|
b. any new file in Source Code Form that contains any Covered Software.
|
||||||
|
|
||||||
|
1.11. "Patent Claims" of a Contributor
|
||||||
|
|
||||||
|
means any patent claim(s), including without limitation, method,
|
||||||
|
process, and apparatus claims, in any patent Licensable by such
|
||||||
|
Contributor that would be infringed, but for the grant of the License,
|
||||||
|
by the making, using, selling, offering for sale, having made, import,
|
||||||
|
or transfer of either its Contributions or its Contributor Version.
|
||||||
|
|
||||||
|
1.12. "Secondary License"
|
||||||
|
|
||||||
|
means either the GNU General Public License, Version 2.0, the GNU Lesser
|
||||||
|
General Public License, Version 2.1, the GNU Affero General Public
|
||||||
|
License, Version 3.0, or any later versions of those licenses.
|
||||||
|
|
||||||
|
1.13. "Source Code Form"
|
||||||
|
|
||||||
|
means the form of the work preferred for making modifications.
|
||||||
|
|
||||||
|
1.14. "You" (or "Your")
|
||||||
|
|
||||||
|
means an individual or a legal entity exercising rights under this
|
||||||
|
License. For legal entities, "You" includes any entity that controls, is
|
||||||
|
controlled by, or is under common control with You. For purposes of this
|
||||||
|
definition, "control" means (a) the power, direct or indirect, to cause
|
||||||
|
the direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (b) ownership of more than fifty percent (50%) of the
|
||||||
|
outstanding shares or beneficial ownership of such entity.
|
||||||
|
|
||||||
|
|
||||||
|
2. License Grants and Conditions
|
||||||
|
|
||||||
|
2.1. Grants
|
||||||
|
|
||||||
|
Each Contributor hereby grants You a world-wide, royalty-free,
|
||||||
|
non-exclusive license:
|
||||||
|
|
||||||
|
a. under intellectual property rights (other than patent or trademark)
|
||||||
|
Licensable by such Contributor to use, reproduce, make available,
|
||||||
|
modify, display, perform, distribute, and otherwise exploit its
|
||||||
|
Contributions, either on an unmodified basis, with Modifications, or
|
||||||
|
as part of a Larger Work; and
|
||||||
|
|
||||||
|
b. under Patent Claims of such Contributor to make, use, sell, offer for
|
||||||
|
sale, have made, import, and otherwise transfer either its
|
||||||
|
Contributions or its Contributor Version.
|
||||||
|
|
||||||
|
2.2. Effective Date
|
||||||
|
|
||||||
|
The licenses granted in Section 2.1 with respect to any Contribution
|
||||||
|
become effective for each Contribution on the date the Contributor first
|
||||||
|
distributes such Contribution.
|
||||||
|
|
||||||
|
2.3. Limitations on Grant Scope
|
||||||
|
|
||||||
|
The licenses granted in this Section 2 are the only rights granted under
|
||||||
|
this License. No additional rights or licenses will be implied from the
|
||||||
|
distribution or licensing of Covered Software under this License.
|
||||||
|
Notwithstanding Section 2.1(b) above, no patent license is granted by a
|
||||||
|
Contributor:
|
||||||
|
|
||||||
|
a. for any code that a Contributor has removed from Covered Software; or
|
||||||
|
|
||||||
|
b. for infringements caused by: (i) Your and any other third party's
|
||||||
|
modifications of Covered Software, or (ii) the combination of its
|
||||||
|
Contributions with other software (except as part of its Contributor
|
||||||
|
Version); or
|
||||||
|
|
||||||
|
c. under Patent Claims infringed by Covered Software in the absence of
|
||||||
|
its Contributions.
|
||||||
|
|
||||||
|
This License does not grant any rights in the trademarks, service marks,
|
||||||
|
or logos of any Contributor (except as may be necessary to comply with
|
||||||
|
the notice requirements in Section 3.4).
|
||||||
|
|
||||||
|
2.4. Subsequent Licenses
|
||||||
|
|
||||||
|
No Contributor makes additional grants as a result of Your choice to
|
||||||
|
distribute the Covered Software under a subsequent version of this
|
||||||
|
License (see Section 10.2) or under the terms of a Secondary License (if
|
||||||
|
permitted under the terms of Section 3.3).
|
||||||
|
|
||||||
|
2.5. Representation
|
||||||
|
|
||||||
|
Each Contributor represents that the Contributor believes its
|
||||||
|
Contributions are its original creation(s) or it has sufficient rights to
|
||||||
|
grant the rights to its Contributions conveyed by this License.
|
||||||
|
|
||||||
|
2.6. Fair Use
|
||||||
|
|
||||||
|
This License is not intended to limit any rights You have under
|
||||||
|
applicable copyright doctrines of fair use, fair dealing, or other
|
||||||
|
equivalents.
|
||||||
|
|
||||||
|
2.7. Conditions
|
||||||
|
|
||||||
|
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
|
||||||
|
Section 2.1.
|
||||||
|
|
||||||
|
|
||||||
|
3. Responsibilities
|
||||||
|
|
||||||
|
3.1. Distribution of Source Form
|
||||||
|
|
||||||
|
All distribution of Covered Software in Source Code Form, including any
|
||||||
|
Modifications that You create or to which You contribute, must be under
|
||||||
|
the terms of this License. You must inform recipients that the Source
|
||||||
|
Code Form of the Covered Software is governed by the terms of this
|
||||||
|
License, and how they can obtain a copy of this License. You may not
|
||||||
|
attempt to alter or restrict the recipients' rights in the Source Code
|
||||||
|
Form.
|
||||||
|
|
||||||
|
3.2. Distribution of Executable Form
|
||||||
|
|
||||||
|
If You distribute Covered Software in Executable Form then:
|
||||||
|
|
||||||
|
a. such Covered Software must also be made available in Source Code Form,
|
||||||
|
as described in Section 3.1, and You must inform recipients of the
|
||||||
|
Executable Form how they can obtain a copy of such Source Code Form by
|
||||||
|
reasonable means in a timely manner, at a charge no more than the cost
|
||||||
|
of distribution to the recipient; and
|
||||||
|
|
||||||
|
b. You may distribute such Executable Form under the terms of this
|
||||||
|
License, or sublicense it under different terms, provided that the
|
||||||
|
license for the Executable Form does not attempt to limit or alter the
|
||||||
|
recipients' rights in the Source Code Form under this License.
|
||||||
|
|
||||||
|
3.3. Distribution of a Larger Work
|
||||||
|
|
||||||
|
You may create and distribute a Larger Work under terms of Your choice,
|
||||||
|
provided that You also comply with the requirements of this License for
|
||||||
|
the Covered Software. If the Larger Work is a combination of Covered
|
||||||
|
Software with a work governed by one or more Secondary Licenses, and the
|
||||||
|
Covered Software is not Incompatible With Secondary Licenses, this
|
||||||
|
License permits You to additionally distribute such Covered Software
|
||||||
|
under the terms of such Secondary License(s), so that the recipient of
|
||||||
|
the Larger Work may, at their option, further distribute the Covered
|
||||||
|
Software under the terms of either this License or such Secondary
|
||||||
|
License(s).
|
||||||
|
|
||||||
|
3.4. Notices
|
||||||
|
|
||||||
|
You may not remove or alter the substance of any license notices
|
||||||
|
(including copyright notices, patent notices, disclaimers of warranty, or
|
||||||
|
limitations of liability) contained within the Source Code Form of the
|
||||||
|
Covered Software, except that You may alter any license notices to the
|
||||||
|
extent required to remedy known factual inaccuracies.
|
||||||
|
|
||||||
|
3.5. Application of Additional Terms
|
||||||
|
|
||||||
|
You may choose to offer, and to charge a fee for, warranty, support,
|
||||||
|
indemnity or liability obligations to one or more recipients of Covered
|
||||||
|
Software. However, You may do so only on Your own behalf, and not on
|
||||||
|
behalf of any Contributor. You must make it absolutely clear that any
|
||||||
|
such warranty, support, indemnity, or liability obligation is offered by
|
||||||
|
You alone, and You hereby agree to indemnify every Contributor for any
|
||||||
|
liability incurred by such Contributor as a result of warranty, support,
|
||||||
|
indemnity or liability terms You offer. You may include additional
|
||||||
|
disclaimers of warranty and limitations of liability specific to any
|
||||||
|
jurisdiction.
|
||||||
|
|
||||||
|
4. Inability to Comply Due to Statute or Regulation
|
||||||
|
|
||||||
|
If it is impossible for You to comply with any of the terms of this License
|
||||||
|
with respect to some or all of the Covered Software due to statute,
|
||||||
|
judicial order, or regulation then You must: (a) comply with the terms of
|
||||||
|
this License to the maximum extent possible; and (b) describe the
|
||||||
|
limitations and the code they affect. Such description must be placed in a
|
||||||
|
text file included with all distributions of the Covered Software under
|
||||||
|
this License. Except to the extent prohibited by statute or regulation,
|
||||||
|
such description must be sufficiently detailed for a recipient of ordinary
|
||||||
|
skill to be able to understand it.
|
||||||
|
|
||||||
|
5. Termination
|
||||||
|
|
||||||
|
5.1. The rights granted under this License will terminate automatically if You
|
||||||
|
fail to comply with any of its terms. However, if You become compliant,
|
||||||
|
then the rights granted under this License from a particular Contributor
|
||||||
|
are reinstated (a) provisionally, unless and until such Contributor
|
||||||
|
explicitly and finally terminates Your grants, and (b) on an ongoing
|
||||||
|
basis, if such Contributor fails to notify You of the non-compliance by
|
||||||
|
some reasonable means prior to 60 days after You have come back into
|
||||||
|
compliance. Moreover, Your grants from a particular Contributor are
|
||||||
|
reinstated on an ongoing basis if such Contributor notifies You of the
|
||||||
|
non-compliance by some reasonable means, this is the first time You have
|
||||||
|
received notice of non-compliance with this License from such
|
||||||
|
Contributor, and You become compliant prior to 30 days after Your receipt
|
||||||
|
of the notice.
|
||||||
|
|
||||||
|
5.2. If You initiate litigation against any entity by asserting a patent
|
||||||
|
infringement claim (excluding declaratory judgment actions,
|
||||||
|
counter-claims, and cross-claims) alleging that a Contributor Version
|
||||||
|
directly or indirectly infringes any patent, then the rights granted to
|
||||||
|
You by any and all Contributors for the Covered Software under Section
|
||||||
|
2.1 of this License shall terminate.
|
||||||
|
|
||||||
|
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
|
||||||
|
license agreements (excluding distributors and resellers) which have been
|
||||||
|
validly granted by You or Your distributors under this License prior to
|
||||||
|
termination shall survive termination.
|
||||||
|
|
||||||
|
6. Disclaimer of Warranty
|
||||||
|
|
||||||
|
Covered Software is provided under this License on an "as is" basis,
|
||||||
|
without warranty of any kind, either expressed, implied, or statutory,
|
||||||
|
including, without limitation, warranties that the Covered Software is free
|
||||||
|
of defects, merchantable, fit for a particular purpose or non-infringing.
|
||||||
|
The entire risk as to the quality and performance of the Covered Software
|
||||||
|
is with You. Should any Covered Software prove defective in any respect,
|
||||||
|
You (not any Contributor) assume the cost of any necessary servicing,
|
||||||
|
repair, or correction. This disclaimer of warranty constitutes an essential
|
||||||
|
part of this License. No use of any Covered Software is authorized under
|
||||||
|
this License except under this disclaimer.
|
||||||
|
|
||||||
|
7. Limitation of Liability
|
||||||
|
|
||||||
|
Under no circumstances and under no legal theory, whether tort (including
|
||||||
|
negligence), contract, or otherwise, shall any Contributor, or anyone who
|
||||||
|
distributes Covered Software as permitted above, be liable to You for any
|
||||||
|
direct, indirect, special, incidental, or consequential damages of any
|
||||||
|
character including, without limitation, damages for lost profits, loss of
|
||||||
|
goodwill, work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses, even if such party shall have been
|
||||||
|
informed of the possibility of such damages. This limitation of liability
|
||||||
|
shall not apply to liability for death or personal injury resulting from
|
||||||
|
such party's negligence to the extent applicable law prohibits such
|
||||||
|
limitation. Some jurisdictions do not allow the exclusion or limitation of
|
||||||
|
incidental or consequential damages, so this exclusion and limitation may
|
||||||
|
not apply to You.
|
||||||
|
|
||||||
|
8. Litigation
|
||||||
|
|
||||||
|
Any litigation relating to this License may be brought only in the courts
|
||||||
|
of a jurisdiction where the defendant maintains its principal place of
|
||||||
|
business and such litigation shall be governed by laws of that
|
||||||
|
jurisdiction, without reference to its conflict-of-law provisions. Nothing
|
||||||
|
in this Section shall prevent a party's ability to bring cross-claims or
|
||||||
|
counter-claims.
|
||||||
|
|
||||||
|
9. Miscellaneous
|
||||||
|
|
||||||
|
This License represents the complete agreement concerning the subject
|
||||||
|
matter hereof. If any provision of this License is held to be
|
||||||
|
unenforceable, such provision shall be reformed only to the extent
|
||||||
|
necessary to make it enforceable. Any law or regulation which provides that
|
||||||
|
the language of a contract shall be construed against the drafter shall not
|
||||||
|
be used to construe this License against a Contributor.
|
||||||
|
|
||||||
|
|
||||||
|
10. Versions of the License
|
||||||
|
|
||||||
|
10.1. New Versions
|
||||||
|
|
||||||
|
Mozilla Foundation is the license steward. Except as provided in Section
|
||||||
|
10.3, no one other than the license steward has the right to modify or
|
||||||
|
publish new versions of this License. Each version will be given a
|
||||||
|
distinguishing version number.
|
||||||
|
|
||||||
|
10.2. Effect of New Versions
|
||||||
|
|
||||||
|
You may distribute the Covered Software under the terms of the version
|
||||||
|
of the License under which You originally received the Covered Software,
|
||||||
|
or under the terms of any subsequent version published by the license
|
||||||
|
steward.
|
||||||
|
|
||||||
|
10.3. Modified Versions
|
||||||
|
|
||||||
|
If you create software not governed by this License, and you want to
|
||||||
|
create a new license for such software, you may create and use a
|
||||||
|
modified version of this License if you rename the license and remove
|
||||||
|
any references to the name of the license steward (except to note that
|
||||||
|
such modified license differs from this License).
|
||||||
|
|
||||||
|
10.4. Distributing Source Code Form that is Incompatible With Secondary
|
||||||
|
Licenses If You choose to distribute Source Code Form that is
|
||||||
|
Incompatible With Secondary Licenses under the terms of this version of
|
||||||
|
the License, the notice described in Exhibit B of this License must be
|
||||||
|
attached.
|
||||||
|
|
||||||
|
Exhibit A - Source Code Form License Notice
|
||||||
|
|
||||||
|
This Source Code Form is subject to the
|
||||||
|
terms of the Mozilla Public License, v.
|
||||||
|
2.0. If a copy of the MPL was not
|
||||||
|
distributed with this file, You can
|
||||||
|
obtain one at
|
||||||
|
http://mozilla.org/MPL/2.0/.
|
||||||
|
|
||||||
|
If it is not possible or desirable to put the notice in a particular file,
|
||||||
|
then You may include the notice in a location (such as a LICENSE file in a
|
||||||
|
relevant directory) where a recipient would be likely to look for such a
|
||||||
|
notice.
|
||||||
|
|
||||||
|
You may add additional accurate notices of copyright ownership.
|
||||||
|
|
||||||
|
Exhibit B - "Incompatible With Secondary Licenses" Notice
|
||||||
|
|
||||||
|
This Source Code Form is "Incompatible
|
||||||
|
With Secondary Licenses", as defined by
|
||||||
|
the Mozilla Public License, v. 2.0.
|
||||||
|
|
8
vendor/github.com/hashicorp/go-uuid/README.md
generated
vendored
Normal file
8
vendor/github.com/hashicorp/go-uuid/README.md
generated
vendored
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
# uuid [![Build Status](https://travis-ci.org/hashicorp/go-uuid.svg?branch=master)](https://travis-ci.org/hashicorp/go-uuid)
|
||||||
|
|
||||||
|
Generates UUID-format strings using high quality, _purely random_ bytes. It is **not** intended to be RFC compliant, merely to use a well-understood string representation of a 128-bit value. It can also parse UUID-format strings into their component bytes.
|
||||||
|
|
||||||
|
Documentation
|
||||||
|
=============
|
||||||
|
|
||||||
|
The full documentation is available on [Godoc](http://godoc.org/github.com/hashicorp/go-uuid).
|
1
vendor/github.com/hashicorp/go-uuid/go.mod
generated
vendored
Normal file
1
vendor/github.com/hashicorp/go-uuid/go.mod
generated
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
module github.com/hashicorp/go-uuid
|
83
vendor/github.com/hashicorp/go-uuid/uuid.go
generated
vendored
Normal file
83
vendor/github.com/hashicorp/go-uuid/uuid.go
generated
vendored
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
package uuid
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
"encoding/hex"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
)
|
||||||
|
|
||||||
|
// GenerateRandomBytes is used to generate random bytes of given size.
|
||||||
|
func GenerateRandomBytes(size int) ([]byte, error) {
|
||||||
|
return GenerateRandomBytesWithReader(size, rand.Reader)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateRandomBytesWithReader is used to generate random bytes of given size read from a given reader.
|
||||||
|
func GenerateRandomBytesWithReader(size int, reader io.Reader) ([]byte, error) {
|
||||||
|
if reader == nil {
|
||||||
|
return nil, fmt.Errorf("provided reader is nil")
|
||||||
|
}
|
||||||
|
buf := make([]byte, size)
|
||||||
|
if _, err := io.ReadFull(reader, buf); err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to read random bytes: %v", err)
|
||||||
|
}
|
||||||
|
return buf, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
const uuidLen = 16
|
||||||
|
|
||||||
|
// GenerateUUID is used to generate a random UUID
|
||||||
|
func GenerateUUID() (string, error) {
|
||||||
|
return GenerateUUIDWithReader(rand.Reader)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GenerateUUIDWithReader is used to generate a random UUID with a given Reader
|
||||||
|
func GenerateUUIDWithReader(reader io.Reader) (string, error) {
|
||||||
|
if reader == nil {
|
||||||
|
return "", fmt.Errorf("provided reader is nil")
|
||||||
|
}
|
||||||
|
buf, err := GenerateRandomBytesWithReader(uuidLen, reader)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return FormatUUID(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
func FormatUUID(buf []byte) (string, error) {
|
||||||
|
if buflen := len(buf); buflen != uuidLen {
|
||||||
|
return "", fmt.Errorf("wrong length byte slice (%d)", buflen)
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Sprintf("%x-%x-%x-%x-%x",
|
||||||
|
buf[0:4],
|
||||||
|
buf[4:6],
|
||||||
|
buf[6:8],
|
||||||
|
buf[8:10],
|
||||||
|
buf[10:16]), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func ParseUUID(uuid string) ([]byte, error) {
|
||||||
|
if len(uuid) != 2 * uuidLen + 4 {
|
||||||
|
return nil, fmt.Errorf("uuid string is wrong length")
|
||||||
|
}
|
||||||
|
|
||||||
|
if uuid[8] != '-' ||
|
||||||
|
uuid[13] != '-' ||
|
||||||
|
uuid[18] != '-' ||
|
||||||
|
uuid[23] != '-' {
|
||||||
|
return nil, fmt.Errorf("uuid is improperly formatted")
|
||||||
|
}
|
||||||
|
|
||||||
|
hexStr := uuid[0:8] + uuid[9:13] + uuid[14:18] + uuid[19:23] + uuid[24:36]
|
||||||
|
|
||||||
|
ret, err := hex.DecodeString(hexStr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if len(ret) != uuidLen {
|
||||||
|
return nil, fmt.Errorf("decoded hex is the wrong length")
|
||||||
|
}
|
||||||
|
|
||||||
|
return ret, nil
|
||||||
|
}
|
201
vendor/github.com/jcmturner/aescts/v2/LICENSE
generated
vendored
Normal file
201
vendor/github.com/jcmturner/aescts/v2/LICENSE
generated
vendored
Normal file
@ -0,0 +1,201 @@
|
|||||||
|
Apache License
|
||||||
|
Version 2.0, January 2004
|
||||||
|
http://www.apache.org/licenses/
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||||
|
|
||||||
|
1. Definitions.
|
||||||
|
|
||||||
|
"License" shall mean the terms and conditions for use, reproduction,
|
||||||
|
and distribution as defined by Sections 1 through 9 of this document.
|
||||||
|
|
||||||
|
"Licensor" shall mean the copyright owner or entity authorized by
|
||||||
|
the copyright owner that is granting the License.
|
||||||
|
|
||||||
|
"Legal Entity" shall mean the union of the acting entity and all
|
||||||
|
other entities that control, are controlled by, or are under common
|
||||||
|
control with that entity. For the purposes of this definition,
|
||||||
|
"control" means (i) the power, direct or indirect, to cause the
|
||||||
|
direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||||
|
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||||
|
|
||||||
|
"You" (or "Your") shall mean an individual or Legal Entity
|
||||||
|
exercising permissions granted by this License.
|
||||||
|
|
||||||
|
"Source" form shall mean the preferred form for making modifications,
|
||||||
|
including but not limited to software source code, documentation
|
||||||
|
source, and configuration files.
|
||||||
|
|
||||||
|
"Object" form shall mean any form resulting from mechanical
|
||||||
|
transformation or translation of a Source form, including but
|
||||||
|
not limited to compiled object code, generated documentation,
|
||||||
|
and conversions to other media types.
|
||||||
|
|
||||||
|
"Work" shall mean the work of authorship, whether in Source or
|
||||||
|
Object form, made available under the License, as indicated by a
|
||||||
|
copyright notice that is included in or attached to the work
|
||||||
|
(an example is provided in the Appendix below).
|
||||||
|
|
||||||
|
"Derivative Works" shall mean any work, whether in Source or Object
|
||||||
|
form, that is based on (or derived from) the Work and for which the
|
||||||
|
editorial revisions, annotations, elaborations, or other modifications
|
||||||
|
represent, as a whole, an original work of authorship. For the purposes
|
||||||
|
of this License, Derivative Works shall not include works that remain
|
||||||
|
separable from, or merely link (or bind by name) to the interfaces of,
|
||||||
|
the Work and Derivative Works thereof.
|
||||||
|
|
||||||
|
"Contribution" shall mean any work of authorship, including
|
||||||
|
the original version of the Work and any modifications or additions
|
||||||
|
to that Work or Derivative Works thereof, that is intentionally
|
||||||
|
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||||
|
or by an individual or Legal Entity authorized to submit on behalf of
|
||||||
|
the copyright owner. For the purposes of this definition, "submitted"
|
||||||
|
means any form of electronic, verbal, or written communication sent
|
||||||
|
to the Licensor or its representatives, including but not limited to
|
||||||
|
communication on electronic mailing lists, source code control systems,
|
||||||
|
and issue tracking systems that are managed by, or on behalf of, the
|
||||||
|
Licensor for the purpose of discussing and improving the Work, but
|
||||||
|
excluding communication that is conspicuously marked or otherwise
|
||||||
|
designated in writing by the copyright owner as "Not a Contribution."
|
||||||
|
|
||||||
|
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||||
|
on behalf of whom a Contribution has been received by Licensor and
|
||||||
|
subsequently incorporated within the Work.
|
||||||
|
|
||||||
|
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
copyright license to reproduce, prepare Derivative Works of,
|
||||||
|
publicly display, publicly perform, sublicense, and distribute the
|
||||||
|
Work and such Derivative Works in Source or Object form.
|
||||||
|
|
||||||
|
3. Grant of Patent License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
(except as stated in this section) patent license to make, have made,
|
||||||
|
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||||
|
where such license applies only to those patent claims licensable
|
||||||
|
by such Contributor that are necessarily infringed by their
|
||||||
|
Contribution(s) alone or by combination of their Contribution(s)
|
||||||
|
with the Work to which such Contribution(s) was submitted. If You
|
||||||
|
institute patent litigation against any entity (including a
|
||||||
|
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||||
|
or a Contribution incorporated within the Work constitutes direct
|
||||||
|
or contributory patent infringement, then any patent licenses
|
||||||
|
granted to You under this License for that Work shall terminate
|
||||||
|
as of the date such litigation is filed.
|
||||||
|
|
||||||
|
4. Redistribution. You may reproduce and distribute copies of the
|
||||||
|
Work or Derivative Works thereof in any medium, with or without
|
||||||
|
modifications, and in Source or Object form, provided that You
|
||||||
|
meet the following conditions:
|
||||||
|
|
||||||
|
(a) You must give any other recipients of the Work or
|
||||||
|
Derivative Works a copy of this License; and
|
||||||
|
|
||||||
|
(b) You must cause any modified files to carry prominent notices
|
||||||
|
stating that You changed the files; and
|
||||||
|
|
||||||
|
(c) You must retain, in the Source form of any Derivative Works
|
||||||
|
that You distribute, all copyright, patent, trademark, and
|
||||||
|
attribution notices from the Source form of the Work,
|
||||||
|
excluding those notices that do not pertain to any part of
|
||||||
|
the Derivative Works; and
|
||||||
|
|
||||||
|
(d) If the Work includes a "NOTICE" text file as part of its
|
||||||
|
distribution, then any Derivative Works that You distribute must
|
||||||
|
include a readable copy of the attribution notices contained
|
||||||
|
within such NOTICE file, excluding those notices that do not
|
||||||
|
pertain to any part of the Derivative Works, in at least one
|
||||||
|
of the following places: within a NOTICE text file distributed
|
||||||
|
as part of the Derivative Works; within the Source form or
|
||||||
|
documentation, if provided along with the Derivative Works; or,
|
||||||
|
within a display generated by the Derivative Works, if and
|
||||||
|
wherever such third-party notices normally appear. The contents
|
||||||
|
of the NOTICE file are for informational purposes only and
|
||||||
|
do not modify the License. You may add Your own attribution
|
||||||
|
notices within Derivative Works that You distribute, alongside
|
||||||
|
or as an addendum to the NOTICE text from the Work, provided
|
||||||
|
that such additional attribution notices cannot be construed
|
||||||
|
as modifying the License.
|
||||||
|
|
||||||
|
You may add Your own copyright statement to Your modifications and
|
||||||
|
may provide additional or different license terms and conditions
|
||||||
|
for use, reproduction, or distribution of Your modifications, or
|
||||||
|
for any such Derivative Works as a whole, provided Your use,
|
||||||
|
reproduction, and distribution of the Work otherwise complies with
|
||||||
|
the conditions stated in this License.
|
||||||
|
|
||||||
|
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||||
|
any Contribution intentionally submitted for inclusion in the Work
|
||||||
|
by You to the Licensor shall be under the terms and conditions of
|
||||||
|
this License, without any additional terms or conditions.
|
||||||
|
Notwithstanding the above, nothing herein shall supersede or modify
|
||||||
|
the terms of any separate license agreement you may have executed
|
||||||
|
with Licensor regarding such Contributions.
|
||||||
|
|
||||||
|
6. Trademarks. This License does not grant permission to use the trade
|
||||||
|
names, trademarks, service marks, or product names of the Licensor,
|
||||||
|
except as required for reasonable and customary use in describing the
|
||||||
|
origin of the Work and reproducing the content of the NOTICE file.
|
||||||
|
|
||||||
|
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||||
|
agreed to in writing, Licensor provides the Work (and each
|
||||||
|
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
implied, including, without limitation, any warranties or conditions
|
||||||
|
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||||
|
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||||
|
appropriateness of using or redistributing the Work and assume any
|
||||||
|
risks associated with Your exercise of permissions under this License.
|
||||||
|
|
||||||
|
8. Limitation of Liability. In no event and under no legal theory,
|
||||||
|
whether in tort (including negligence), contract, or otherwise,
|
||||||
|
unless required by applicable law (such as deliberate and grossly
|
||||||
|
negligent acts) or agreed to in writing, shall any Contributor be
|
||||||
|
liable to You for damages, including any direct, indirect, special,
|
||||||
|
incidental, or consequential damages of any character arising as a
|
||||||
|
result of this License or out of the use or inability to use the
|
||||||
|
Work (including but not limited to damages for loss of goodwill,
|
||||||
|
work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses), even if such Contributor
|
||||||
|
has been advised of the possibility of such damages.
|
||||||
|
|
||||||
|
9. Accepting Warranty or Additional Liability. While redistributing
|
||||||
|
the Work or Derivative Works thereof, You may choose to offer,
|
||||||
|
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||||
|
or other liability obligations and/or rights consistent with this
|
||||||
|
License. However, in accepting such obligations, You may act only
|
||||||
|
on Your own behalf and on Your sole responsibility, not on behalf
|
||||||
|
of any other Contributor, and only if You agree to indemnify,
|
||||||
|
defend, and hold each Contributor harmless for any liability
|
||||||
|
incurred by, or claims asserted against, such Contributor by reason
|
||||||
|
of your accepting any such warranty or additional liability.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
APPENDIX: How to apply the Apache License to your work.
|
||||||
|
|
||||||
|
To apply the Apache License to your work, attach the following
|
||||||
|
boilerplate notice, with the fields enclosed by brackets "{}"
|
||||||
|
replaced with your own identifying information. (Don't include
|
||||||
|
the brackets!) The text should be enclosed in the appropriate
|
||||||
|
comment syntax for the file format. We also recommend that a
|
||||||
|
file or class name and description of purpose be included on the
|
||||||
|
same "printed page" as the copyright notice for easier
|
||||||
|
identification within third-party archives.
|
||||||
|
|
||||||
|
Copyright {yyyy} {name of copyright owner}
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
186
vendor/github.com/jcmturner/aescts/v2/aescts.go
generated
vendored
Normal file
186
vendor/github.com/jcmturner/aescts/v2/aescts.go
generated
vendored
Normal file
@ -0,0 +1,186 @@
|
|||||||
|
// Package aescts provides AES CBC CipherText Stealing encryption and decryption methods
|
||||||
|
package aescts
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/cipher"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Encrypt the message with the key and the initial vector.
|
||||||
|
// Returns: next iv, ciphertext bytes, error
|
||||||
|
func Encrypt(key, iv, plaintext []byte) ([]byte, []byte, error) {
|
||||||
|
l := len(plaintext)
|
||||||
|
|
||||||
|
block, err := aes.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("error creating cipher: %v", err)
|
||||||
|
}
|
||||||
|
mode := cipher.NewCBCEncrypter(block, iv)
|
||||||
|
|
||||||
|
m := make([]byte, len(plaintext))
|
||||||
|
copy(m, plaintext)
|
||||||
|
|
||||||
|
/*For consistency, ciphertext stealing is always used for the last two
|
||||||
|
blocks of the data to be encrypted, as in [RC5]. If the data length
|
||||||
|
is a multiple of the block size, this is equivalent to plain CBC mode
|
||||||
|
with the last two ciphertext blocks swapped.*/
|
||||||
|
/*The initial vector carried out from one encryption for use in a
|
||||||
|
subsequent encryption is the next-to-last block of the encryption
|
||||||
|
output; this is the encrypted form of the last plaintext block.*/
|
||||||
|
if l <= aes.BlockSize {
|
||||||
|
m, _ = zeroPad(m, aes.BlockSize)
|
||||||
|
mode.CryptBlocks(m, m)
|
||||||
|
return m, m, nil
|
||||||
|
}
|
||||||
|
if l%aes.BlockSize == 0 {
|
||||||
|
mode.CryptBlocks(m, m)
|
||||||
|
iv = m[len(m)-aes.BlockSize:]
|
||||||
|
rb, _ := swapLastTwoBlocks(m, aes.BlockSize)
|
||||||
|
return iv, rb, nil
|
||||||
|
}
|
||||||
|
m, _ = zeroPad(m, aes.BlockSize)
|
||||||
|
rb, pb, lb, err := tailBlocks(m, aes.BlockSize)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("error tailing blocks: %v", err)
|
||||||
|
}
|
||||||
|
var ct []byte
|
||||||
|
if rb != nil {
|
||||||
|
// Encrpt all but the lats 2 blocks and update the rolling iv
|
||||||
|
mode.CryptBlocks(rb, rb)
|
||||||
|
iv = rb[len(rb)-aes.BlockSize:]
|
||||||
|
mode = cipher.NewCBCEncrypter(block, iv)
|
||||||
|
ct = append(ct, rb...)
|
||||||
|
}
|
||||||
|
mode.CryptBlocks(pb, pb)
|
||||||
|
mode = cipher.NewCBCEncrypter(block, pb)
|
||||||
|
mode.CryptBlocks(lb, lb)
|
||||||
|
// Cipher Text Stealing (CTS) - Ref: https://en.wikipedia.org/wiki/Ciphertext_stealing#CBC_ciphertext_stealing
|
||||||
|
// Swap the last two cipher blocks
|
||||||
|
// Truncate the ciphertext to the length of the original plaintext
|
||||||
|
ct = append(ct, lb...)
|
||||||
|
ct = append(ct, pb...)
|
||||||
|
return lb, ct[:l], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt the ciphertext with the key and the initial vector.
|
||||||
|
func Decrypt(key, iv, ciphertext []byte) ([]byte, error) {
|
||||||
|
// Copy the cipher text as golang slices even when passed by value to this method can result in the backing arrays of the calling code value being updated.
|
||||||
|
ct := make([]byte, len(ciphertext))
|
||||||
|
copy(ct, ciphertext)
|
||||||
|
if len(ct) < aes.BlockSize {
|
||||||
|
return []byte{}, fmt.Errorf("ciphertext is not large enough. It is less that one block size. Blocksize:%v; Ciphertext:%v", aes.BlockSize, len(ct))
|
||||||
|
}
|
||||||
|
// Configure the CBC
|
||||||
|
block, err := aes.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error creating cipher: %v", err)
|
||||||
|
}
|
||||||
|
var mode cipher.BlockMode
|
||||||
|
|
||||||
|
//If ciphertext is multiple of blocksize we just need to swap back the last two blocks and then do CBC
|
||||||
|
//If the ciphertext is just one block we can't swap so we just decrypt
|
||||||
|
if len(ct)%aes.BlockSize == 0 {
|
||||||
|
if len(ct) > aes.BlockSize {
|
||||||
|
ct, _ = swapLastTwoBlocks(ct, aes.BlockSize)
|
||||||
|
}
|
||||||
|
mode = cipher.NewCBCDecrypter(block, iv)
|
||||||
|
message := make([]byte, len(ct))
|
||||||
|
mode.CryptBlocks(message, ct)
|
||||||
|
return message[:len(ct)], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Cipher Text Stealing (CTS) using CBC interface. Ref: https://en.wikipedia.org/wiki/Ciphertext_stealing#CBC_ciphertext_stealing
|
||||||
|
// Get ciphertext of the 2nd to last (penultimate) block (cpb), the last block (clb) and the rest (crb)
|
||||||
|
crb, cpb, clb, _ := tailBlocks(ct, aes.BlockSize)
|
||||||
|
v := make([]byte, len(iv), len(iv))
|
||||||
|
copy(v, iv)
|
||||||
|
var message []byte
|
||||||
|
if crb != nil {
|
||||||
|
//If there is more than just the last and the penultimate block we decrypt it and the last bloc of this becomes the iv for later
|
||||||
|
rb := make([]byte, len(crb))
|
||||||
|
mode = cipher.NewCBCDecrypter(block, v)
|
||||||
|
v = crb[len(crb)-aes.BlockSize:]
|
||||||
|
mode.CryptBlocks(rb, crb)
|
||||||
|
message = append(message, rb...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// We need to modify the cipher text
|
||||||
|
// Decryt the 2nd to last (penultimate) block with a the original iv
|
||||||
|
pb := make([]byte, aes.BlockSize)
|
||||||
|
mode = cipher.NewCBCDecrypter(block, iv)
|
||||||
|
mode.CryptBlocks(pb, cpb)
|
||||||
|
// number of byte needed to pad
|
||||||
|
npb := aes.BlockSize - len(ct)%aes.BlockSize
|
||||||
|
//pad last block using the number of bytes needed from the tail of the plaintext 2nd to last (penultimate) block
|
||||||
|
clb = append(clb, pb[len(pb)-npb:]...)
|
||||||
|
|
||||||
|
// Now decrypt the last block in the penultimate position (iv will be from the crb, if the is no crb it's zeros)
|
||||||
|
// iv for the penultimate block decrypted in the last position becomes the modified last block
|
||||||
|
lb := make([]byte, aes.BlockSize)
|
||||||
|
mode = cipher.NewCBCDecrypter(block, v)
|
||||||
|
v = clb
|
||||||
|
mode.CryptBlocks(lb, clb)
|
||||||
|
message = append(message, lb...)
|
||||||
|
|
||||||
|
// Now decrypt the penultimate block in the last position (iv will be from the modified last block)
|
||||||
|
mode = cipher.NewCBCDecrypter(block, v)
|
||||||
|
mode.CryptBlocks(cpb, cpb)
|
||||||
|
message = append(message, cpb...)
|
||||||
|
|
||||||
|
// Truncate to the size of the original cipher text
|
||||||
|
return message[:len(ct)], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func tailBlocks(b []byte, c int) ([]byte, []byte, []byte, error) {
|
||||||
|
if len(b) <= c {
|
||||||
|
return []byte{}, []byte{}, []byte{}, errors.New("bytes slice is not larger than one block so cannot tail")
|
||||||
|
}
|
||||||
|
// Get size of last block
|
||||||
|
var lbs int
|
||||||
|
if l := len(b) % aes.BlockSize; l == 0 {
|
||||||
|
lbs = aes.BlockSize
|
||||||
|
} else {
|
||||||
|
lbs = l
|
||||||
|
}
|
||||||
|
// Get last block
|
||||||
|
lb := b[len(b)-lbs:]
|
||||||
|
// Get 2nd to last (penultimate) block
|
||||||
|
pb := b[len(b)-lbs-c : len(b)-lbs]
|
||||||
|
if len(b) > 2*c {
|
||||||
|
rb := b[:len(b)-lbs-c]
|
||||||
|
return rb, pb, lb, nil
|
||||||
|
}
|
||||||
|
return nil, pb, lb, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func swapLastTwoBlocks(b []byte, c int) ([]byte, error) {
|
||||||
|
rb, pb, lb, err := tailBlocks(b, c)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
var out []byte
|
||||||
|
if rb != nil {
|
||||||
|
out = append(out, rb...)
|
||||||
|
}
|
||||||
|
out = append(out, lb...)
|
||||||
|
out = append(out, pb...)
|
||||||
|
return out, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// zeroPad pads bytes with zeros to nearest multiple of message size m.
|
||||||
|
func zeroPad(b []byte, m int) ([]byte, error) {
|
||||||
|
if m <= 0 {
|
||||||
|
return nil, errors.New("invalid message block size when padding")
|
||||||
|
}
|
||||||
|
if b == nil || len(b) == 0 {
|
||||||
|
return nil, errors.New("data not valid to pad: Zero size")
|
||||||
|
}
|
||||||
|
if l := len(b) % m; l != 0 {
|
||||||
|
n := m - l
|
||||||
|
z := make([]byte, n)
|
||||||
|
b = append(b, z...)
|
||||||
|
}
|
||||||
|
return b, nil
|
||||||
|
}
|
5
vendor/github.com/jcmturner/aescts/v2/go.mod
generated
vendored
Normal file
5
vendor/github.com/jcmturner/aescts/v2/go.mod
generated
vendored
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
module github.com/jcmturner/aescts/v2
|
||||||
|
|
||||||
|
go 1.13
|
||||||
|
|
||||||
|
require github.com/stretchr/testify v1.4.0
|
10
vendor/github.com/jcmturner/aescts/v2/go.sum
generated
vendored
Normal file
10
vendor/github.com/jcmturner/aescts/v2/go.sum
generated
vendored
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
|
||||||
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||||
|
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||||
|
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
|
||||||
|
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
|
||||||
|
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
201
vendor/github.com/jcmturner/dnsutils/v2/LICENSE
generated
vendored
Normal file
201
vendor/github.com/jcmturner/dnsutils/v2/LICENSE
generated
vendored
Normal file
@ -0,0 +1,201 @@
|
|||||||
|
Apache License
|
||||||
|
Version 2.0, January 2004
|
||||||
|
http://www.apache.org/licenses/
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||||
|
|
||||||
|
1. Definitions.
|
||||||
|
|
||||||
|
"License" shall mean the terms and conditions for use, reproduction,
|
||||||
|
and distribution as defined by Sections 1 through 9 of this document.
|
||||||
|
|
||||||
|
"Licensor" shall mean the copyright owner or entity authorized by
|
||||||
|
the copyright owner that is granting the License.
|
||||||
|
|
||||||
|
"Legal Entity" shall mean the union of the acting entity and all
|
||||||
|
other entities that control, are controlled by, or are under common
|
||||||
|
control with that entity. For the purposes of this definition,
|
||||||
|
"control" means (i) the power, direct or indirect, to cause the
|
||||||
|
direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||||
|
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||||
|
|
||||||
|
"You" (or "Your") shall mean an individual or Legal Entity
|
||||||
|
exercising permissions granted by this License.
|
||||||
|
|
||||||
|
"Source" form shall mean the preferred form for making modifications,
|
||||||
|
including but not limited to software source code, documentation
|
||||||
|
source, and configuration files.
|
||||||
|
|
||||||
|
"Object" form shall mean any form resulting from mechanical
|
||||||
|
transformation or translation of a Source form, including but
|
||||||
|
not limited to compiled object code, generated documentation,
|
||||||
|
and conversions to other media types.
|
||||||
|
|
||||||
|
"Work" shall mean the work of authorship, whether in Source or
|
||||||
|
Object form, made available under the License, as indicated by a
|
||||||
|
copyright notice that is included in or attached to the work
|
||||||
|
(an example is provided in the Appendix below).
|
||||||
|
|
||||||
|
"Derivative Works" shall mean any work, whether in Source or Object
|
||||||
|
form, that is based on (or derived from) the Work and for which the
|
||||||
|
editorial revisions, annotations, elaborations, or other modifications
|
||||||
|
represent, as a whole, an original work of authorship. For the purposes
|
||||||
|
of this License, Derivative Works shall not include works that remain
|
||||||
|
separable from, or merely link (or bind by name) to the interfaces of,
|
||||||
|
the Work and Derivative Works thereof.
|
||||||
|
|
||||||
|
"Contribution" shall mean any work of authorship, including
|
||||||
|
the original version of the Work and any modifications or additions
|
||||||
|
to that Work or Derivative Works thereof, that is intentionally
|
||||||
|
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||||
|
or by an individual or Legal Entity authorized to submit on behalf of
|
||||||
|
the copyright owner. For the purposes of this definition, "submitted"
|
||||||
|
means any form of electronic, verbal, or written communication sent
|
||||||
|
to the Licensor or its representatives, including but not limited to
|
||||||
|
communication on electronic mailing lists, source code control systems,
|
||||||
|
and issue tracking systems that are managed by, or on behalf of, the
|
||||||
|
Licensor for the purpose of discussing and improving the Work, but
|
||||||
|
excluding communication that is conspicuously marked or otherwise
|
||||||
|
designated in writing by the copyright owner as "Not a Contribution."
|
||||||
|
|
||||||
|
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||||
|
on behalf of whom a Contribution has been received by Licensor and
|
||||||
|
subsequently incorporated within the Work.
|
||||||
|
|
||||||
|
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
copyright license to reproduce, prepare Derivative Works of,
|
||||||
|
publicly display, publicly perform, sublicense, and distribute the
|
||||||
|
Work and such Derivative Works in Source or Object form.
|
||||||
|
|
||||||
|
3. Grant of Patent License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
(except as stated in this section) patent license to make, have made,
|
||||||
|
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||||
|
where such license applies only to those patent claims licensable
|
||||||
|
by such Contributor that are necessarily infringed by their
|
||||||
|
Contribution(s) alone or by combination of their Contribution(s)
|
||||||
|
with the Work to which such Contribution(s) was submitted. If You
|
||||||
|
institute patent litigation against any entity (including a
|
||||||
|
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||||
|
or a Contribution incorporated within the Work constitutes direct
|
||||||
|
or contributory patent infringement, then any patent licenses
|
||||||
|
granted to You under this License for that Work shall terminate
|
||||||
|
as of the date such litigation is filed.
|
||||||
|
|
||||||
|
4. Redistribution. You may reproduce and distribute copies of the
|
||||||
|
Work or Derivative Works thereof in any medium, with or without
|
||||||
|
modifications, and in Source or Object form, provided that You
|
||||||
|
meet the following conditions:
|
||||||
|
|
||||||
|
(a) You must give any other recipients of the Work or
|
||||||
|
Derivative Works a copy of this License; and
|
||||||
|
|
||||||
|
(b) You must cause any modified files to carry prominent notices
|
||||||
|
stating that You changed the files; and
|
||||||
|
|
||||||
|
(c) You must retain, in the Source form of any Derivative Works
|
||||||
|
that You distribute, all copyright, patent, trademark, and
|
||||||
|
attribution notices from the Source form of the Work,
|
||||||
|
excluding those notices that do not pertain to any part of
|
||||||
|
the Derivative Works; and
|
||||||
|
|
||||||
|
(d) If the Work includes a "NOTICE" text file as part of its
|
||||||
|
distribution, then any Derivative Works that You distribute must
|
||||||
|
include a readable copy of the attribution notices contained
|
||||||
|
within such NOTICE file, excluding those notices that do not
|
||||||
|
pertain to any part of the Derivative Works, in at least one
|
||||||
|
of the following places: within a NOTICE text file distributed
|
||||||
|
as part of the Derivative Works; within the Source form or
|
||||||
|
documentation, if provided along with the Derivative Works; or,
|
||||||
|
within a display generated by the Derivative Works, if and
|
||||||
|
wherever such third-party notices normally appear. The contents
|
||||||
|
of the NOTICE file are for informational purposes only and
|
||||||
|
do not modify the License. You may add Your own attribution
|
||||||
|
notices within Derivative Works that You distribute, alongside
|
||||||
|
or as an addendum to the NOTICE text from the Work, provided
|
||||||
|
that such additional attribution notices cannot be construed
|
||||||
|
as modifying the License.
|
||||||
|
|
||||||
|
You may add Your own copyright statement to Your modifications and
|
||||||
|
may provide additional or different license terms and conditions
|
||||||
|
for use, reproduction, or distribution of Your modifications, or
|
||||||
|
for any such Derivative Works as a whole, provided Your use,
|
||||||
|
reproduction, and distribution of the Work otherwise complies with
|
||||||
|
the conditions stated in this License.
|
||||||
|
|
||||||
|
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||||
|
any Contribution intentionally submitted for inclusion in the Work
|
||||||
|
by You to the Licensor shall be under the terms and conditions of
|
||||||
|
this License, without any additional terms or conditions.
|
||||||
|
Notwithstanding the above, nothing herein shall supersede or modify
|
||||||
|
the terms of any separate license agreement you may have executed
|
||||||
|
with Licensor regarding such Contributions.
|
||||||
|
|
||||||
|
6. Trademarks. This License does not grant permission to use the trade
|
||||||
|
names, trademarks, service marks, or product names of the Licensor,
|
||||||
|
except as required for reasonable and customary use in describing the
|
||||||
|
origin of the Work and reproducing the content of the NOTICE file.
|
||||||
|
|
||||||
|
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||||
|
agreed to in writing, Licensor provides the Work (and each
|
||||||
|
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
implied, including, without limitation, any warranties or conditions
|
||||||
|
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||||
|
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||||
|
appropriateness of using or redistributing the Work and assume any
|
||||||
|
risks associated with Your exercise of permissions under this License.
|
||||||
|
|
||||||
|
8. Limitation of Liability. In no event and under no legal theory,
|
||||||
|
whether in tort (including negligence), contract, or otherwise,
|
||||||
|
unless required by applicable law (such as deliberate and grossly
|
||||||
|
negligent acts) or agreed to in writing, shall any Contributor be
|
||||||
|
liable to You for damages, including any direct, indirect, special,
|
||||||
|
incidental, or consequential damages of any character arising as a
|
||||||
|
result of this License or out of the use or inability to use the
|
||||||
|
Work (including but not limited to damages for loss of goodwill,
|
||||||
|
work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses), even if such Contributor
|
||||||
|
has been advised of the possibility of such damages.
|
||||||
|
|
||||||
|
9. Accepting Warranty or Additional Liability. While redistributing
|
||||||
|
the Work or Derivative Works thereof, You may choose to offer,
|
||||||
|
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||||
|
or other liability obligations and/or rights consistent with this
|
||||||
|
License. However, in accepting such obligations, You may act only
|
||||||
|
on Your own behalf and on Your sole responsibility, not on behalf
|
||||||
|
of any other Contributor, and only if You agree to indemnify,
|
||||||
|
defend, and hold each Contributor harmless for any liability
|
||||||
|
incurred by, or claims asserted against, such Contributor by reason
|
||||||
|
of your accepting any such warranty or additional liability.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
APPENDIX: How to apply the Apache License to your work.
|
||||||
|
|
||||||
|
To apply the Apache License to your work, attach the following
|
||||||
|
boilerplate notice, with the fields enclosed by brackets "[]"
|
||||||
|
replaced with your own identifying information. (Don't include
|
||||||
|
the brackets!) The text should be enclosed in the appropriate
|
||||||
|
comment syntax for the file format. We also recommend that a
|
||||||
|
file or class name and description of purpose be included on the
|
||||||
|
same "printed page" as the copyright notice for easier
|
||||||
|
identification within third-party archives.
|
||||||
|
|
||||||
|
Copyright [yyyy] [name of copyright owner]
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
5
vendor/github.com/jcmturner/dnsutils/v2/go.mod
generated
vendored
Normal file
5
vendor/github.com/jcmturner/dnsutils/v2/go.mod
generated
vendored
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
module github.com/jcmturner/dnsutils/v2
|
||||||
|
|
||||||
|
go 1.13
|
||||||
|
|
||||||
|
require github.com/stretchr/testify v1.4.0
|
10
vendor/github.com/jcmturner/dnsutils/v2/go.sum
generated
vendored
Normal file
10
vendor/github.com/jcmturner/dnsutils/v2/go.sum
generated
vendored
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
|
||||||
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||||
|
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||||
|
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
|
||||||
|
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
|
||||||
|
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
95
vendor/github.com/jcmturner/dnsutils/v2/srv.go
generated
vendored
Normal file
95
vendor/github.com/jcmturner/dnsutils/v2/srv.go
generated
vendored
Normal file
@ -0,0 +1,95 @@
|
|||||||
|
package dnsutils
|
||||||
|
|
||||||
|
import (
|
||||||
|
"math/rand"
|
||||||
|
"net"
|
||||||
|
"sort"
|
||||||
|
)
|
||||||
|
|
||||||
|
// OrderedSRV returns a count of the results and a map keyed on the order they should be used.
|
||||||
|
// This based on the records' priority and randomised selection based on their relative weighting.
|
||||||
|
// The function's inputs are the same as those for net.LookupSRV
|
||||||
|
// To use in the correct order:
|
||||||
|
//
|
||||||
|
// count, orderedSRV, err := OrderedSRV(service, proto, name)
|
||||||
|
// i := 1
|
||||||
|
// for i <= count {
|
||||||
|
// srv := orderedSRV[i]
|
||||||
|
// // Do something such as dial this SRV. If fails move on the the next or break if it succeeds.
|
||||||
|
// i += 1
|
||||||
|
// }
|
||||||
|
func OrderedSRV(service, proto, name string) (int, map[int]*net.SRV, error) {
|
||||||
|
_, addrs, err := net.LookupSRV(service, proto, name)
|
||||||
|
if err != nil {
|
||||||
|
return 0, make(map[int]*net.SRV), err
|
||||||
|
}
|
||||||
|
index, osrv := orderSRV(addrs)
|
||||||
|
return index, osrv, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func orderSRV(addrs []*net.SRV) (int, map[int]*net.SRV) {
|
||||||
|
// Initialise the ordered map
|
||||||
|
var o int
|
||||||
|
osrv := make(map[int]*net.SRV)
|
||||||
|
|
||||||
|
prioMap := make(map[int][]*net.SRV, 0)
|
||||||
|
for _, srv := range addrs {
|
||||||
|
prioMap[int(srv.Priority)] = append(prioMap[int(srv.Priority)], srv)
|
||||||
|
}
|
||||||
|
|
||||||
|
priorities := make([]int, 0)
|
||||||
|
for p := range prioMap {
|
||||||
|
priorities = append(priorities, p)
|
||||||
|
}
|
||||||
|
|
||||||
|
var count int
|
||||||
|
sort.Ints(priorities)
|
||||||
|
for _, p := range priorities {
|
||||||
|
tos := weightedOrder(prioMap[p])
|
||||||
|
for i, s := range tos {
|
||||||
|
count += 1
|
||||||
|
osrv[o+i] = s
|
||||||
|
}
|
||||||
|
o += len(tos)
|
||||||
|
}
|
||||||
|
return count, osrv
|
||||||
|
}
|
||||||
|
|
||||||
|
func weightedOrder(srvs []*net.SRV) map[int]*net.SRV {
|
||||||
|
// Get the total weight
|
||||||
|
var tw int
|
||||||
|
for _, s := range srvs {
|
||||||
|
tw += int(s.Weight)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Initialise the ordered map
|
||||||
|
o := 1
|
||||||
|
osrv := make(map[int]*net.SRV)
|
||||||
|
|
||||||
|
// Whilst there are still entries to be ordered
|
||||||
|
l := len(srvs)
|
||||||
|
for l > 0 {
|
||||||
|
i := rand.Intn(l)
|
||||||
|
s := srvs[i]
|
||||||
|
var rw int
|
||||||
|
if tw > 0 {
|
||||||
|
// Greater the weight the more likely this will be zero or less
|
||||||
|
rw = rand.Intn(tw) - int(s.Weight)
|
||||||
|
}
|
||||||
|
if rw <= 0 {
|
||||||
|
// Put entry in position
|
||||||
|
osrv[o] = s
|
||||||
|
if len(srvs) > 1 {
|
||||||
|
// Remove the entry from the source slice by swapping with the last entry and truncating
|
||||||
|
srvs[len(srvs)-1], srvs[i] = srvs[i], srvs[len(srvs)-1]
|
||||||
|
srvs = srvs[:len(srvs)-1]
|
||||||
|
l = len(srvs)
|
||||||
|
} else {
|
||||||
|
l = 0
|
||||||
|
}
|
||||||
|
o += 1
|
||||||
|
tw = tw - int(s.Weight)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return osrv
|
||||||
|
}
|
27
vendor/github.com/jcmturner/gofork/LICENSE
generated
vendored
Normal file
27
vendor/github.com/jcmturner/gofork/LICENSE
generated
vendored
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
Copyright (c) 2009 The Go Authors. All rights reserved.
|
||||||
|
|
||||||
|
Redistribution and use in source and binary forms, with or without
|
||||||
|
modification, are permitted provided that the following conditions are
|
||||||
|
met:
|
||||||
|
|
||||||
|
* Redistributions of source code must retain the above copyright
|
||||||
|
notice, this list of conditions and the following disclaimer.
|
||||||
|
* Redistributions in binary form must reproduce the above
|
||||||
|
copyright notice, this list of conditions and the following disclaimer
|
||||||
|
in the documentation and/or other materials provided with the
|
||||||
|
distribution.
|
||||||
|
* Neither the name of Google Inc. nor the names of its
|
||||||
|
contributors may be used to endorse or promote products derived from
|
||||||
|
this software without specific prior written permission.
|
||||||
|
|
||||||
|
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||||
|
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||||
|
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
|
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
5
vendor/github.com/jcmturner/gofork/encoding/asn1/README.md
generated
vendored
Normal file
5
vendor/github.com/jcmturner/gofork/encoding/asn1/README.md
generated
vendored
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
This is a temporary repository that will be removed when the issues below are fixed in the core golang code.
|
||||||
|
|
||||||
|
## Issues
|
||||||
|
* [encoding/asn1: cannot marshal into a GeneralString](https://github.com/golang/go/issues/18832)
|
||||||
|
* [encoding/asn1: cannot marshal into slice of strings and pass stringtype parameter tags to members](https://github.com/golang/go/issues/18834)
|
1003
vendor/github.com/jcmturner/gofork/encoding/asn1/asn1.go
generated
vendored
Normal file
1003
vendor/github.com/jcmturner/gofork/encoding/asn1/asn1.go
generated
vendored
Normal file
File diff suppressed because it is too large
Load Diff
173
vendor/github.com/jcmturner/gofork/encoding/asn1/common.go
generated
vendored
Normal file
173
vendor/github.com/jcmturner/gofork/encoding/asn1/common.go
generated
vendored
Normal file
@ -0,0 +1,173 @@
|
|||||||
|
// Copyright 2009 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package asn1
|
||||||
|
|
||||||
|
import (
|
||||||
|
"reflect"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ASN.1 objects have metadata preceding them:
|
||||||
|
// the tag: the type of the object
|
||||||
|
// a flag denoting if this object is compound or not
|
||||||
|
// the class type: the namespace of the tag
|
||||||
|
// the length of the object, in bytes
|
||||||
|
|
||||||
|
// Here are some standard tags and classes
|
||||||
|
|
||||||
|
// ASN.1 tags represent the type of the following object.
|
||||||
|
const (
|
||||||
|
TagBoolean = 1
|
||||||
|
TagInteger = 2
|
||||||
|
TagBitString = 3
|
||||||
|
TagOctetString = 4
|
||||||
|
TagOID = 6
|
||||||
|
TagEnum = 10
|
||||||
|
TagUTF8String = 12
|
||||||
|
TagSequence = 16
|
||||||
|
TagSet = 17
|
||||||
|
TagPrintableString = 19
|
||||||
|
TagT61String = 20
|
||||||
|
TagIA5String = 22
|
||||||
|
TagUTCTime = 23
|
||||||
|
TagGeneralizedTime = 24
|
||||||
|
TagGeneralString = 27
|
||||||
|
)
|
||||||
|
|
||||||
|
// ASN.1 class types represent the namespace of the tag.
|
||||||
|
const (
|
||||||
|
ClassUniversal = 0
|
||||||
|
ClassApplication = 1
|
||||||
|
ClassContextSpecific = 2
|
||||||
|
ClassPrivate = 3
|
||||||
|
)
|
||||||
|
|
||||||
|
type tagAndLength struct {
|
||||||
|
class, tag, length int
|
||||||
|
isCompound bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// ASN.1 has IMPLICIT and EXPLICIT tags, which can be translated as "instead
|
||||||
|
// of" and "in addition to". When not specified, every primitive type has a
|
||||||
|
// default tag in the UNIVERSAL class.
|
||||||
|
//
|
||||||
|
// For example: a BIT STRING is tagged [UNIVERSAL 3] by default (although ASN.1
|
||||||
|
// doesn't actually have a UNIVERSAL keyword). However, by saying [IMPLICIT
|
||||||
|
// CONTEXT-SPECIFIC 42], that means that the tag is replaced by another.
|
||||||
|
//
|
||||||
|
// On the other hand, if it said [EXPLICIT CONTEXT-SPECIFIC 10], then an
|
||||||
|
// /additional/ tag would wrap the default tag. This explicit tag will have the
|
||||||
|
// compound flag set.
|
||||||
|
//
|
||||||
|
// (This is used in order to remove ambiguity with optional elements.)
|
||||||
|
//
|
||||||
|
// You can layer EXPLICIT and IMPLICIT tags to an arbitrary depth, however we
|
||||||
|
// don't support that here. We support a single layer of EXPLICIT or IMPLICIT
|
||||||
|
// tagging with tag strings on the fields of a structure.
|
||||||
|
|
||||||
|
// fieldParameters is the parsed representation of tag string from a structure field.
|
||||||
|
type fieldParameters struct {
|
||||||
|
optional bool // true iff the field is OPTIONAL
|
||||||
|
explicit bool // true iff an EXPLICIT tag is in use.
|
||||||
|
application bool // true iff an APPLICATION tag is in use.
|
||||||
|
defaultValue *int64 // a default value for INTEGER typed fields (maybe nil).
|
||||||
|
tag *int // the EXPLICIT or IMPLICIT tag (maybe nil).
|
||||||
|
stringType int // the string tag to use when marshaling.
|
||||||
|
timeType int // the time tag to use when marshaling.
|
||||||
|
set bool // true iff this should be encoded as a SET
|
||||||
|
omitEmpty bool // true iff this should be omitted if empty when marshaling.
|
||||||
|
|
||||||
|
// Invariants:
|
||||||
|
// if explicit is set, tag is non-nil.
|
||||||
|
}
|
||||||
|
|
||||||
|
// Given a tag string with the format specified in the package comment,
|
||||||
|
// parseFieldParameters will parse it into a fieldParameters structure,
|
||||||
|
// ignoring unknown parts of the string.
|
||||||
|
func parseFieldParameters(str string) (ret fieldParameters) {
|
||||||
|
for _, part := range strings.Split(str, ",") {
|
||||||
|
switch {
|
||||||
|
case part == "optional":
|
||||||
|
ret.optional = true
|
||||||
|
case part == "explicit":
|
||||||
|
ret.explicit = true
|
||||||
|
if ret.tag == nil {
|
||||||
|
ret.tag = new(int)
|
||||||
|
}
|
||||||
|
case part == "generalized":
|
||||||
|
ret.timeType = TagGeneralizedTime
|
||||||
|
case part == "utc":
|
||||||
|
ret.timeType = TagUTCTime
|
||||||
|
case part == "ia5":
|
||||||
|
ret.stringType = TagIA5String
|
||||||
|
// jtasn1 case below added
|
||||||
|
case part == "generalstring":
|
||||||
|
ret.stringType = TagGeneralString
|
||||||
|
case part == "printable":
|
||||||
|
ret.stringType = TagPrintableString
|
||||||
|
case part == "utf8":
|
||||||
|
ret.stringType = TagUTF8String
|
||||||
|
case strings.HasPrefix(part, "default:"):
|
||||||
|
i, err := strconv.ParseInt(part[8:], 10, 64)
|
||||||
|
if err == nil {
|
||||||
|
ret.defaultValue = new(int64)
|
||||||
|
*ret.defaultValue = i
|
||||||
|
}
|
||||||
|
case strings.HasPrefix(part, "tag:"):
|
||||||
|
i, err := strconv.Atoi(part[4:])
|
||||||
|
if err == nil {
|
||||||
|
ret.tag = new(int)
|
||||||
|
*ret.tag = i
|
||||||
|
}
|
||||||
|
case part == "set":
|
||||||
|
ret.set = true
|
||||||
|
case part == "application":
|
||||||
|
ret.application = true
|
||||||
|
if ret.tag == nil {
|
||||||
|
ret.tag = new(int)
|
||||||
|
}
|
||||||
|
case part == "omitempty":
|
||||||
|
ret.omitEmpty = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Given a reflected Go type, getUniversalType returns the default tag number
|
||||||
|
// and expected compound flag.
|
||||||
|
func getUniversalType(t reflect.Type) (tagNumber int, isCompound, ok bool) {
|
||||||
|
switch t {
|
||||||
|
case objectIdentifierType:
|
||||||
|
return TagOID, false, true
|
||||||
|
case bitStringType:
|
||||||
|
return TagBitString, false, true
|
||||||
|
case timeType:
|
||||||
|
return TagUTCTime, false, true
|
||||||
|
case enumeratedType:
|
||||||
|
return TagEnum, false, true
|
||||||
|
case bigIntType:
|
||||||
|
return TagInteger, false, true
|
||||||
|
}
|
||||||
|
switch t.Kind() {
|
||||||
|
case reflect.Bool:
|
||||||
|
return TagBoolean, false, true
|
||||||
|
case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
|
||||||
|
return TagInteger, false, true
|
||||||
|
case reflect.Struct:
|
||||||
|
return TagSequence, true, true
|
||||||
|
case reflect.Slice:
|
||||||
|
if t.Elem().Kind() == reflect.Uint8 {
|
||||||
|
return TagOctetString, false, true
|
||||||
|
}
|
||||||
|
if strings.HasSuffix(t.Name(), "SET") {
|
||||||
|
return TagSet, true, true
|
||||||
|
}
|
||||||
|
return TagSequence, true, true
|
||||||
|
case reflect.String:
|
||||||
|
return TagPrintableString, false, true
|
||||||
|
}
|
||||||
|
return 0, false, false
|
||||||
|
}
|
659
vendor/github.com/jcmturner/gofork/encoding/asn1/marshal.go
generated
vendored
Normal file
659
vendor/github.com/jcmturner/gofork/encoding/asn1/marshal.go
generated
vendored
Normal file
@ -0,0 +1,659 @@
|
|||||||
|
// Copyright 2009 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package asn1
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"math/big"
|
||||||
|
"reflect"
|
||||||
|
"time"
|
||||||
|
"unicode/utf8"
|
||||||
|
)
|
||||||
|
|
||||||
|
// A forkableWriter is an in-memory buffer that can be
|
||||||
|
// 'forked' to create new forkableWriters that bracket the
|
||||||
|
// original. After
|
||||||
|
// pre, post := w.fork()
|
||||||
|
// the overall sequence of bytes represented is logically w+pre+post.
|
||||||
|
type forkableWriter struct {
|
||||||
|
*bytes.Buffer
|
||||||
|
pre, post *forkableWriter
|
||||||
|
}
|
||||||
|
|
||||||
|
func newForkableWriter() *forkableWriter {
|
||||||
|
return &forkableWriter{new(bytes.Buffer), nil, nil}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *forkableWriter) fork() (pre, post *forkableWriter) {
|
||||||
|
if f.pre != nil || f.post != nil {
|
||||||
|
panic("have already forked")
|
||||||
|
}
|
||||||
|
f.pre = newForkableWriter()
|
||||||
|
f.post = newForkableWriter()
|
||||||
|
return f.pre, f.post
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *forkableWriter) Len() (l int) {
|
||||||
|
l += f.Buffer.Len()
|
||||||
|
if f.pre != nil {
|
||||||
|
l += f.pre.Len()
|
||||||
|
}
|
||||||
|
if f.post != nil {
|
||||||
|
l += f.post.Len()
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (f *forkableWriter) writeTo(out io.Writer) (n int, err error) {
|
||||||
|
n, err = out.Write(f.Bytes())
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var nn int
|
||||||
|
|
||||||
|
if f.pre != nil {
|
||||||
|
nn, err = f.pre.writeTo(out)
|
||||||
|
n += nn
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if f.post != nil {
|
||||||
|
nn, err = f.post.writeTo(out)
|
||||||
|
n += nn
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalBase128Int(out *forkableWriter, n int64) (err error) {
|
||||||
|
if n == 0 {
|
||||||
|
err = out.WriteByte(0)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
l := 0
|
||||||
|
for i := n; i > 0; i >>= 7 {
|
||||||
|
l++
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := l - 1; i >= 0; i-- {
|
||||||
|
o := byte(n >> uint(i*7))
|
||||||
|
o &= 0x7f
|
||||||
|
if i != 0 {
|
||||||
|
o |= 0x80
|
||||||
|
}
|
||||||
|
err = out.WriteByte(o)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalInt64(out *forkableWriter, i int64) (err error) {
|
||||||
|
n := int64Length(i)
|
||||||
|
|
||||||
|
for ; n > 0; n-- {
|
||||||
|
err = out.WriteByte(byte(i >> uint((n-1)*8)))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func int64Length(i int64) (numBytes int) {
|
||||||
|
numBytes = 1
|
||||||
|
|
||||||
|
for i > 127 {
|
||||||
|
numBytes++
|
||||||
|
i >>= 8
|
||||||
|
}
|
||||||
|
|
||||||
|
for i < -128 {
|
||||||
|
numBytes++
|
||||||
|
i >>= 8
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalBigInt(out *forkableWriter, n *big.Int) (err error) {
|
||||||
|
if n.Sign() < 0 {
|
||||||
|
// A negative number has to be converted to two's-complement
|
||||||
|
// form. So we'll subtract 1 and invert. If the
|
||||||
|
// most-significant-bit isn't set then we'll need to pad the
|
||||||
|
// beginning with 0xff in order to keep the number negative.
|
||||||
|
nMinus1 := new(big.Int).Neg(n)
|
||||||
|
nMinus1.Sub(nMinus1, bigOne)
|
||||||
|
bytes := nMinus1.Bytes()
|
||||||
|
for i := range bytes {
|
||||||
|
bytes[i] ^= 0xff
|
||||||
|
}
|
||||||
|
if len(bytes) == 0 || bytes[0]&0x80 == 0 {
|
||||||
|
err = out.WriteByte(0xff)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
_, err = out.Write(bytes)
|
||||||
|
} else if n.Sign() == 0 {
|
||||||
|
// Zero is written as a single 0 zero rather than no bytes.
|
||||||
|
err = out.WriteByte(0x00)
|
||||||
|
} else {
|
||||||
|
bytes := n.Bytes()
|
||||||
|
if len(bytes) > 0 && bytes[0]&0x80 != 0 {
|
||||||
|
// We'll have to pad this with 0x00 in order to stop it
|
||||||
|
// looking like a negative number.
|
||||||
|
err = out.WriteByte(0)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
_, err = out.Write(bytes)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalLength(out *forkableWriter, i int) (err error) {
|
||||||
|
n := lengthLength(i)
|
||||||
|
|
||||||
|
for ; n > 0; n-- {
|
||||||
|
err = out.WriteByte(byte(i >> uint((n-1)*8)))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func lengthLength(i int) (numBytes int) {
|
||||||
|
numBytes = 1
|
||||||
|
for i > 255 {
|
||||||
|
numBytes++
|
||||||
|
i >>= 8
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalTagAndLength(out *forkableWriter, t tagAndLength) (err error) {
|
||||||
|
b := uint8(t.class) << 6
|
||||||
|
if t.isCompound {
|
||||||
|
b |= 0x20
|
||||||
|
}
|
||||||
|
if t.tag >= 31 {
|
||||||
|
b |= 0x1f
|
||||||
|
err = out.WriteByte(b)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
err = marshalBase128Int(out, int64(t.tag))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
b |= uint8(t.tag)
|
||||||
|
err = out.WriteByte(b)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if t.length >= 128 {
|
||||||
|
l := lengthLength(t.length)
|
||||||
|
err = out.WriteByte(0x80 | byte(l))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
err = marshalLength(out, t.length)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
err = out.WriteByte(byte(t.length))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalBitString(out *forkableWriter, b BitString) (err error) {
|
||||||
|
paddingBits := byte((8 - b.BitLength%8) % 8)
|
||||||
|
err = out.WriteByte(paddingBits)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, err = out.Write(b.Bytes)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalObjectIdentifier(out *forkableWriter, oid []int) (err error) {
|
||||||
|
if len(oid) < 2 || oid[0] > 2 || (oid[0] < 2 && oid[1] >= 40) {
|
||||||
|
return StructuralError{"invalid object identifier"}
|
||||||
|
}
|
||||||
|
|
||||||
|
err = marshalBase128Int(out, int64(oid[0]*40+oid[1]))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for i := 2; i < len(oid); i++ {
|
||||||
|
err = marshalBase128Int(out, int64(oid[i]))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalPrintableString(out *forkableWriter, s string) (err error) {
|
||||||
|
b := []byte(s)
|
||||||
|
for _, c := range b {
|
||||||
|
if !isPrintable(c) {
|
||||||
|
return StructuralError{"PrintableString contains invalid character"}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = out.Write(b)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalIA5String(out *forkableWriter, s string) (err error) {
|
||||||
|
b := []byte(s)
|
||||||
|
for _, c := range b {
|
||||||
|
if c > 127 {
|
||||||
|
return StructuralError{"IA5String contains invalid character"}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = out.Write(b)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalUTF8String(out *forkableWriter, s string) (err error) {
|
||||||
|
_, err = out.Write([]byte(s))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalTwoDigits(out *forkableWriter, v int) (err error) {
|
||||||
|
err = out.WriteByte(byte('0' + (v/10)%10))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return out.WriteByte(byte('0' + v%10))
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalFourDigits(out *forkableWriter, v int) (err error) {
|
||||||
|
var bytes [4]byte
|
||||||
|
for i := range bytes {
|
||||||
|
bytes[3-i] = '0' + byte(v%10)
|
||||||
|
v /= 10
|
||||||
|
}
|
||||||
|
_, err = out.Write(bytes[:])
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func outsideUTCRange(t time.Time) bool {
|
||||||
|
year := t.Year()
|
||||||
|
return year < 1950 || year >= 2050
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalUTCTime(out *forkableWriter, t time.Time) (err error) {
|
||||||
|
year := t.Year()
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case 1950 <= year && year < 2000:
|
||||||
|
err = marshalTwoDigits(out, year-1900)
|
||||||
|
case 2000 <= year && year < 2050:
|
||||||
|
err = marshalTwoDigits(out, year-2000)
|
||||||
|
default:
|
||||||
|
return StructuralError{"cannot represent time as UTCTime"}
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
return marshalTimeCommon(out, t)
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalGeneralizedTime(out *forkableWriter, t time.Time) (err error) {
|
||||||
|
year := t.Year()
|
||||||
|
if year < 0 || year > 9999 {
|
||||||
|
return StructuralError{"cannot represent time as GeneralizedTime"}
|
||||||
|
}
|
||||||
|
if err = marshalFourDigits(out, year); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
return marshalTimeCommon(out, t)
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalTimeCommon(out *forkableWriter, t time.Time) (err error) {
|
||||||
|
_, month, day := t.Date()
|
||||||
|
|
||||||
|
err = marshalTwoDigits(out, int(month))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
err = marshalTwoDigits(out, day)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
hour, min, sec := t.Clock()
|
||||||
|
|
||||||
|
err = marshalTwoDigits(out, hour)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
err = marshalTwoDigits(out, min)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
err = marshalTwoDigits(out, sec)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, offset := t.Zone()
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case offset/60 == 0:
|
||||||
|
err = out.WriteByte('Z')
|
||||||
|
return
|
||||||
|
case offset > 0:
|
||||||
|
err = out.WriteByte('+')
|
||||||
|
case offset < 0:
|
||||||
|
err = out.WriteByte('-')
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
offsetMinutes := offset / 60
|
||||||
|
if offsetMinutes < 0 {
|
||||||
|
offsetMinutes = -offsetMinutes
|
||||||
|
}
|
||||||
|
|
||||||
|
err = marshalTwoDigits(out, offsetMinutes/60)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
err = marshalTwoDigits(out, offsetMinutes%60)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func stripTagAndLength(in []byte) []byte {
|
||||||
|
_, offset, err := parseTagAndLength(in, 0)
|
||||||
|
if err != nil {
|
||||||
|
return in
|
||||||
|
}
|
||||||
|
return in[offset:]
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalBody(out *forkableWriter, value reflect.Value, params fieldParameters) (err error) {
|
||||||
|
switch value.Type() {
|
||||||
|
case flagType:
|
||||||
|
return nil
|
||||||
|
case timeType:
|
||||||
|
t := value.Interface().(time.Time)
|
||||||
|
if params.timeType == TagGeneralizedTime || outsideUTCRange(t) {
|
||||||
|
return marshalGeneralizedTime(out, t)
|
||||||
|
} else {
|
||||||
|
return marshalUTCTime(out, t)
|
||||||
|
}
|
||||||
|
case bitStringType:
|
||||||
|
return marshalBitString(out, value.Interface().(BitString))
|
||||||
|
case objectIdentifierType:
|
||||||
|
return marshalObjectIdentifier(out, value.Interface().(ObjectIdentifier))
|
||||||
|
case bigIntType:
|
||||||
|
return marshalBigInt(out, value.Interface().(*big.Int))
|
||||||
|
}
|
||||||
|
|
||||||
|
switch v := value; v.Kind() {
|
||||||
|
case reflect.Bool:
|
||||||
|
if v.Bool() {
|
||||||
|
return out.WriteByte(255)
|
||||||
|
} else {
|
||||||
|
return out.WriteByte(0)
|
||||||
|
}
|
||||||
|
case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
|
||||||
|
return marshalInt64(out, v.Int())
|
||||||
|
case reflect.Struct:
|
||||||
|
t := v.Type()
|
||||||
|
|
||||||
|
startingField := 0
|
||||||
|
|
||||||
|
// If the first element of the structure is a non-empty
|
||||||
|
// RawContents, then we don't bother serializing the rest.
|
||||||
|
if t.NumField() > 0 && t.Field(0).Type == rawContentsType {
|
||||||
|
s := v.Field(0)
|
||||||
|
if s.Len() > 0 {
|
||||||
|
bytes := make([]byte, s.Len())
|
||||||
|
for i := 0; i < s.Len(); i++ {
|
||||||
|
bytes[i] = uint8(s.Index(i).Uint())
|
||||||
|
}
|
||||||
|
/* The RawContents will contain the tag and
|
||||||
|
* length fields but we'll also be writing
|
||||||
|
* those ourselves, so we strip them out of
|
||||||
|
* bytes */
|
||||||
|
_, err = out.Write(stripTagAndLength(bytes))
|
||||||
|
return
|
||||||
|
} else {
|
||||||
|
startingField = 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := startingField; i < t.NumField(); i++ {
|
||||||
|
var pre *forkableWriter
|
||||||
|
pre, out = out.fork()
|
||||||
|
err = marshalField(pre, v.Field(i), parseFieldParameters(t.Field(i).Tag.Get("asn1")))
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
case reflect.Slice:
|
||||||
|
sliceType := v.Type()
|
||||||
|
if sliceType.Elem().Kind() == reflect.Uint8 {
|
||||||
|
bytes := make([]byte, v.Len())
|
||||||
|
for i := 0; i < v.Len(); i++ {
|
||||||
|
bytes[i] = uint8(v.Index(i).Uint())
|
||||||
|
}
|
||||||
|
_, err = out.Write(bytes)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// jtasn1 Pass on the tags to the members but need to unset explicit switch and implicit value
|
||||||
|
//var fp fieldParameters
|
||||||
|
params.explicit = false
|
||||||
|
params.tag = nil
|
||||||
|
for i := 0; i < v.Len(); i++ {
|
||||||
|
var pre *forkableWriter
|
||||||
|
pre, out = out.fork()
|
||||||
|
err = marshalField(pre, v.Index(i), params)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
case reflect.String:
|
||||||
|
switch params.stringType {
|
||||||
|
case TagIA5String:
|
||||||
|
return marshalIA5String(out, v.String())
|
||||||
|
case TagPrintableString:
|
||||||
|
return marshalPrintableString(out, v.String())
|
||||||
|
default:
|
||||||
|
return marshalUTF8String(out, v.String())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return StructuralError{"unknown Go type"}
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalField(out *forkableWriter, v reflect.Value, params fieldParameters) (err error) {
|
||||||
|
if !v.IsValid() {
|
||||||
|
return fmt.Errorf("asn1: cannot marshal nil value")
|
||||||
|
}
|
||||||
|
// If the field is an interface{} then recurse into it.
|
||||||
|
if v.Kind() == reflect.Interface && v.Type().NumMethod() == 0 {
|
||||||
|
return marshalField(out, v.Elem(), params)
|
||||||
|
}
|
||||||
|
|
||||||
|
if v.Kind() == reflect.Slice && v.Len() == 0 && params.omitEmpty {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if params.optional && params.defaultValue != nil && canHaveDefaultValue(v.Kind()) {
|
||||||
|
defaultValue := reflect.New(v.Type()).Elem()
|
||||||
|
defaultValue.SetInt(*params.defaultValue)
|
||||||
|
|
||||||
|
if reflect.DeepEqual(v.Interface(), defaultValue.Interface()) {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// If no default value is given then the zero value for the type is
|
||||||
|
// assumed to be the default value. This isn't obviously the correct
|
||||||
|
// behaviour, but it's what Go has traditionally done.
|
||||||
|
if params.optional && params.defaultValue == nil {
|
||||||
|
if reflect.DeepEqual(v.Interface(), reflect.Zero(v.Type()).Interface()) {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if v.Type() == rawValueType {
|
||||||
|
rv := v.Interface().(RawValue)
|
||||||
|
if len(rv.FullBytes) != 0 {
|
||||||
|
_, err = out.Write(rv.FullBytes)
|
||||||
|
} else {
|
||||||
|
err = marshalTagAndLength(out, tagAndLength{rv.Class, rv.Tag, len(rv.Bytes), rv.IsCompound})
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, err = out.Write(rv.Bytes)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
tag, isCompound, ok := getUniversalType(v.Type())
|
||||||
|
if !ok {
|
||||||
|
err = StructuralError{fmt.Sprintf("unknown Go type: %v", v.Type())}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
class := ClassUniversal
|
||||||
|
|
||||||
|
if params.timeType != 0 && tag != TagUTCTime {
|
||||||
|
return StructuralError{"explicit time type given to non-time member"}
|
||||||
|
}
|
||||||
|
|
||||||
|
// jtasn1 updated to allow slices of strings
|
||||||
|
if params.stringType != 0 && !(tag == TagPrintableString || (v.Kind() == reflect.Slice && tag == 16 && v.Type().Elem().Kind() == reflect.String)) {
|
||||||
|
return StructuralError{"explicit string type given to non-string member"}
|
||||||
|
}
|
||||||
|
|
||||||
|
switch tag {
|
||||||
|
case TagPrintableString:
|
||||||
|
if params.stringType == 0 {
|
||||||
|
// This is a string without an explicit string type. We'll use
|
||||||
|
// a PrintableString if the character set in the string is
|
||||||
|
// sufficiently limited, otherwise we'll use a UTF8String.
|
||||||
|
for _, r := range v.String() {
|
||||||
|
if r >= utf8.RuneSelf || !isPrintable(byte(r)) {
|
||||||
|
if !utf8.ValidString(v.String()) {
|
||||||
|
return errors.New("asn1: string not valid UTF-8")
|
||||||
|
}
|
||||||
|
tag = TagUTF8String
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
tag = params.stringType
|
||||||
|
}
|
||||||
|
case TagUTCTime:
|
||||||
|
if params.timeType == TagGeneralizedTime || outsideUTCRange(v.Interface().(time.Time)) {
|
||||||
|
tag = TagGeneralizedTime
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if params.set {
|
||||||
|
if tag != TagSequence {
|
||||||
|
return StructuralError{"non sequence tagged as set"}
|
||||||
|
}
|
||||||
|
tag = TagSet
|
||||||
|
}
|
||||||
|
|
||||||
|
tags, body := out.fork()
|
||||||
|
|
||||||
|
err = marshalBody(body, v, params)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
bodyLen := body.Len()
|
||||||
|
|
||||||
|
var explicitTag *forkableWriter
|
||||||
|
if params.explicit {
|
||||||
|
explicitTag, tags = tags.fork()
|
||||||
|
}
|
||||||
|
|
||||||
|
if !params.explicit && params.tag != nil {
|
||||||
|
// implicit tag.
|
||||||
|
tag = *params.tag
|
||||||
|
class = ClassContextSpecific
|
||||||
|
}
|
||||||
|
|
||||||
|
err = marshalTagAndLength(tags, tagAndLength{class, tag, bodyLen, isCompound})
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if params.explicit {
|
||||||
|
err = marshalTagAndLength(explicitTag, tagAndLength{
|
||||||
|
class: ClassContextSpecific,
|
||||||
|
tag: *params.tag,
|
||||||
|
length: bodyLen + tags.Len(),
|
||||||
|
isCompound: true,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal returns the ASN.1 encoding of val.
|
||||||
|
//
|
||||||
|
// In addition to the struct tags recognised by Unmarshal, the following can be
|
||||||
|
// used:
|
||||||
|
//
|
||||||
|
// ia5: causes strings to be marshaled as ASN.1, IA5 strings
|
||||||
|
// omitempty: causes empty slices to be skipped
|
||||||
|
// printable: causes strings to be marshaled as ASN.1, PrintableString strings.
|
||||||
|
// utf8: causes strings to be marshaled as ASN.1, UTF8 strings
|
||||||
|
func Marshal(val interface{}) ([]byte, error) {
|
||||||
|
var out bytes.Buffer
|
||||||
|
v := reflect.ValueOf(val)
|
||||||
|
f := newForkableWriter()
|
||||||
|
err := marshalField(f, v, fieldParameters{})
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
_, err = f.writeTo(&out)
|
||||||
|
return out.Bytes(), err
|
||||||
|
}
|
98
vendor/github.com/jcmturner/gofork/x/crypto/pbkdf2/pbkdf2.go
generated
vendored
Normal file
98
vendor/github.com/jcmturner/gofork/x/crypto/pbkdf2/pbkdf2.go
generated
vendored
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
// Copyright 2012 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
/*
|
||||||
|
Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
|
||||||
|
2898 / PKCS #5 v2.0.
|
||||||
|
|
||||||
|
A key derivation function is useful when encrypting data based on a password
|
||||||
|
or any other not-fully-random data. It uses a pseudorandom function to derive
|
||||||
|
a secure encryption key based on the password.
|
||||||
|
|
||||||
|
While v2.0 of the standard defines only one pseudorandom function to use,
|
||||||
|
HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
|
||||||
|
Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
|
||||||
|
choose, you can pass the `New` functions from the different SHA packages to
|
||||||
|
pbkdf2.Key.
|
||||||
|
*/
|
||||||
|
package pbkdf2
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/hmac"
|
||||||
|
"hash"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Key derives a key from the password, salt and iteration count, returning a
|
||||||
|
// []byte of length keylen that can be used as cryptographic key. The key is
|
||||||
|
// derived based on the method described as PBKDF2 with the HMAC variant using
|
||||||
|
// the supplied hash function.
|
||||||
|
//
|
||||||
|
// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
|
||||||
|
// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
|
||||||
|
// doing:
|
||||||
|
//
|
||||||
|
// dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
|
||||||
|
//
|
||||||
|
// Remember to get a good random salt. At least 8 bytes is recommended by the
|
||||||
|
// RFC.
|
||||||
|
//
|
||||||
|
// Using a higher iteration count will increase the cost of an exhaustive
|
||||||
|
// search but will also make derivation proportionally slower.
|
||||||
|
func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
|
||||||
|
return Key64(password, salt, int64(iter), int64(keyLen), h)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Key64 derives a key from the password, salt and iteration count, returning a
|
||||||
|
// []byte of length keylen that can be used as cryptographic key. Key64 uses
|
||||||
|
// int64 for the iteration count and key length to allow larger values.
|
||||||
|
// The key is derived based on the method described as PBKDF2 with the HMAC
|
||||||
|
// variant using the supplied hash function.
|
||||||
|
//
|
||||||
|
// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
|
||||||
|
// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
|
||||||
|
// doing:
|
||||||
|
//
|
||||||
|
// dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
|
||||||
|
//
|
||||||
|
// Remember to get a good random salt. At least 8 bytes is recommended by the
|
||||||
|
// RFC.
|
||||||
|
//
|
||||||
|
// Using a higher iteration count will increase the cost of an exhaustive
|
||||||
|
// search but will also make derivation proportionally slower.
|
||||||
|
func Key64(password, salt []byte, iter, keyLen int64, h func() hash.Hash) []byte {
|
||||||
|
prf := hmac.New(h, password)
|
||||||
|
hashLen := int64(prf.Size())
|
||||||
|
numBlocks := (keyLen + hashLen - 1) / hashLen
|
||||||
|
|
||||||
|
var buf [4]byte
|
||||||
|
dk := make([]byte, 0, numBlocks*hashLen)
|
||||||
|
U := make([]byte, hashLen)
|
||||||
|
for block := int64(1); block <= numBlocks; block++ {
|
||||||
|
// N.B.: || means concatenation, ^ means XOR
|
||||||
|
// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
|
||||||
|
// U_1 = PRF(password, salt || uint(i))
|
||||||
|
prf.Reset()
|
||||||
|
prf.Write(salt)
|
||||||
|
buf[0] = byte(block >> 24)
|
||||||
|
buf[1] = byte(block >> 16)
|
||||||
|
buf[2] = byte(block >> 8)
|
||||||
|
buf[3] = byte(block)
|
||||||
|
prf.Write(buf[:4])
|
||||||
|
dk = prf.Sum(dk)
|
||||||
|
T := dk[int64(len(dk))-hashLen:]
|
||||||
|
copy(U, T)
|
||||||
|
|
||||||
|
// U_n = PRF(password, U_(n-1))
|
||||||
|
for n := int64(2); n <= iter; n++ {
|
||||||
|
prf.Reset()
|
||||||
|
prf.Write(U)
|
||||||
|
U = U[:0]
|
||||||
|
U = prf.Sum(U)
|
||||||
|
for x := range U {
|
||||||
|
T[x] ^= U[x]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return dk[:keyLen]
|
||||||
|
}
|
201
vendor/github.com/jcmturner/goidentity/v6/LICENSE
generated
vendored
Normal file
201
vendor/github.com/jcmturner/goidentity/v6/LICENSE
generated
vendored
Normal file
@ -0,0 +1,201 @@
|
|||||||
|
Apache License
|
||||||
|
Version 2.0, January 2004
|
||||||
|
http://www.apache.org/licenses/
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||||
|
|
||||||
|
1. Definitions.
|
||||||
|
|
||||||
|
"License" shall mean the terms and conditions for use, reproduction,
|
||||||
|
and distribution as defined by Sections 1 through 9 of this document.
|
||||||
|
|
||||||
|
"Licensor" shall mean the copyright owner or entity authorized by
|
||||||
|
the copyright owner that is granting the License.
|
||||||
|
|
||||||
|
"Legal Entity" shall mean the union of the acting entity and all
|
||||||
|
other entities that control, are controlled by, or are under common
|
||||||
|
control with that entity. For the purposes of this definition,
|
||||||
|
"control" means (i) the power, direct or indirect, to cause the
|
||||||
|
direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||||
|
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||||
|
|
||||||
|
"You" (or "Your") shall mean an individual or Legal Entity
|
||||||
|
exercising permissions granted by this License.
|
||||||
|
|
||||||
|
"Source" form shall mean the preferred form for making modifications,
|
||||||
|
including but not limited to software source code, documentation
|
||||||
|
source, and configuration files.
|
||||||
|
|
||||||
|
"Object" form shall mean any form resulting from mechanical
|
||||||
|
transformation or translation of a Source form, including but
|
||||||
|
not limited to compiled object code, generated documentation,
|
||||||
|
and conversions to other media types.
|
||||||
|
|
||||||
|
"Work" shall mean the work of authorship, whether in Source or
|
||||||
|
Object form, made available under the License, as indicated by a
|
||||||
|
copyright notice that is included in or attached to the work
|
||||||
|
(an example is provided in the Appendix below).
|
||||||
|
|
||||||
|
"Derivative Works" shall mean any work, whether in Source or Object
|
||||||
|
form, that is based on (or derived from) the Work and for which the
|
||||||
|
editorial revisions, annotations, elaborations, or other modifications
|
||||||
|
represent, as a whole, an original work of authorship. For the purposes
|
||||||
|
of this License, Derivative Works shall not include works that remain
|
||||||
|
separable from, or merely link (or bind by name) to the interfaces of,
|
||||||
|
the Work and Derivative Works thereof.
|
||||||
|
|
||||||
|
"Contribution" shall mean any work of authorship, including
|
||||||
|
the original version of the Work and any modifications or additions
|
||||||
|
to that Work or Derivative Works thereof, that is intentionally
|
||||||
|
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||||
|
or by an individual or Legal Entity authorized to submit on behalf of
|
||||||
|
the copyright owner. For the purposes of this definition, "submitted"
|
||||||
|
means any form of electronic, verbal, or written communication sent
|
||||||
|
to the Licensor or its representatives, including but not limited to
|
||||||
|
communication on electronic mailing lists, source code control systems,
|
||||||
|
and issue tracking systems that are managed by, or on behalf of, the
|
||||||
|
Licensor for the purpose of discussing and improving the Work, but
|
||||||
|
excluding communication that is conspicuously marked or otherwise
|
||||||
|
designated in writing by the copyright owner as "Not a Contribution."
|
||||||
|
|
||||||
|
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||||
|
on behalf of whom a Contribution has been received by Licensor and
|
||||||
|
subsequently incorporated within the Work.
|
||||||
|
|
||||||
|
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
copyright license to reproduce, prepare Derivative Works of,
|
||||||
|
publicly display, publicly perform, sublicense, and distribute the
|
||||||
|
Work and such Derivative Works in Source or Object form.
|
||||||
|
|
||||||
|
3. Grant of Patent License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
(except as stated in this section) patent license to make, have made,
|
||||||
|
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||||
|
where such license applies only to those patent claims licensable
|
||||||
|
by such Contributor that are necessarily infringed by their
|
||||||
|
Contribution(s) alone or by combination of their Contribution(s)
|
||||||
|
with the Work to which such Contribution(s) was submitted. If You
|
||||||
|
institute patent litigation against any entity (including a
|
||||||
|
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||||
|
or a Contribution incorporated within the Work constitutes direct
|
||||||
|
or contributory patent infringement, then any patent licenses
|
||||||
|
granted to You under this License for that Work shall terminate
|
||||||
|
as of the date such litigation is filed.
|
||||||
|
|
||||||
|
4. Redistribution. You may reproduce and distribute copies of the
|
||||||
|
Work or Derivative Works thereof in any medium, with or without
|
||||||
|
modifications, and in Source or Object form, provided that You
|
||||||
|
meet the following conditions:
|
||||||
|
|
||||||
|
(a) You must give any other recipients of the Work or
|
||||||
|
Derivative Works a copy of this License; and
|
||||||
|
|
||||||
|
(b) You must cause any modified files to carry prominent notices
|
||||||
|
stating that You changed the files; and
|
||||||
|
|
||||||
|
(c) You must retain, in the Source form of any Derivative Works
|
||||||
|
that You distribute, all copyright, patent, trademark, and
|
||||||
|
attribution notices from the Source form of the Work,
|
||||||
|
excluding those notices that do not pertain to any part of
|
||||||
|
the Derivative Works; and
|
||||||
|
|
||||||
|
(d) If the Work includes a "NOTICE" text file as part of its
|
||||||
|
distribution, then any Derivative Works that You distribute must
|
||||||
|
include a readable copy of the attribution notices contained
|
||||||
|
within such NOTICE file, excluding those notices that do not
|
||||||
|
pertain to any part of the Derivative Works, in at least one
|
||||||
|
of the following places: within a NOTICE text file distributed
|
||||||
|
as part of the Derivative Works; within the Source form or
|
||||||
|
documentation, if provided along with the Derivative Works; or,
|
||||||
|
within a display generated by the Derivative Works, if and
|
||||||
|
wherever such third-party notices normally appear. The contents
|
||||||
|
of the NOTICE file are for informational purposes only and
|
||||||
|
do not modify the License. You may add Your own attribution
|
||||||
|
notices within Derivative Works that You distribute, alongside
|
||||||
|
or as an addendum to the NOTICE text from the Work, provided
|
||||||
|
that such additional attribution notices cannot be construed
|
||||||
|
as modifying the License.
|
||||||
|
|
||||||
|
You may add Your own copyright statement to Your modifications and
|
||||||
|
may provide additional or different license terms and conditions
|
||||||
|
for use, reproduction, or distribution of Your modifications, or
|
||||||
|
for any such Derivative Works as a whole, provided Your use,
|
||||||
|
reproduction, and distribution of the Work otherwise complies with
|
||||||
|
the conditions stated in this License.
|
||||||
|
|
||||||
|
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||||
|
any Contribution intentionally submitted for inclusion in the Work
|
||||||
|
by You to the Licensor shall be under the terms and conditions of
|
||||||
|
this License, without any additional terms or conditions.
|
||||||
|
Notwithstanding the above, nothing herein shall supersede or modify
|
||||||
|
the terms of any separate license agreement you may have executed
|
||||||
|
with Licensor regarding such Contributions.
|
||||||
|
|
||||||
|
6. Trademarks. This License does not grant permission to use the trade
|
||||||
|
names, trademarks, service marks, or product names of the Licensor,
|
||||||
|
except as required for reasonable and customary use in describing the
|
||||||
|
origin of the Work and reproducing the content of the NOTICE file.
|
||||||
|
|
||||||
|
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||||
|
agreed to in writing, Licensor provides the Work (and each
|
||||||
|
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
implied, including, without limitation, any warranties or conditions
|
||||||
|
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||||
|
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||||
|
appropriateness of using or redistributing the Work and assume any
|
||||||
|
risks associated with Your exercise of permissions under this License.
|
||||||
|
|
||||||
|
8. Limitation of Liability. In no event and under no legal theory,
|
||||||
|
whether in tort (including negligence), contract, or otherwise,
|
||||||
|
unless required by applicable law (such as deliberate and grossly
|
||||||
|
negligent acts) or agreed to in writing, shall any Contributor be
|
||||||
|
liable to You for damages, including any direct, indirect, special,
|
||||||
|
incidental, or consequential damages of any character arising as a
|
||||||
|
result of this License or out of the use or inability to use the
|
||||||
|
Work (including but not limited to damages for loss of goodwill,
|
||||||
|
work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses), even if such Contributor
|
||||||
|
has been advised of the possibility of such damages.
|
||||||
|
|
||||||
|
9. Accepting Warranty or Additional Liability. While redistributing
|
||||||
|
the Work or Derivative Works thereof, You may choose to offer,
|
||||||
|
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||||
|
or other liability obligations and/or rights consistent with this
|
||||||
|
License. However, in accepting such obligations, You may act only
|
||||||
|
on Your own behalf and on Your sole responsibility, not on behalf
|
||||||
|
of any other Contributor, and only if You agree to indemnify,
|
||||||
|
defend, and hold each Contributor harmless for any liability
|
||||||
|
incurred by, or claims asserted against, such Contributor by reason
|
||||||
|
of your accepting any such warranty or additional liability.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
APPENDIX: How to apply the Apache License to your work.
|
||||||
|
|
||||||
|
To apply the Apache License to your work, attach the following
|
||||||
|
boilerplate notice, with the fields enclosed by brackets "{}"
|
||||||
|
replaced with your own identifying information. (Don't include
|
||||||
|
the brackets!) The text should be enclosed in the appropriate
|
||||||
|
comment syntax for the file format. We also recommend that a
|
||||||
|
file or class name and description of purpose be included on the
|
||||||
|
same "printed page" as the copyright notice for easier
|
||||||
|
identification within third-party archives.
|
||||||
|
|
||||||
|
Copyright {yyyy} {name of copyright owner}
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
7
vendor/github.com/jcmturner/goidentity/v6/README.md
generated
vendored
Normal file
7
vendor/github.com/jcmturner/goidentity/v6/README.md
generated
vendored
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# goidentity
|
||||||
|
[![GoDoc](https://godoc.org/github.com/jcmturner/goidentity/v6?status.svg)](https://godoc.org/github.com/jcmturner/goidentity/v6) [![Go Report Card](https://goreportcard.com/badge/github.com/jcmturner/goidentity/v6)](https://goreportcard.com/report/github.com/jcmturner/goidentity/v6)
|
||||||
|
|
||||||
|
Please import as below
|
||||||
|
```
|
||||||
|
import "github.com/jcmturner/goidentity/v6"
|
||||||
|
```
|
6
vendor/github.com/jcmturner/goidentity/v6/authenticator.go
generated
vendored
Normal file
6
vendor/github.com/jcmturner/goidentity/v6/authenticator.go
generated
vendored
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
package goidentity
|
||||||
|
|
||||||
|
type Authenticator interface {
|
||||||
|
Authenticate() (Identity, bool, error)
|
||||||
|
Mechanism() string // gives the name of the type of authentication mechanism
|
||||||
|
}
|
8
vendor/github.com/jcmturner/goidentity/v6/go.mod
generated
vendored
Normal file
8
vendor/github.com/jcmturner/goidentity/v6/go.mod
generated
vendored
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
module github.com/jcmturner/goidentity/v6
|
||||||
|
|
||||||
|
go 1.13
|
||||||
|
|
||||||
|
require (
|
||||||
|
github.com/hashicorp/go-uuid v1.0.2
|
||||||
|
github.com/stretchr/testify v1.4.0
|
||||||
|
)
|
12
vendor/github.com/jcmturner/goidentity/v6/go.sum
generated
vendored
Normal file
12
vendor/github.com/jcmturner/goidentity/v6/go.sum
generated
vendored
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
|
||||||
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
|
github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
|
||||||
|
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||||
|
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||||
|
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
|
||||||
|
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
|
||||||
|
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
52
vendor/github.com/jcmturner/goidentity/v6/identity.go
generated
vendored
Normal file
52
vendor/github.com/jcmturner/goidentity/v6/identity.go
generated
vendored
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
package goidentity
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"net/http"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
CTXKey = "jcmturner/goidentity"
|
||||||
|
)
|
||||||
|
|
||||||
|
type Identity interface {
|
||||||
|
UserName() string
|
||||||
|
SetUserName(s string)
|
||||||
|
Domain() string
|
||||||
|
SetDomain(s string)
|
||||||
|
DisplayName() string
|
||||||
|
SetDisplayName(s string)
|
||||||
|
Human() bool
|
||||||
|
SetHuman(b bool)
|
||||||
|
AuthTime() time.Time
|
||||||
|
SetAuthTime(t time.Time)
|
||||||
|
AuthzAttributes() []string
|
||||||
|
AddAuthzAttribute(a string)
|
||||||
|
RemoveAuthzAttribute(a string)
|
||||||
|
Authenticated() bool
|
||||||
|
SetAuthenticated(b bool)
|
||||||
|
Authorized(a string) bool
|
||||||
|
SessionID() string
|
||||||
|
Expired() bool
|
||||||
|
Attributes() map[string]interface{}
|
||||||
|
SetAttribute(k string, v interface{})
|
||||||
|
SetAttributes(map[string]interface{})
|
||||||
|
RemoveAttribute(k string)
|
||||||
|
Marshal() ([]byte, error)
|
||||||
|
Unmarshal([]byte) error
|
||||||
|
}
|
||||||
|
|
||||||
|
func AddToHTTPRequestContext(id Identity, r *http.Request) *http.Request {
|
||||||
|
ctx := r.Context()
|
||||||
|
ctx = context.WithValue(ctx, CTXKey, id)
|
||||||
|
return r.WithContext(ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
func FromHTTPRequestContext(r *http.Request) Identity {
|
||||||
|
ctx := r.Context()
|
||||||
|
if id, ok := ctx.Value(CTXKey).(Identity); ok {
|
||||||
|
return id
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
172
vendor/github.com/jcmturner/goidentity/v6/user.go
generated
vendored
Normal file
172
vendor/github.com/jcmturner/goidentity/v6/user.go
generated
vendored
Normal file
@ -0,0 +1,172 @@
|
|||||||
|
package goidentity
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/gob"
|
||||||
|
"github.com/hashicorp/go-uuid"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
|
type User struct {
|
||||||
|
authenticated bool
|
||||||
|
domain string
|
||||||
|
userName string
|
||||||
|
displayName string
|
||||||
|
email string
|
||||||
|
human bool
|
||||||
|
groupMembership map[string]bool
|
||||||
|
authTime time.Time
|
||||||
|
sessionID string
|
||||||
|
expiry time.Time
|
||||||
|
attributes map[string]interface{}
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewUser(username string) User {
|
||||||
|
uuid, err := uuid.GenerateUUID()
|
||||||
|
if err != nil {
|
||||||
|
uuid = "00unique-sess-ions-uuid-unavailable0"
|
||||||
|
}
|
||||||
|
return User{
|
||||||
|
userName: username,
|
||||||
|
groupMembership: make(map[string]bool),
|
||||||
|
sessionID: uuid,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) UserName() string {
|
||||||
|
return u.userName
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetUserName(s string) {
|
||||||
|
u.userName = s
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) Domain() string {
|
||||||
|
return u.domain
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetDomain(s string) {
|
||||||
|
u.domain = s
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) DisplayName() string {
|
||||||
|
if u.displayName == "" {
|
||||||
|
return u.userName
|
||||||
|
}
|
||||||
|
return u.displayName
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetDisplayName(s string) {
|
||||||
|
u.displayName = s
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) Human() bool {
|
||||||
|
return u.human
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetHuman(b bool) {
|
||||||
|
u.human = b
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) AuthTime() time.Time {
|
||||||
|
return u.authTime
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetAuthTime(t time.Time) {
|
||||||
|
u.authTime = t
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) AuthzAttributes() []string {
|
||||||
|
s := make([]string, len(u.groupMembership))
|
||||||
|
i := 0
|
||||||
|
for a := range u.groupMembership {
|
||||||
|
s[i] = a
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
return s
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) Authenticated() bool {
|
||||||
|
return u.authenticated
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetAuthenticated(b bool) {
|
||||||
|
u.authenticated = b
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) AddAuthzAttribute(a string) {
|
||||||
|
u.groupMembership[a] = true
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) RemoveAuthzAttribute(a string) {
|
||||||
|
if _, ok := u.groupMembership[a]; !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
delete(u.groupMembership, a)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) EnableAuthzAttribute(a string) {
|
||||||
|
if enabled, ok := u.groupMembership[a]; ok && !enabled {
|
||||||
|
u.groupMembership[a] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) DisableAuthzAttribute(a string) {
|
||||||
|
if enabled, ok := u.groupMembership[a]; ok && enabled {
|
||||||
|
u.groupMembership[a] = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) Authorized(a string) bool {
|
||||||
|
if enabled, ok := u.groupMembership[a]; ok && enabled {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SessionID() string {
|
||||||
|
return u.sessionID
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetExpiry(t time.Time) {
|
||||||
|
u.expiry = t
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) Expired() bool {
|
||||||
|
if !u.expiry.IsZero() && time.Now().UTC().After(u.expiry) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) Attributes() map[string]interface{} {
|
||||||
|
return u.attributes
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetAttribute(k string, v interface{}) {
|
||||||
|
u.attributes[k] = v
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) SetAttributes(a map[string]interface{}) {
|
||||||
|
u.attributes = a
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) RemoveAttribute(k string) {
|
||||||
|
delete(u.attributes, k)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) Marshal() ([]byte, error) {
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
enc := gob.NewEncoder(buf)
|
||||||
|
err := enc.Encode(u)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, err
|
||||||
|
}
|
||||||
|
return buf.Bytes(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (u *User) Unmarshal(b []byte) error {
|
||||||
|
buf := bytes.NewBuffer(b)
|
||||||
|
dec := gob.NewDecoder(buf)
|
||||||
|
return dec.Decode(u)
|
||||||
|
}
|
201
vendor/github.com/jcmturner/gokrb5/v8/LICENSE
generated
vendored
Normal file
201
vendor/github.com/jcmturner/gokrb5/v8/LICENSE
generated
vendored
Normal file
@ -0,0 +1,201 @@
|
|||||||
|
Apache License
|
||||||
|
Version 2.0, January 2004
|
||||||
|
http://www.apache.org/licenses/
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||||
|
|
||||||
|
1. Definitions.
|
||||||
|
|
||||||
|
"License" shall mean the terms and conditions for use, reproduction,
|
||||||
|
and distribution as defined by Sections 1 through 9 of this document.
|
||||||
|
|
||||||
|
"Licensor" shall mean the copyright owner or entity authorized by
|
||||||
|
the copyright owner that is granting the License.
|
||||||
|
|
||||||
|
"Legal Entity" shall mean the union of the acting entity and all
|
||||||
|
other entities that control, are controlled by, or are under common
|
||||||
|
control with that entity. For the purposes of this definition,
|
||||||
|
"control" means (i) the power, direct or indirect, to cause the
|
||||||
|
direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||||
|
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||||
|
|
||||||
|
"You" (or "Your") shall mean an individual or Legal Entity
|
||||||
|
exercising permissions granted by this License.
|
||||||
|
|
||||||
|
"Source" form shall mean the preferred form for making modifications,
|
||||||
|
including but not limited to software source code, documentation
|
||||||
|
source, and configuration files.
|
||||||
|
|
||||||
|
"Object" form shall mean any form resulting from mechanical
|
||||||
|
transformation or translation of a Source form, including but
|
||||||
|
not limited to compiled object code, generated documentation,
|
||||||
|
and conversions to other media types.
|
||||||
|
|
||||||
|
"Work" shall mean the work of authorship, whether in Source or
|
||||||
|
Object form, made available under the License, as indicated by a
|
||||||
|
copyright notice that is included in or attached to the work
|
||||||
|
(an example is provided in the Appendix below).
|
||||||
|
|
||||||
|
"Derivative Works" shall mean any work, whether in Source or Object
|
||||||
|
form, that is based on (or derived from) the Work and for which the
|
||||||
|
editorial revisions, annotations, elaborations, or other modifications
|
||||||
|
represent, as a whole, an original work of authorship. For the purposes
|
||||||
|
of this License, Derivative Works shall not include works that remain
|
||||||
|
separable from, or merely link (or bind by name) to the interfaces of,
|
||||||
|
the Work and Derivative Works thereof.
|
||||||
|
|
||||||
|
"Contribution" shall mean any work of authorship, including
|
||||||
|
the original version of the Work and any modifications or additions
|
||||||
|
to that Work or Derivative Works thereof, that is intentionally
|
||||||
|
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||||
|
or by an individual or Legal Entity authorized to submit on behalf of
|
||||||
|
the copyright owner. For the purposes of this definition, "submitted"
|
||||||
|
means any form of electronic, verbal, or written communication sent
|
||||||
|
to the Licensor or its representatives, including but not limited to
|
||||||
|
communication on electronic mailing lists, source code control systems,
|
||||||
|
and issue tracking systems that are managed by, or on behalf of, the
|
||||||
|
Licensor for the purpose of discussing and improving the Work, but
|
||||||
|
excluding communication that is conspicuously marked or otherwise
|
||||||
|
designated in writing by the copyright owner as "Not a Contribution."
|
||||||
|
|
||||||
|
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||||
|
on behalf of whom a Contribution has been received by Licensor and
|
||||||
|
subsequently incorporated within the Work.
|
||||||
|
|
||||||
|
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
copyright license to reproduce, prepare Derivative Works of,
|
||||||
|
publicly display, publicly perform, sublicense, and distribute the
|
||||||
|
Work and such Derivative Works in Source or Object form.
|
||||||
|
|
||||||
|
3. Grant of Patent License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
(except as stated in this section) patent license to make, have made,
|
||||||
|
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||||
|
where such license applies only to those patent claims licensable
|
||||||
|
by such Contributor that are necessarily infringed by their
|
||||||
|
Contribution(s) alone or by combination of their Contribution(s)
|
||||||
|
with the Work to which such Contribution(s) was submitted. If You
|
||||||
|
institute patent litigation against any entity (including a
|
||||||
|
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||||
|
or a Contribution incorporated within the Work constitutes direct
|
||||||
|
or contributory patent infringement, then any patent licenses
|
||||||
|
granted to You under this License for that Work shall terminate
|
||||||
|
as of the date such litigation is filed.
|
||||||
|
|
||||||
|
4. Redistribution. You may reproduce and distribute copies of the
|
||||||
|
Work or Derivative Works thereof in any medium, with or without
|
||||||
|
modifications, and in Source or Object form, provided that You
|
||||||
|
meet the following conditions:
|
||||||
|
|
||||||
|
(a) You must give any other recipients of the Work or
|
||||||
|
Derivative Works a copy of this License; and
|
||||||
|
|
||||||
|
(b) You must cause any modified files to carry prominent notices
|
||||||
|
stating that You changed the files; and
|
||||||
|
|
||||||
|
(c) You must retain, in the Source form of any Derivative Works
|
||||||
|
that You distribute, all copyright, patent, trademark, and
|
||||||
|
attribution notices from the Source form of the Work,
|
||||||
|
excluding those notices that do not pertain to any part of
|
||||||
|
the Derivative Works; and
|
||||||
|
|
||||||
|
(d) If the Work includes a "NOTICE" text file as part of its
|
||||||
|
distribution, then any Derivative Works that You distribute must
|
||||||
|
include a readable copy of the attribution notices contained
|
||||||
|
within such NOTICE file, excluding those notices that do not
|
||||||
|
pertain to any part of the Derivative Works, in at least one
|
||||||
|
of the following places: within a NOTICE text file distributed
|
||||||
|
as part of the Derivative Works; within the Source form or
|
||||||
|
documentation, if provided along with the Derivative Works; or,
|
||||||
|
within a display generated by the Derivative Works, if and
|
||||||
|
wherever such third-party notices normally appear. The contents
|
||||||
|
of the NOTICE file are for informational purposes only and
|
||||||
|
do not modify the License. You may add Your own attribution
|
||||||
|
notices within Derivative Works that You distribute, alongside
|
||||||
|
or as an addendum to the NOTICE text from the Work, provided
|
||||||
|
that such additional attribution notices cannot be construed
|
||||||
|
as modifying the License.
|
||||||
|
|
||||||
|
You may add Your own copyright statement to Your modifications and
|
||||||
|
may provide additional or different license terms and conditions
|
||||||
|
for use, reproduction, or distribution of Your modifications, or
|
||||||
|
for any such Derivative Works as a whole, provided Your use,
|
||||||
|
reproduction, and distribution of the Work otherwise complies with
|
||||||
|
the conditions stated in this License.
|
||||||
|
|
||||||
|
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||||
|
any Contribution intentionally submitted for inclusion in the Work
|
||||||
|
by You to the Licensor shall be under the terms and conditions of
|
||||||
|
this License, without any additional terms or conditions.
|
||||||
|
Notwithstanding the above, nothing herein shall supersede or modify
|
||||||
|
the terms of any separate license agreement you may have executed
|
||||||
|
with Licensor regarding such Contributions.
|
||||||
|
|
||||||
|
6. Trademarks. This License does not grant permission to use the trade
|
||||||
|
names, trademarks, service marks, or product names of the Licensor,
|
||||||
|
except as required for reasonable and customary use in describing the
|
||||||
|
origin of the Work and reproducing the content of the NOTICE file.
|
||||||
|
|
||||||
|
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||||
|
agreed to in writing, Licensor provides the Work (and each
|
||||||
|
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
implied, including, without limitation, any warranties or conditions
|
||||||
|
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||||
|
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||||
|
appropriateness of using or redistributing the Work and assume any
|
||||||
|
risks associated with Your exercise of permissions under this License.
|
||||||
|
|
||||||
|
8. Limitation of Liability. In no event and under no legal theory,
|
||||||
|
whether in tort (including negligence), contract, or otherwise,
|
||||||
|
unless required by applicable law (such as deliberate and grossly
|
||||||
|
negligent acts) or agreed to in writing, shall any Contributor be
|
||||||
|
liable to You for damages, including any direct, indirect, special,
|
||||||
|
incidental, or consequential damages of any character arising as a
|
||||||
|
result of this License or out of the use or inability to use the
|
||||||
|
Work (including but not limited to damages for loss of goodwill,
|
||||||
|
work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses), even if such Contributor
|
||||||
|
has been advised of the possibility of such damages.
|
||||||
|
|
||||||
|
9. Accepting Warranty or Additional Liability. While redistributing
|
||||||
|
the Work or Derivative Works thereof, You may choose to offer,
|
||||||
|
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||||
|
or other liability obligations and/or rights consistent with this
|
||||||
|
License. However, in accepting such obligations, You may act only
|
||||||
|
on Your own behalf and on Your sole responsibility, not on behalf
|
||||||
|
of any other Contributor, and only if You agree to indemnify,
|
||||||
|
defend, and hold each Contributor harmless for any liability
|
||||||
|
incurred by, or claims asserted against, such Contributor by reason
|
||||||
|
of your accepting any such warranty or additional liability.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
APPENDIX: How to apply the Apache License to your work.
|
||||||
|
|
||||||
|
To apply the Apache License to your work, attach the following
|
||||||
|
boilerplate notice, with the fields enclosed by brackets "{}"
|
||||||
|
replaced with your own identifying information. (Don't include
|
||||||
|
the brackets!) The text should be enclosed in the appropriate
|
||||||
|
comment syntax for the file format. We also recommend that a
|
||||||
|
file or class name and description of purpose be included on the
|
||||||
|
same "printed page" as the copyright notice for easier
|
||||||
|
identification within third-party archives.
|
||||||
|
|
||||||
|
Copyright {yyyy} {name of copyright owner}
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
86
vendor/github.com/jcmturner/gokrb5/v8/asn1tools/tools.go
generated
vendored
Normal file
86
vendor/github.com/jcmturner/gokrb5/v8/asn1tools/tools.go
generated
vendored
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
// Package asn1tools provides tools for managing ASN1 marshaled data.
|
||||||
|
package asn1tools
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/jcmturner/gofork/encoding/asn1"
|
||||||
|
)
|
||||||
|
|
||||||
|
// MarshalLengthBytes returns the ASN1 encoded bytes for the length 'l'
|
||||||
|
//
|
||||||
|
// There are two forms: short (for lengths between 0 and 127), and long definite (for lengths between 0 and 2^1008 -1).
|
||||||
|
//
|
||||||
|
// Short form: One octet. Bit 8 has value "0" and bits 7-1 give the length.
|
||||||
|
//
|
||||||
|
// Long form: Two to 127 octets. Bit 8 of first octet has value "1" and bits 7-1 give the number of additional length octets. Second and following octets give the length, base 256, most significant digit first.
|
||||||
|
func MarshalLengthBytes(l int) []byte {
|
||||||
|
if l <= 127 {
|
||||||
|
return []byte{byte(l)}
|
||||||
|
}
|
||||||
|
var b []byte
|
||||||
|
p := 1
|
||||||
|
for i := 1; i < 127; {
|
||||||
|
b = append([]byte{byte((l % (p * 256)) / p)}, b...)
|
||||||
|
p = p * 256
|
||||||
|
l = l - l%p
|
||||||
|
if l <= 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return append([]byte{byte(128 + len(b))}, b...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetLengthFromASN returns the length of a slice of ASN1 encoded bytes from the ASN1 length header it contains.
|
||||||
|
func GetLengthFromASN(b []byte) int {
|
||||||
|
if int(b[1]) <= 127 {
|
||||||
|
return int(b[1])
|
||||||
|
}
|
||||||
|
// The bytes that indicate the length
|
||||||
|
lb := b[2 : 2+int(b[1])-128]
|
||||||
|
base := 1
|
||||||
|
l := 0
|
||||||
|
for i := len(lb) - 1; i >= 0; i-- {
|
||||||
|
l += int(lb[i]) * base
|
||||||
|
base = base * 256
|
||||||
|
}
|
||||||
|
return l
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetNumberBytesInLengthHeader returns the number of bytes in the ASn1 header that indicate the length.
|
||||||
|
func GetNumberBytesInLengthHeader(b []byte) int {
|
||||||
|
if int(b[1]) <= 127 {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
// The bytes that indicate the length
|
||||||
|
return 1 + int(b[1]) - 128
|
||||||
|
}
|
||||||
|
|
||||||
|
// AddASNAppTag adds an ASN1 encoding application tag value to the raw bytes provided.
|
||||||
|
func AddASNAppTag(b []byte, tag int) []byte {
|
||||||
|
r := asn1.RawValue{
|
||||||
|
Class: asn1.ClassApplication,
|
||||||
|
IsCompound: true,
|
||||||
|
Tag: tag,
|
||||||
|
Bytes: b,
|
||||||
|
}
|
||||||
|
ab, _ := asn1.Marshal(r)
|
||||||
|
return ab
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
// The Marshal method of golang's asn1 package does not enable you to define wrapping the output in an application tag.
|
||||||
|
// This method adds that wrapping tag.
|
||||||
|
func AddASNAppTag(b []byte, tag int) []byte {
|
||||||
|
// The ASN1 wrapping consists of 2 bytes:
|
||||||
|
// 1st byte -> Identifier Octet - Application Tag
|
||||||
|
// 2nd byte -> The length (this will be the size indicated in the input bytes + 2 for the additional bytes we add here.
|
||||||
|
// Application Tag:
|
||||||
|
//| Bit: | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 |
|
||||||
|
//| Value: | 0 | 1 | 1 | From the RFC spec 4120 |
|
||||||
|
//| Explanation | Defined by the ASN1 encoding rules for an application tag | A value of 1 indicates a constructed type | The ASN Application tag value |
|
||||||
|
// Therefore the value of the byte is an integer = ( Application tag value + 96 )
|
||||||
|
//b = append(MarshalLengthBytes(int(b[1])+2), b...)
|
||||||
|
b = append(MarshalLengthBytes(len(b)), b...)
|
||||||
|
b = append([]byte{byte(96 + tag)}, b...)
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
*/
|
182
vendor/github.com/jcmturner/gokrb5/v8/client/ASExchange.go
generated
vendored
Normal file
182
vendor/github.com/jcmturner/gokrb5/v8/client/ASExchange.go
generated
vendored
Normal file
@ -0,0 +1,182 @@
|
|||||||
|
package client
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/errorcode"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/keyusage"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/patype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/krberror"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ASExchange performs an AS exchange for the client to retrieve a TGT.
|
||||||
|
func (cl *Client) ASExchange(realm string, ASReq messages.ASReq, referral int) (messages.ASRep, error) {
|
||||||
|
if ok, err := cl.IsConfigured(); !ok {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.ConfigError, "AS Exchange cannot be performed")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set PAData if required
|
||||||
|
err := setPAData(cl, nil, &ASReq)
|
||||||
|
if err != nil {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.KRBMsgError, "AS Exchange Error: issue with setting PAData on AS_REQ")
|
||||||
|
}
|
||||||
|
|
||||||
|
b, err := ASReq.Marshal()
|
||||||
|
if err != nil {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.EncodingError, "AS Exchange Error: failed marshaling AS_REQ")
|
||||||
|
}
|
||||||
|
var ASRep messages.ASRep
|
||||||
|
|
||||||
|
rb, err := cl.sendToKDC(b, realm)
|
||||||
|
if err != nil {
|
||||||
|
if e, ok := err.(messages.KRBError); ok {
|
||||||
|
switch e.ErrorCode {
|
||||||
|
case errorcode.KDC_ERR_PREAUTH_REQUIRED, errorcode.KDC_ERR_PREAUTH_FAILED:
|
||||||
|
// From now on assume this client will need to do this pre-auth and set the PAData
|
||||||
|
cl.settings.assumePreAuthentication = true
|
||||||
|
err = setPAData(cl, &e, &ASReq)
|
||||||
|
if err != nil {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.KRBMsgError, "AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required")
|
||||||
|
}
|
||||||
|
b, err := ASReq.Marshal()
|
||||||
|
if err != nil {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.EncodingError, "AS Exchange Error: failed marshaling AS_REQ with PAData")
|
||||||
|
}
|
||||||
|
rb, err = cl.sendToKDC(b, realm)
|
||||||
|
if err != nil {
|
||||||
|
if _, ok := err.(messages.KRBError); ok {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.KDCError, "AS Exchange Error: kerberos error response from KDC")
|
||||||
|
}
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.NetworkingError, "AS Exchange Error: failed sending AS_REQ to KDC")
|
||||||
|
}
|
||||||
|
case errorcode.KDC_ERR_WRONG_REALM:
|
||||||
|
// Client referral https://tools.ietf.org/html/rfc6806.html#section-7
|
||||||
|
if referral > 5 {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.KRBMsgError, "maximum number of client referrals exceeded")
|
||||||
|
}
|
||||||
|
referral++
|
||||||
|
return cl.ASExchange(e.CRealm, ASReq, referral)
|
||||||
|
default:
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.KDCError, "AS Exchange Error: kerberos error response from KDC")
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.NetworkingError, "AS Exchange Error: failed sending AS_REQ to KDC")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
err = ASRep.Unmarshal(rb)
|
||||||
|
if err != nil {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.EncodingError, "AS Exchange Error: failed to process the AS_REP")
|
||||||
|
}
|
||||||
|
if ok, err := ASRep.Verify(cl.Config, cl.Credentials, ASReq); !ok {
|
||||||
|
return messages.ASRep{}, krberror.Errorf(err, krberror.KRBMsgError, "AS Exchange Error: AS_REP is not valid or client password/keytab incorrect")
|
||||||
|
}
|
||||||
|
return ASRep, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// setPAData adds pre-authentication data to the AS_REQ.
|
||||||
|
func setPAData(cl *Client, krberr *messages.KRBError, ASReq *messages.ASReq) error {
|
||||||
|
if !cl.settings.DisablePAFXFAST() {
|
||||||
|
pa := types.PAData{PADataType: patype.PA_REQ_ENC_PA_REP}
|
||||||
|
ASReq.PAData = append(ASReq.PAData, pa)
|
||||||
|
}
|
||||||
|
if cl.settings.AssumePreAuthentication() {
|
||||||
|
// Identify the etype to use to encrypt the PA Data
|
||||||
|
var et etype.EType
|
||||||
|
var err error
|
||||||
|
var key types.EncryptionKey
|
||||||
|
var kvno int
|
||||||
|
if krberr == nil {
|
||||||
|
// This is not in response to an error from the KDC. It is preemptive or renewal
|
||||||
|
// There is no KRB Error that tells us the etype to use
|
||||||
|
etn := cl.settings.preAuthEType // Use the etype that may have previously been negotiated
|
||||||
|
if etn == 0 {
|
||||||
|
etn = int32(cl.Config.LibDefaults.PreferredPreauthTypes[0]) // Resort to config
|
||||||
|
}
|
||||||
|
et, err = crypto.GetEtype(etn)
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.EncryptingError, "error getting etype for pre-auth encryption")
|
||||||
|
}
|
||||||
|
key, kvno, err = cl.Key(et, 0, nil)
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.EncryptingError, "error getting key from credentials")
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Get the etype to use from the PA data in the KRBError e-data
|
||||||
|
et, err = preAuthEType(krberr)
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.EncryptingError, "error getting etype for pre-auth encryption")
|
||||||
|
}
|
||||||
|
cl.settings.preAuthEType = et.GetETypeID() // Set the etype that has been defined for potential future use
|
||||||
|
key, kvno, err = cl.Key(et, 0, krberr)
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.EncryptingError, "error getting key from credentials")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Generate the PA data
|
||||||
|
paTSb, err := types.GetPAEncTSEncAsnMarshalled()
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.KRBMsgError, "error creating PAEncTSEnc for Pre-Authentication")
|
||||||
|
}
|
||||||
|
paEncTS, err := crypto.GetEncryptedData(paTSb, key, keyusage.AS_REQ_PA_ENC_TIMESTAMP, kvno)
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.EncryptingError, "error encrypting pre-authentication timestamp")
|
||||||
|
}
|
||||||
|
pb, err := paEncTS.Marshal()
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.EncodingError, "error marshaling the PAEncTSEnc encrypted data")
|
||||||
|
}
|
||||||
|
pa := types.PAData{
|
||||||
|
PADataType: patype.PA_ENC_TIMESTAMP,
|
||||||
|
PADataValue: pb,
|
||||||
|
}
|
||||||
|
// Look for and delete any exiting patype.PA_ENC_TIMESTAMP
|
||||||
|
for i, pa := range ASReq.PAData {
|
||||||
|
if pa.PADataType == patype.PA_ENC_TIMESTAMP {
|
||||||
|
ASReq.PAData[i] = ASReq.PAData[len(ASReq.PAData)-1]
|
||||||
|
ASReq.PAData = ASReq.PAData[:len(ASReq.PAData)-1]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ASReq.PAData = append(ASReq.PAData, pa)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// preAuthEType establishes what encryption type to use for pre-authentication from the KRBError returned from the KDC.
|
||||||
|
func preAuthEType(krberr *messages.KRBError) (etype etype.EType, err error) {
|
||||||
|
//RFC 4120 5.2.7.5 covers the preference order of ETYPE-INFO2 and ETYPE-INFO.
|
||||||
|
var etypeID int32
|
||||||
|
var pas types.PADataSequence
|
||||||
|
e := pas.Unmarshal(krberr.EData)
|
||||||
|
if e != nil {
|
||||||
|
err = krberror.Errorf(e, krberror.EncodingError, "error unmashalling KRBError data")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
Loop:
|
||||||
|
for _, pa := range pas {
|
||||||
|
switch pa.PADataType {
|
||||||
|
case patype.PA_ETYPE_INFO2:
|
||||||
|
info, e := pa.GetETypeInfo2()
|
||||||
|
if e != nil {
|
||||||
|
err = krberror.Errorf(e, krberror.EncodingError, "error unmashalling ETYPE-INFO2 data")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
etypeID = info[0].EType
|
||||||
|
break Loop
|
||||||
|
case patype.PA_ETYPE_INFO:
|
||||||
|
info, e := pa.GetETypeInfo()
|
||||||
|
if e != nil {
|
||||||
|
err = krberror.Errorf(e, krberror.EncodingError, "error unmashalling ETYPE-INFO data")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
etypeID = info[0].EType
|
||||||
|
}
|
||||||
|
}
|
||||||
|
etype, e = crypto.GetEtype(etypeID)
|
||||||
|
if e != nil {
|
||||||
|
err = krberror.Errorf(e, krberror.EncryptingError, "error creating etype")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return etype, nil
|
||||||
|
}
|
103
vendor/github.com/jcmturner/gokrb5/v8/client/TGSExchange.go
generated
vendored
Normal file
103
vendor/github.com/jcmturner/gokrb5/v8/client/TGSExchange.go
generated
vendored
Normal file
@ -0,0 +1,103 @@
|
|||||||
|
package client
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/flags"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/nametype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/krberror"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TGSREQGenerateAndExchange generates the TGS_REQ and performs a TGS exchange to retrieve a ticket to the specified SPN.
|
||||||
|
func (cl *Client) TGSREQGenerateAndExchange(spn types.PrincipalName, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, renewal bool) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error) {
|
||||||
|
tgsReq, err = messages.NewTGSReq(cl.Credentials.CName(), kdcRealm, cl.Config, tgt, sessionKey, spn, renewal)
|
||||||
|
if err != nil {
|
||||||
|
return tgsReq, tgsRep, krberror.Errorf(err, krberror.KRBMsgError, "TGS Exchange Error: failed to generate a new TGS_REQ")
|
||||||
|
}
|
||||||
|
return cl.TGSExchange(tgsReq, kdcRealm, tgsRep.Ticket, sessionKey, 0)
|
||||||
|
}
|
||||||
|
|
||||||
|
// TGSExchange exchanges the provided TGS_REQ with the KDC to retrieve a TGS_REP.
|
||||||
|
// Referrals are automatically handled.
|
||||||
|
// The client's cache is updated with the ticket received.
|
||||||
|
func (cl *Client) TGSExchange(tgsReq messages.TGSReq, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, referral int) (messages.TGSReq, messages.TGSRep, error) {
|
||||||
|
var tgsRep messages.TGSRep
|
||||||
|
b, err := tgsReq.Marshal()
|
||||||
|
if err != nil {
|
||||||
|
return tgsReq, tgsRep, krberror.Errorf(err, krberror.EncodingError, "TGS Exchange Error: failed to marshal TGS_REQ")
|
||||||
|
}
|
||||||
|
r, err := cl.sendToKDC(b, kdcRealm)
|
||||||
|
if err != nil {
|
||||||
|
if _, ok := err.(messages.KRBError); ok {
|
||||||
|
return tgsReq, tgsRep, krberror.Errorf(err, krberror.KDCError, "TGS Exchange Error: kerberos error response from KDC when requesting for %s", tgsReq.ReqBody.SName.PrincipalNameString())
|
||||||
|
}
|
||||||
|
return tgsReq, tgsRep, krberror.Errorf(err, krberror.NetworkingError, "TGS Exchange Error: issue sending TGS_REQ to KDC")
|
||||||
|
}
|
||||||
|
err = tgsRep.Unmarshal(r)
|
||||||
|
if err != nil {
|
||||||
|
return tgsReq, tgsRep, krberror.Errorf(err, krberror.EncodingError, "TGS Exchange Error: failed to process the TGS_REP")
|
||||||
|
}
|
||||||
|
err = tgsRep.DecryptEncPart(sessionKey)
|
||||||
|
if err != nil {
|
||||||
|
return tgsReq, tgsRep, krberror.Errorf(err, krberror.EncodingError, "TGS Exchange Error: failed to process the TGS_REP")
|
||||||
|
}
|
||||||
|
if ok, err := tgsRep.Verify(cl.Config, tgsReq); !ok {
|
||||||
|
return tgsReq, tgsRep, krberror.Errorf(err, krberror.EncodingError, "TGS Exchange Error: TGS_REP is not valid")
|
||||||
|
}
|
||||||
|
|
||||||
|
if tgsRep.Ticket.SName.NameString[0] == "krbtgt" && !tgsRep.Ticket.SName.Equal(tgsReq.ReqBody.SName) {
|
||||||
|
if referral > 5 {
|
||||||
|
return tgsReq, tgsRep, krberror.Errorf(err, krberror.KRBMsgError, "TGS Exchange Error: maximum number of referrals exceeded")
|
||||||
|
}
|
||||||
|
// Server referral https://tools.ietf.org/html/rfc6806.html#section-8
|
||||||
|
// The TGS Rep contains a TGT for another domain as the service resides in that domain.
|
||||||
|
cl.addSession(tgsRep.Ticket, tgsRep.DecryptedEncPart)
|
||||||
|
realm := tgsRep.Ticket.SName.NameString[len(tgsRep.Ticket.SName.NameString)-1]
|
||||||
|
referral++
|
||||||
|
if types.IsFlagSet(&tgsReq.ReqBody.KDCOptions, flags.EncTktInSkey) && len(tgsReq.ReqBody.AdditionalTickets) > 0 {
|
||||||
|
tgsReq, err = messages.NewUser2UserTGSReq(cl.Credentials.CName(), kdcRealm, cl.Config, tgt, sessionKey, tgsReq.ReqBody.SName, tgsReq.Renewal, tgsReq.ReqBody.AdditionalTickets[0])
|
||||||
|
if err != nil {
|
||||||
|
return tgsReq, tgsRep, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
tgsReq, err = messages.NewTGSReq(cl.Credentials.CName(), realm, cl.Config, tgsRep.Ticket, tgsRep.DecryptedEncPart.Key, tgsReq.ReqBody.SName, tgsReq.Renewal)
|
||||||
|
if err != nil {
|
||||||
|
return tgsReq, tgsRep, err
|
||||||
|
}
|
||||||
|
return cl.TGSExchange(tgsReq, realm, tgsRep.Ticket, tgsRep.DecryptedEncPart.Key, referral)
|
||||||
|
}
|
||||||
|
cl.cache.addEntry(
|
||||||
|
tgsRep.Ticket,
|
||||||
|
tgsRep.DecryptedEncPart.AuthTime,
|
||||||
|
tgsRep.DecryptedEncPart.StartTime,
|
||||||
|
tgsRep.DecryptedEncPart.EndTime,
|
||||||
|
tgsRep.DecryptedEncPart.RenewTill,
|
||||||
|
tgsRep.DecryptedEncPart.Key,
|
||||||
|
)
|
||||||
|
cl.Log("ticket added to cache for %s (EndTime: %v)", tgsRep.Ticket.SName.PrincipalNameString(), tgsRep.DecryptedEncPart.EndTime)
|
||||||
|
return tgsReq, tgsRep, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetServiceTicket makes a request to get a service ticket for the SPN specified
|
||||||
|
// SPN format: <SERVICE>/<FQDN> Eg. HTTP/www.example.com
|
||||||
|
// The ticket will be added to the client's ticket cache
|
||||||
|
func (cl *Client) GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error) {
|
||||||
|
var tkt messages.Ticket
|
||||||
|
var skey types.EncryptionKey
|
||||||
|
if tkt, skey, ok := cl.GetCachedTicket(spn); ok {
|
||||||
|
// Already a valid ticket in the cache
|
||||||
|
return tkt, skey, nil
|
||||||
|
}
|
||||||
|
princ := types.NewPrincipalName(nametype.KRB_NT_PRINCIPAL, spn)
|
||||||
|
realm := cl.Config.ResolveRealm(princ.NameString[len(princ.NameString)-1])
|
||||||
|
|
||||||
|
tgt, skey, err := cl.sessionTGT(realm)
|
||||||
|
if err != nil {
|
||||||
|
return tkt, skey, err
|
||||||
|
}
|
||||||
|
_, tgsRep, err := cl.TGSREQGenerateAndExchange(princ, realm, tgt, skey, false)
|
||||||
|
if err != nil {
|
||||||
|
return tkt, skey, err
|
||||||
|
}
|
||||||
|
return tgsRep.Ticket, tgsRep.DecryptedEncPart.Key, nil
|
||||||
|
}
|
134
vendor/github.com/jcmturner/gokrb5/v8/client/cache.go
generated
vendored
Normal file
134
vendor/github.com/jcmturner/gokrb5/v8/client/cache.go
generated
vendored
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
package client
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
|
"sort"
|
||||||
|
"sync"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Cache for service tickets held by the client.
|
||||||
|
type Cache struct {
|
||||||
|
Entries map[string]CacheEntry
|
||||||
|
mux sync.RWMutex
|
||||||
|
}
|
||||||
|
|
||||||
|
// CacheEntry holds details for a cache entry.
|
||||||
|
type CacheEntry struct {
|
||||||
|
SPN string
|
||||||
|
Ticket messages.Ticket `json:"-"`
|
||||||
|
AuthTime time.Time
|
||||||
|
StartTime time.Time
|
||||||
|
EndTime time.Time
|
||||||
|
RenewTill time.Time
|
||||||
|
SessionKey types.EncryptionKey `json:"-"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewCache creates a new client ticket cache instance.
|
||||||
|
func NewCache() *Cache {
|
||||||
|
return &Cache{
|
||||||
|
Entries: map[string]CacheEntry{},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// getEntry returns a cache entry that matches the SPN.
|
||||||
|
func (c *Cache) getEntry(spn string) (CacheEntry, bool) {
|
||||||
|
c.mux.RLock()
|
||||||
|
defer c.mux.RUnlock()
|
||||||
|
e, ok := (*c).Entries[spn]
|
||||||
|
return e, ok
|
||||||
|
}
|
||||||
|
|
||||||
|
// JSON returns information about the cached service tickets in a JSON format.
|
||||||
|
func (c *Cache) JSON() (string, error) {
|
||||||
|
c.mux.RLock()
|
||||||
|
defer c.mux.RUnlock()
|
||||||
|
var es []CacheEntry
|
||||||
|
keys := make([]string, 0, len(c.Entries))
|
||||||
|
for k := range c.Entries {
|
||||||
|
keys = append(keys, k)
|
||||||
|
}
|
||||||
|
sort.Strings(keys)
|
||||||
|
for _, k := range keys {
|
||||||
|
es = append(es, c.Entries[k])
|
||||||
|
}
|
||||||
|
b, err := json.MarshalIndent(&es, "", " ")
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return string(b), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// addEntry adds a ticket to the cache.
|
||||||
|
func (c *Cache) addEntry(tkt messages.Ticket, authTime, startTime, endTime, renewTill time.Time, sessionKey types.EncryptionKey) CacheEntry {
|
||||||
|
spn := tkt.SName.PrincipalNameString()
|
||||||
|
c.mux.Lock()
|
||||||
|
defer c.mux.Unlock()
|
||||||
|
(*c).Entries[spn] = CacheEntry{
|
||||||
|
SPN: spn,
|
||||||
|
Ticket: tkt,
|
||||||
|
AuthTime: authTime,
|
||||||
|
StartTime: startTime,
|
||||||
|
EndTime: endTime,
|
||||||
|
RenewTill: renewTill,
|
||||||
|
SessionKey: sessionKey,
|
||||||
|
}
|
||||||
|
return c.Entries[spn]
|
||||||
|
}
|
||||||
|
|
||||||
|
// clear deletes all the cache entries
|
||||||
|
func (c *Cache) clear() {
|
||||||
|
c.mux.Lock()
|
||||||
|
defer c.mux.Unlock()
|
||||||
|
for k := range c.Entries {
|
||||||
|
delete(c.Entries, k)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// RemoveEntry removes the cache entry for the defined SPN.
|
||||||
|
func (c *Cache) RemoveEntry(spn string) {
|
||||||
|
c.mux.Lock()
|
||||||
|
defer c.mux.Unlock()
|
||||||
|
delete(c.Entries, spn)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetCachedTicket returns a ticket from the cache for the SPN.
|
||||||
|
// Only a ticket that is currently valid will be returned.
|
||||||
|
func (cl *Client) GetCachedTicket(spn string) (messages.Ticket, types.EncryptionKey, bool) {
|
||||||
|
if e, ok := cl.cache.getEntry(spn); ok {
|
||||||
|
//If within time window of ticket return it
|
||||||
|
if time.Now().UTC().After(e.StartTime) && time.Now().UTC().Before(e.EndTime) {
|
||||||
|
cl.Log("ticket received from cache for %s", spn)
|
||||||
|
return e.Ticket, e.SessionKey, true
|
||||||
|
} else if time.Now().UTC().Before(e.RenewTill) {
|
||||||
|
e, err := cl.renewTicket(e)
|
||||||
|
if err != nil {
|
||||||
|
return e.Ticket, e.SessionKey, false
|
||||||
|
}
|
||||||
|
return e.Ticket, e.SessionKey, true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
var tkt messages.Ticket
|
||||||
|
var key types.EncryptionKey
|
||||||
|
return tkt, key, false
|
||||||
|
}
|
||||||
|
|
||||||
|
// renewTicket renews a cache entry ticket.
|
||||||
|
// To renew from outside the client package use GetCachedTicket
|
||||||
|
func (cl *Client) renewTicket(e CacheEntry) (CacheEntry, error) {
|
||||||
|
spn := e.Ticket.SName
|
||||||
|
_, _, err := cl.TGSREQGenerateAndExchange(spn, e.Ticket.Realm, e.Ticket, e.SessionKey, true)
|
||||||
|
if err != nil {
|
||||||
|
return e, err
|
||||||
|
}
|
||||||
|
e, ok := cl.cache.getEntry(e.Ticket.SName.PrincipalNameString())
|
||||||
|
if !ok {
|
||||||
|
return e, errors.New("ticket was not added to cache")
|
||||||
|
}
|
||||||
|
cl.Log("ticket renewed for %s (EndTime: %v)", spn.PrincipalNameString(), e.EndTime)
|
||||||
|
return e, nil
|
||||||
|
}
|
329
vendor/github.com/jcmturner/gokrb5/v8/client/client.go
generated
vendored
Normal file
329
vendor/github.com/jcmturner/gokrb5/v8/client/client.go
generated
vendored
Normal file
@ -0,0 +1,329 @@
|
|||||||
|
// Package client provides a client library and methods for Kerberos 5 authentication.
|
||||||
|
package client
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/config"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/credentials"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/errorcode"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/nametype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/keytab"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/krberror"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Client side configuration and state.
|
||||||
|
type Client struct {
|
||||||
|
Credentials *credentials.Credentials
|
||||||
|
Config *config.Config
|
||||||
|
settings *Settings
|
||||||
|
sessions *sessions
|
||||||
|
cache *Cache
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewWithPassword creates a new client from a password credential.
|
||||||
|
// Set the realm to empty string to use the default realm from config.
|
||||||
|
func NewWithPassword(username, realm, password string, krb5conf *config.Config, settings ...func(*Settings)) *Client {
|
||||||
|
creds := credentials.New(username, realm)
|
||||||
|
return &Client{
|
||||||
|
Credentials: creds.WithPassword(password),
|
||||||
|
Config: krb5conf,
|
||||||
|
settings: NewSettings(settings...),
|
||||||
|
sessions: &sessions{
|
||||||
|
Entries: make(map[string]*session),
|
||||||
|
},
|
||||||
|
cache: NewCache(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewWithKeytab creates a new client from a keytab credential.
|
||||||
|
func NewWithKeytab(username, realm string, kt *keytab.Keytab, krb5conf *config.Config, settings ...func(*Settings)) *Client {
|
||||||
|
creds := credentials.New(username, realm)
|
||||||
|
return &Client{
|
||||||
|
Credentials: creds.WithKeytab(kt),
|
||||||
|
Config: krb5conf,
|
||||||
|
settings: NewSettings(settings...),
|
||||||
|
sessions: &sessions{
|
||||||
|
Entries: make(map[string]*session),
|
||||||
|
},
|
||||||
|
cache: NewCache(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewFromCCache create a client from a populated client cache.
|
||||||
|
//
|
||||||
|
// WARNING: A client created from CCache does not automatically renew TGTs and a failure will occur after the TGT expires.
|
||||||
|
func NewFromCCache(c *credentials.CCache, krb5conf *config.Config, settings ...func(*Settings)) (*Client, error) {
|
||||||
|
cl := &Client{
|
||||||
|
Credentials: c.GetClientCredentials(),
|
||||||
|
Config: krb5conf,
|
||||||
|
settings: NewSettings(settings...),
|
||||||
|
sessions: &sessions{
|
||||||
|
Entries: make(map[string]*session),
|
||||||
|
},
|
||||||
|
cache: NewCache(),
|
||||||
|
}
|
||||||
|
spn := types.PrincipalName{
|
||||||
|
NameType: nametype.KRB_NT_SRV_INST,
|
||||||
|
NameString: []string{"krbtgt", c.DefaultPrincipal.Realm},
|
||||||
|
}
|
||||||
|
cred, ok := c.GetEntry(spn)
|
||||||
|
if !ok {
|
||||||
|
return cl, errors.New("TGT not found in CCache")
|
||||||
|
}
|
||||||
|
var tgt messages.Ticket
|
||||||
|
err := tgt.Unmarshal(cred.Ticket)
|
||||||
|
if err != nil {
|
||||||
|
return cl, fmt.Errorf("TGT bytes in cache are not valid: %v", err)
|
||||||
|
}
|
||||||
|
cl.sessions.Entries[c.DefaultPrincipal.Realm] = &session{
|
||||||
|
realm: c.DefaultPrincipal.Realm,
|
||||||
|
authTime: cred.AuthTime,
|
||||||
|
endTime: cred.EndTime,
|
||||||
|
renewTill: cred.RenewTill,
|
||||||
|
tgt: tgt,
|
||||||
|
sessionKey: cred.Key,
|
||||||
|
}
|
||||||
|
for _, cred := range c.GetEntries() {
|
||||||
|
var tkt messages.Ticket
|
||||||
|
err = tkt.Unmarshal(cred.Ticket)
|
||||||
|
if err != nil {
|
||||||
|
return cl, fmt.Errorf("cache entry ticket bytes are not valid: %v", err)
|
||||||
|
}
|
||||||
|
cl.cache.addEntry(
|
||||||
|
tkt,
|
||||||
|
cred.AuthTime,
|
||||||
|
cred.StartTime,
|
||||||
|
cred.EndTime,
|
||||||
|
cred.RenewTill,
|
||||||
|
cred.Key,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
return cl, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Key returns the client's encryption key for the specified encryption type and its kvno (kvno of zero will find latest).
|
||||||
|
// The key can be retrieved either from the keytab or generated from the client's password.
|
||||||
|
// If the client has both a keytab and a password defined the keytab is favoured as the source for the key
|
||||||
|
// A KRBError can be passed in the event the KDC returns one of type KDC_ERR_PREAUTH_REQUIRED and is required to derive
|
||||||
|
// the key for pre-authentication from the client's password. If a KRBError is not available, pass nil to this argument.
|
||||||
|
func (cl *Client) Key(etype etype.EType, kvno int, krberr *messages.KRBError) (types.EncryptionKey, int, error) {
|
||||||
|
if cl.Credentials.HasKeytab() && etype != nil {
|
||||||
|
return cl.Credentials.Keytab().GetEncryptionKey(cl.Credentials.CName(), cl.Credentials.Domain(), kvno, etype.GetETypeID())
|
||||||
|
} else if cl.Credentials.HasPassword() {
|
||||||
|
if krberr != nil && krberr.ErrorCode == errorcode.KDC_ERR_PREAUTH_REQUIRED {
|
||||||
|
var pas types.PADataSequence
|
||||||
|
err := pas.Unmarshal(krberr.EData)
|
||||||
|
if err != nil {
|
||||||
|
return types.EncryptionKey{}, 0, fmt.Errorf("could not get PAData from KRBError to generate key from password: %v", err)
|
||||||
|
}
|
||||||
|
key, _, err := crypto.GetKeyFromPassword(cl.Credentials.Password(), krberr.CName, krberr.CRealm, etype.GetETypeID(), pas)
|
||||||
|
return key, 0, err
|
||||||
|
}
|
||||||
|
key, _, err := crypto.GetKeyFromPassword(cl.Credentials.Password(), cl.Credentials.CName(), cl.Credentials.Domain(), etype.GetETypeID(), types.PADataSequence{})
|
||||||
|
return key, 0, err
|
||||||
|
}
|
||||||
|
return types.EncryptionKey{}, 0, errors.New("credential has neither keytab or password to generate key")
|
||||||
|
}
|
||||||
|
|
||||||
|
// IsConfigured indicates if the client has the values required set.
|
||||||
|
func (cl *Client) IsConfigured() (bool, error) {
|
||||||
|
if cl.Credentials.UserName() == "" {
|
||||||
|
return false, errors.New("client does not have a username")
|
||||||
|
}
|
||||||
|
if cl.Credentials.Domain() == "" {
|
||||||
|
return false, errors.New("client does not have a define realm")
|
||||||
|
}
|
||||||
|
// Client needs to have either a password, keytab or a session already (later when loading from CCache)
|
||||||
|
if !cl.Credentials.HasPassword() && !cl.Credentials.HasKeytab() {
|
||||||
|
authTime, _, _, _, err := cl.sessionTimes(cl.Credentials.Domain())
|
||||||
|
if err != nil || authTime.IsZero() {
|
||||||
|
return false, errors.New("client has neither a keytab nor a password set and no session")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !cl.Config.LibDefaults.DNSLookupKDC {
|
||||||
|
for _, r := range cl.Config.Realms {
|
||||||
|
if r.Realm == cl.Credentials.Domain() {
|
||||||
|
if len(r.KDC) > 0 {
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
return false, errors.New("client krb5 config does not have any defined KDCs for the default realm")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Login the client with the KDC via an AS exchange.
|
||||||
|
func (cl *Client) Login() error {
|
||||||
|
if ok, err := cl.IsConfigured(); !ok {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if !cl.Credentials.HasPassword() && !cl.Credentials.HasKeytab() {
|
||||||
|
_, endTime, _, _, err := cl.sessionTimes(cl.Credentials.Domain())
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.KRBMsgError, "no user credentials available and error getting any existing session")
|
||||||
|
}
|
||||||
|
if time.Now().UTC().After(endTime) {
|
||||||
|
return krberror.New(krberror.KRBMsgError, "cannot login, no user credentials available and no valid existing session")
|
||||||
|
}
|
||||||
|
// no credentials but there is a session with tgt already
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
ASReq, err := messages.NewASReqForTGT(cl.Credentials.Domain(), cl.Config, cl.Credentials.CName())
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.KRBMsgError, "error generating new AS_REQ")
|
||||||
|
}
|
||||||
|
ASRep, err := cl.ASExchange(cl.Credentials.Domain(), ASReq, 0)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
cl.addSession(ASRep.Ticket, ASRep.DecryptedEncPart)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// AffirmLogin will only perform an AS exchange with the KDC if the client does not already have a TGT.
|
||||||
|
func (cl *Client) AffirmLogin() error {
|
||||||
|
_, endTime, _, _, err := cl.sessionTimes(cl.Credentials.Domain())
|
||||||
|
if err != nil || time.Now().UTC().After(endTime) {
|
||||||
|
err := cl.Login()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("could not get valid TGT for client's realm: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// realmLogin obtains or renews a TGT and establishes a session for the realm specified.
|
||||||
|
func (cl *Client) realmLogin(realm string) error {
|
||||||
|
if realm == cl.Credentials.Domain() {
|
||||||
|
return cl.Login()
|
||||||
|
}
|
||||||
|
_, endTime, _, _, err := cl.sessionTimes(cl.Credentials.Domain())
|
||||||
|
if err != nil || time.Now().UTC().After(endTime) {
|
||||||
|
err := cl.Login()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("could not get valid TGT for client's realm: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
tgt, skey, err := cl.sessionTGT(cl.Credentials.Domain())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
spn := types.PrincipalName{
|
||||||
|
NameType: nametype.KRB_NT_SRV_INST,
|
||||||
|
NameString: []string{"krbtgt", realm},
|
||||||
|
}
|
||||||
|
|
||||||
|
_, tgsRep, err := cl.TGSREQGenerateAndExchange(spn, cl.Credentials.Domain(), tgt, skey, false)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
cl.addSession(tgsRep.Ticket, tgsRep.DecryptedEncPart)
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Destroy stops the auto-renewal of all sessions and removes the sessions and cache entries from the client.
|
||||||
|
func (cl *Client) Destroy() {
|
||||||
|
creds := credentials.New("", "")
|
||||||
|
cl.sessions.destroy()
|
||||||
|
cl.cache.clear()
|
||||||
|
cl.Credentials = creds
|
||||||
|
cl.Log("client destroyed")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Diagnostics runs a set of checks that the client is properly configured and writes details to the io.Writer provided.
|
||||||
|
func (cl *Client) Diagnostics(w io.Writer) error {
|
||||||
|
cl.Print(w)
|
||||||
|
var errs []string
|
||||||
|
if cl.Credentials.HasKeytab() {
|
||||||
|
var loginRealmEncTypes []int32
|
||||||
|
for _, e := range cl.Credentials.Keytab().Entries {
|
||||||
|
if e.Principal.Realm == cl.Credentials.Realm() {
|
||||||
|
loginRealmEncTypes = append(loginRealmEncTypes, e.Key.KeyType)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, et := range cl.Config.LibDefaults.DefaultTktEnctypeIDs {
|
||||||
|
var etInKt bool
|
||||||
|
for _, val := range loginRealmEncTypes {
|
||||||
|
if val == et {
|
||||||
|
etInKt = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !etInKt {
|
||||||
|
errs = append(errs, fmt.Sprintf("default_tkt_enctypes specifies %d but this enctype is not available in the client's keytab", et))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, et := range cl.Config.LibDefaults.PreferredPreauthTypes {
|
||||||
|
var etInKt bool
|
||||||
|
for _, val := range loginRealmEncTypes {
|
||||||
|
if int(val) == et {
|
||||||
|
etInKt = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !etInKt {
|
||||||
|
errs = append(errs, fmt.Sprintf("preferred_preauth_types specifies %d but this enctype is not available in the client's keytab", et))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
udpCnt, udpKDC, err := cl.Config.GetKDCs(cl.Credentials.Realm(), false)
|
||||||
|
if err != nil {
|
||||||
|
errs = append(errs, fmt.Sprintf("error when resolving KDCs for UDP communication: %v", err))
|
||||||
|
}
|
||||||
|
if udpCnt < 1 {
|
||||||
|
errs = append(errs, "no KDCs resolved for communication via UDP.")
|
||||||
|
} else {
|
||||||
|
b, _ := json.MarshalIndent(&udpKDC, "", " ")
|
||||||
|
fmt.Fprintf(w, "UDP KDCs: %s\n", string(b))
|
||||||
|
}
|
||||||
|
tcpCnt, tcpKDC, err := cl.Config.GetKDCs(cl.Credentials.Realm(), false)
|
||||||
|
if err != nil {
|
||||||
|
errs = append(errs, fmt.Sprintf("error when resolving KDCs for TCP communication: %v", err))
|
||||||
|
}
|
||||||
|
if tcpCnt < 1 {
|
||||||
|
errs = append(errs, "no KDCs resolved for communication via TCP.")
|
||||||
|
} else {
|
||||||
|
b, _ := json.MarshalIndent(&tcpKDC, "", " ")
|
||||||
|
fmt.Fprintf(w, "TCP KDCs: %s\n", string(b))
|
||||||
|
}
|
||||||
|
|
||||||
|
if errs == nil || len(errs) < 1 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
err = fmt.Errorf(strings.Join(errs, "\n"))
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Print writes the details of the client to the io.Writer provided.
|
||||||
|
func (cl *Client) Print(w io.Writer) {
|
||||||
|
c, _ := cl.Credentials.JSON()
|
||||||
|
fmt.Fprintf(w, "Credentials:\n%s\n", c)
|
||||||
|
|
||||||
|
s, _ := cl.sessions.JSON()
|
||||||
|
fmt.Fprintf(w, "TGT Sessions:\n%s\n", s)
|
||||||
|
|
||||||
|
c, _ = cl.cache.JSON()
|
||||||
|
fmt.Fprintf(w, "Service ticket cache:\n%s\n", c)
|
||||||
|
|
||||||
|
s, _ = cl.settings.JSON()
|
||||||
|
fmt.Fprintf(w, "Settings:\n%s\n", s)
|
||||||
|
|
||||||
|
j, _ := cl.Config.JSON()
|
||||||
|
fmt.Fprintf(w, "Krb5 config:\n%s\n", j)
|
||||||
|
|
||||||
|
k, _ := cl.Credentials.Keytab().JSON()
|
||||||
|
fmt.Fprintf(w, "Keytab:\n%s\n", k)
|
||||||
|
}
|
213
vendor/github.com/jcmturner/gokrb5/v8/client/network.go
generated
vendored
Normal file
213
vendor/github.com/jcmturner/gokrb5/v8/client/network.go
generated
vendored
Normal file
@ -0,0 +1,213 @@
|
|||||||
|
package client
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/errorcode"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SendToKDC performs network actions to send data to the KDC.
|
||||||
|
func (cl *Client) sendToKDC(b []byte, realm string) ([]byte, error) {
|
||||||
|
var rb []byte
|
||||||
|
if cl.Config.LibDefaults.UDPPreferenceLimit == 1 {
|
||||||
|
//1 means we should always use TCP
|
||||||
|
rb, errtcp := cl.sendKDCTCP(realm, b)
|
||||||
|
if errtcp != nil {
|
||||||
|
if e, ok := errtcp.(messages.KRBError); ok {
|
||||||
|
return rb, e
|
||||||
|
}
|
||||||
|
return rb, fmt.Errorf("communication error with KDC via TCP: %v", errtcp)
|
||||||
|
}
|
||||||
|
return rb, nil
|
||||||
|
}
|
||||||
|
if len(b) <= cl.Config.LibDefaults.UDPPreferenceLimit {
|
||||||
|
//Try UDP first, TCP second
|
||||||
|
rb, errudp := cl.sendKDCUDP(realm, b)
|
||||||
|
if errudp != nil {
|
||||||
|
if e, ok := errudp.(messages.KRBError); ok && e.ErrorCode != errorcode.KRB_ERR_RESPONSE_TOO_BIG {
|
||||||
|
// Got a KRBError from KDC
|
||||||
|
// If this is not a KRB_ERR_RESPONSE_TOO_BIG we will return immediately otherwise will try TCP.
|
||||||
|
return rb, e
|
||||||
|
}
|
||||||
|
// Try TCP
|
||||||
|
r, errtcp := cl.sendKDCTCP(realm, b)
|
||||||
|
if errtcp != nil {
|
||||||
|
if e, ok := errtcp.(messages.KRBError); ok {
|
||||||
|
// Got a KRBError
|
||||||
|
return r, e
|
||||||
|
}
|
||||||
|
return r, fmt.Errorf("failed to communicate with KDC. Attempts made with UDP (%v) and then TCP (%v)", errudp, errtcp)
|
||||||
|
}
|
||||||
|
rb = r
|
||||||
|
}
|
||||||
|
return rb, nil
|
||||||
|
}
|
||||||
|
//Try TCP first, UDP second
|
||||||
|
rb, errtcp := cl.sendKDCTCP(realm, b)
|
||||||
|
if errtcp != nil {
|
||||||
|
if e, ok := errtcp.(messages.KRBError); ok {
|
||||||
|
// Got a KRBError from KDC so returning and not trying UDP.
|
||||||
|
return rb, e
|
||||||
|
}
|
||||||
|
rb, errudp := cl.sendKDCUDP(realm, b)
|
||||||
|
if errudp != nil {
|
||||||
|
if e, ok := errudp.(messages.KRBError); ok {
|
||||||
|
// Got a KRBError
|
||||||
|
return rb, e
|
||||||
|
}
|
||||||
|
return rb, fmt.Errorf("failed to communicate with KDC. Attempts made with TCP (%v) and then UDP (%v)", errtcp, errudp)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return rb, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// dialKDCTCP establishes a UDP connection to a KDC.
|
||||||
|
func dialKDCUDP(count int, kdcs map[int]string) (*net.UDPConn, error) {
|
||||||
|
i := 1
|
||||||
|
for i <= count {
|
||||||
|
udpAddr, err := net.ResolveUDPAddr("udp", kdcs[i])
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error resolving KDC address: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
conn, err := net.DialTimeout("udp", udpAddr.String(), 5*time.Second)
|
||||||
|
if err == nil {
|
||||||
|
if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
// conn is guaranteed to be a UDPConn
|
||||||
|
return conn.(*net.UDPConn), nil
|
||||||
|
}
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
return nil, errors.New("error in getting a UDP connection to any of the KDCs")
|
||||||
|
}
|
||||||
|
|
||||||
|
// dialKDCTCP establishes a TCP connection to a KDC.
|
||||||
|
func dialKDCTCP(count int, kdcs map[int]string) (*net.TCPConn, error) {
|
||||||
|
i := 1
|
||||||
|
for i <= count {
|
||||||
|
tcpAddr, err := net.ResolveTCPAddr("tcp", kdcs[i])
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error resolving KDC address: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
conn, err := net.DialTimeout("tcp", tcpAddr.String(), 5*time.Second)
|
||||||
|
if err == nil {
|
||||||
|
if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
// conn is guaranteed to be a TCPConn
|
||||||
|
return conn.(*net.TCPConn), nil
|
||||||
|
}
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
return nil, errors.New("error in getting a TCP connection to any of the KDCs")
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendKDCUDP sends bytes to the KDC via UDP.
|
||||||
|
func (cl *Client) sendKDCUDP(realm string, b []byte) ([]byte, error) {
|
||||||
|
var r []byte
|
||||||
|
count, kdcs, err := cl.Config.GetKDCs(realm, false)
|
||||||
|
if err != nil {
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
conn, err := dialKDCUDP(count, kdcs)
|
||||||
|
if err != nil {
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
r, err = cl.sendUDP(conn, b)
|
||||||
|
if err != nil {
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
return checkForKRBError(r)
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendKDCTCP sends bytes to the KDC via TCP.
|
||||||
|
func (cl *Client) sendKDCTCP(realm string, b []byte) ([]byte, error) {
|
||||||
|
var r []byte
|
||||||
|
count, kdcs, err := cl.Config.GetKDCs(realm, true)
|
||||||
|
if err != nil {
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
conn, err := dialKDCTCP(count, kdcs)
|
||||||
|
if err != nil {
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
rb, err := cl.sendTCP(conn, b)
|
||||||
|
if err != nil {
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
return checkForKRBError(rb)
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendUDP sends bytes to connection over UDP.
|
||||||
|
func (cl *Client) sendUDP(conn *net.UDPConn, b []byte) ([]byte, error) {
|
||||||
|
var r []byte
|
||||||
|
defer conn.Close()
|
||||||
|
_, err := conn.Write(b)
|
||||||
|
if err != nil {
|
||||||
|
return r, fmt.Errorf("error sending to (%s): %v", conn.RemoteAddr().String(), err)
|
||||||
|
}
|
||||||
|
udpbuf := make([]byte, 4096)
|
||||||
|
n, _, err := conn.ReadFrom(udpbuf)
|
||||||
|
r = udpbuf[:n]
|
||||||
|
if err != nil {
|
||||||
|
return r, fmt.Errorf("sending over UDP failed to %s: %v", conn.RemoteAddr().String(), err)
|
||||||
|
}
|
||||||
|
if len(r) < 1 {
|
||||||
|
return r, fmt.Errorf("no response data from %s", conn.RemoteAddr().String())
|
||||||
|
}
|
||||||
|
return r, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// sendTCP sends bytes to connection over TCP.
|
||||||
|
func (cl *Client) sendTCP(conn *net.TCPConn, b []byte) ([]byte, error) {
|
||||||
|
defer conn.Close()
|
||||||
|
var r []byte
|
||||||
|
// RFC 4120 7.2.2 specifies the first 4 bytes indicate the length of the message in big endian order.
|
||||||
|
var buf bytes.Buffer
|
||||||
|
err := binary.Write(&buf, binary.BigEndian, uint32(len(b)))
|
||||||
|
if err != nil {
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
b = append(buf.Bytes(), b...)
|
||||||
|
|
||||||
|
_, err = conn.Write(b)
|
||||||
|
if err != nil {
|
||||||
|
return r, fmt.Errorf("error sending to KDC (%s): %v", conn.RemoteAddr().String(), err)
|
||||||
|
}
|
||||||
|
|
||||||
|
sh := make([]byte, 4, 4)
|
||||||
|
_, err = conn.Read(sh)
|
||||||
|
if err != nil {
|
||||||
|
return r, fmt.Errorf("error reading response size header: %v", err)
|
||||||
|
}
|
||||||
|
s := binary.BigEndian.Uint32(sh)
|
||||||
|
|
||||||
|
rb := make([]byte, s, s)
|
||||||
|
_, err = io.ReadFull(conn, rb)
|
||||||
|
if err != nil {
|
||||||
|
return r, fmt.Errorf("error reading response: %v", err)
|
||||||
|
}
|
||||||
|
if len(rb) < 1 {
|
||||||
|
return r, fmt.Errorf("no response data from KDC %s", conn.RemoteAddr().String())
|
||||||
|
}
|
||||||
|
return rb, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// checkForKRBError checks if the response bytes from the KDC are a KRBError.
|
||||||
|
func checkForKRBError(b []byte) ([]byte, error) {
|
||||||
|
var KRBErr messages.KRBError
|
||||||
|
if err := KRBErr.Unmarshal(b); err == nil {
|
||||||
|
return b, KRBErr
|
||||||
|
}
|
||||||
|
return b, nil
|
||||||
|
}
|
95
vendor/github.com/jcmturner/gokrb5/v8/client/passwd.go
generated
vendored
Normal file
95
vendor/github.com/jcmturner/gokrb5/v8/client/passwd.go
generated
vendored
Normal file
@ -0,0 +1,95 @@
|
|||||||
|
package client
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/kadmin"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Kpasswd server response codes.
|
||||||
|
const (
|
||||||
|
KRB5_KPASSWD_SUCCESS = 0
|
||||||
|
KRB5_KPASSWD_MALFORMED = 1
|
||||||
|
KRB5_KPASSWD_HARDERROR = 2
|
||||||
|
KRB5_KPASSWD_AUTHERROR = 3
|
||||||
|
KRB5_KPASSWD_SOFTERROR = 4
|
||||||
|
KRB5_KPASSWD_ACCESSDENIED = 5
|
||||||
|
KRB5_KPASSWD_BAD_VERSION = 6
|
||||||
|
KRB5_KPASSWD_INITIAL_FLAG_NEEDED = 7
|
||||||
|
)
|
||||||
|
|
||||||
|
// ChangePasswd changes the password of the client to the value provided.
|
||||||
|
func (cl *Client) ChangePasswd(newPasswd string) (bool, error) {
|
||||||
|
ASReq, err := messages.NewASReqForChgPasswd(cl.Credentials.Domain(), cl.Config, cl.Credentials.CName())
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
ASRep, err := cl.ASExchange(cl.Credentials.Domain(), ASReq, 0)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
msg, key, err := kadmin.ChangePasswdMsg(cl.Credentials.CName(), cl.Credentials.Domain(), newPasswd, ASRep.Ticket, ASRep.DecryptedEncPart.Key)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
r, err := cl.sendToKPasswd(msg)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
err = r.Decrypt(key)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if r.ResultCode != KRB5_KPASSWD_SUCCESS {
|
||||||
|
return false, fmt.Errorf("error response from kadmin: code: %d; result: %s; krberror: %v", r.ResultCode, r.Result, r.KRBError)
|
||||||
|
}
|
||||||
|
cl.Credentials.WithPassword(newPasswd)
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cl *Client) sendToKPasswd(msg kadmin.Request) (r kadmin.Reply, err error) {
|
||||||
|
_, kps, err := cl.Config.GetKpasswdServers(cl.Credentials.Domain(), true)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
addr := kps[1]
|
||||||
|
b, err := msg.Marshal()
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(b) <= cl.Config.LibDefaults.UDPPreferenceLimit {
|
||||||
|
return cl.sendKPasswdUDP(b, addr)
|
||||||
|
}
|
||||||
|
return cl.sendKPasswdTCP(b, addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cl *Client) sendKPasswdTCP(b []byte, kadmindAddr string) (r kadmin.Reply, err error) {
|
||||||
|
tcpAddr, err := net.ResolveTCPAddr("tcp", kadmindAddr)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
conn, err := net.DialTCP("tcp", nil, tcpAddr)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
rb, err := cl.sendTCP(conn, b)
|
||||||
|
err = r.Unmarshal(rb)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cl *Client) sendKPasswdUDP(b []byte, kadmindAddr string) (r kadmin.Reply, err error) {
|
||||||
|
udpAddr, err := net.ResolveUDPAddr("udp", kadmindAddr)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
conn, err := net.DialUDP("udp", nil, udpAddr)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
rb, err := cl.sendUDP(conn, b)
|
||||||
|
err = r.Unmarshal(rb)
|
||||||
|
return
|
||||||
|
}
|
295
vendor/github.com/jcmturner/gokrb5/v8/client/session.go
generated
vendored
Normal file
295
vendor/github.com/jcmturner/gokrb5/v8/client/session.go
generated
vendored
Normal file
@ -0,0 +1,295 @@
|
|||||||
|
package client
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"sort"
|
||||||
|
"strings"
|
||||||
|
"sync"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/nametype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/krberror"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// sessions hold TGTs and are keyed on the realm name
|
||||||
|
type sessions struct {
|
||||||
|
Entries map[string]*session
|
||||||
|
mux sync.RWMutex
|
||||||
|
}
|
||||||
|
|
||||||
|
// destroy erases all sessions
|
||||||
|
func (s *sessions) destroy() {
|
||||||
|
s.mux.Lock()
|
||||||
|
defer s.mux.Unlock()
|
||||||
|
for k, e := range s.Entries {
|
||||||
|
e.destroy()
|
||||||
|
delete(s.Entries, k)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// update replaces a session with the one provided or adds it as a new one
|
||||||
|
func (s *sessions) update(sess *session) {
|
||||||
|
s.mux.Lock()
|
||||||
|
defer s.mux.Unlock()
|
||||||
|
// if a session already exists for this, cancel its auto renew.
|
||||||
|
if i, ok := s.Entries[sess.realm]; ok {
|
||||||
|
if i != sess {
|
||||||
|
// Session in the sessions cache is not the same as one provided.
|
||||||
|
// Cancel the one in the cache and add this one.
|
||||||
|
i.mux.Lock()
|
||||||
|
defer i.mux.Unlock()
|
||||||
|
i.cancel <- true
|
||||||
|
s.Entries[sess.realm] = sess
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// No session for this realm was found so just add it
|
||||||
|
s.Entries[sess.realm] = sess
|
||||||
|
}
|
||||||
|
|
||||||
|
// get returns the session for the realm specified
|
||||||
|
func (s *sessions) get(realm string) (*session, bool) {
|
||||||
|
s.mux.RLock()
|
||||||
|
defer s.mux.RUnlock()
|
||||||
|
sess, ok := s.Entries[realm]
|
||||||
|
return sess, ok
|
||||||
|
}
|
||||||
|
|
||||||
|
// session holds the TGT details for a realm
|
||||||
|
type session struct {
|
||||||
|
realm string
|
||||||
|
authTime time.Time
|
||||||
|
endTime time.Time
|
||||||
|
renewTill time.Time
|
||||||
|
tgt messages.Ticket
|
||||||
|
sessionKey types.EncryptionKey
|
||||||
|
sessionKeyExpiration time.Time
|
||||||
|
cancel chan bool
|
||||||
|
mux sync.RWMutex
|
||||||
|
}
|
||||||
|
|
||||||
|
// jsonSession is used to enable marshaling some information of a session in a JSON format
|
||||||
|
type jsonSession struct {
|
||||||
|
Realm string
|
||||||
|
AuthTime time.Time
|
||||||
|
EndTime time.Time
|
||||||
|
RenewTill time.Time
|
||||||
|
SessionKeyExpiration time.Time
|
||||||
|
}
|
||||||
|
|
||||||
|
// AddSession adds a session for a realm with a TGT to the client's session cache.
|
||||||
|
// A goroutine is started to automatically renew the TGT before expiry.
|
||||||
|
func (cl *Client) addSession(tgt messages.Ticket, dep messages.EncKDCRepPart) {
|
||||||
|
if strings.ToLower(tgt.SName.NameString[0]) != "krbtgt" {
|
||||||
|
// Not a TGT
|
||||||
|
return
|
||||||
|
}
|
||||||
|
realm := tgt.SName.NameString[len(tgt.SName.NameString)-1]
|
||||||
|
s := &session{
|
||||||
|
realm: realm,
|
||||||
|
authTime: dep.AuthTime,
|
||||||
|
endTime: dep.EndTime,
|
||||||
|
renewTill: dep.RenewTill,
|
||||||
|
tgt: tgt,
|
||||||
|
sessionKey: dep.Key,
|
||||||
|
sessionKeyExpiration: dep.KeyExpiration,
|
||||||
|
}
|
||||||
|
cl.sessions.update(s)
|
||||||
|
cl.enableAutoSessionRenewal(s)
|
||||||
|
cl.Log("TGT session added for %s (EndTime: %v)", realm, dep.EndTime)
|
||||||
|
}
|
||||||
|
|
||||||
|
// update overwrites the session details with those from the TGT and decrypted encPart
|
||||||
|
func (s *session) update(tgt messages.Ticket, dep messages.EncKDCRepPart) {
|
||||||
|
s.mux.Lock()
|
||||||
|
defer s.mux.Unlock()
|
||||||
|
s.authTime = dep.AuthTime
|
||||||
|
s.endTime = dep.EndTime
|
||||||
|
s.renewTill = dep.RenewTill
|
||||||
|
s.tgt = tgt
|
||||||
|
s.sessionKey = dep.Key
|
||||||
|
s.sessionKeyExpiration = dep.KeyExpiration
|
||||||
|
}
|
||||||
|
|
||||||
|
// destroy will cancel any auto renewal of the session and set the expiration times to the current time
|
||||||
|
func (s *session) destroy() {
|
||||||
|
s.mux.Lock()
|
||||||
|
defer s.mux.Unlock()
|
||||||
|
if s.cancel != nil {
|
||||||
|
s.cancel <- true
|
||||||
|
}
|
||||||
|
s.endTime = time.Now().UTC()
|
||||||
|
s.renewTill = s.endTime
|
||||||
|
s.sessionKeyExpiration = s.endTime
|
||||||
|
}
|
||||||
|
|
||||||
|
// valid informs if the TGT is still within the valid time window
|
||||||
|
func (s *session) valid() bool {
|
||||||
|
s.mux.RLock()
|
||||||
|
defer s.mux.RUnlock()
|
||||||
|
t := time.Now().UTC()
|
||||||
|
if t.Before(s.endTime) && s.authTime.Before(t) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// tgtDetails is a thread safe way to get the session's realm, TGT and session key values
|
||||||
|
func (s *session) tgtDetails() (string, messages.Ticket, types.EncryptionKey) {
|
||||||
|
s.mux.RLock()
|
||||||
|
defer s.mux.RUnlock()
|
||||||
|
return s.realm, s.tgt, s.sessionKey
|
||||||
|
}
|
||||||
|
|
||||||
|
// timeDetails is a thread safe way to get the session's validity time values
|
||||||
|
func (s *session) timeDetails() (string, time.Time, time.Time, time.Time, time.Time) {
|
||||||
|
s.mux.RLock()
|
||||||
|
defer s.mux.RUnlock()
|
||||||
|
return s.realm, s.authTime, s.endTime, s.renewTill, s.sessionKeyExpiration
|
||||||
|
}
|
||||||
|
|
||||||
|
// JSON return information about the held sessions in a JSON format.
|
||||||
|
func (s *sessions) JSON() (string, error) {
|
||||||
|
s.mux.RLock()
|
||||||
|
defer s.mux.RUnlock()
|
||||||
|
var js []jsonSession
|
||||||
|
keys := make([]string, 0, len(s.Entries))
|
||||||
|
for k := range s.Entries {
|
||||||
|
keys = append(keys, k)
|
||||||
|
}
|
||||||
|
sort.Strings(keys)
|
||||||
|
for _, k := range keys {
|
||||||
|
r, at, et, rt, kt := s.Entries[k].timeDetails()
|
||||||
|
j := jsonSession{
|
||||||
|
Realm: r,
|
||||||
|
AuthTime: at,
|
||||||
|
EndTime: et,
|
||||||
|
RenewTill: rt,
|
||||||
|
SessionKeyExpiration: kt,
|
||||||
|
}
|
||||||
|
js = append(js, j)
|
||||||
|
}
|
||||||
|
b, err := json.MarshalIndent(js, "", " ")
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return string(b), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// enableAutoSessionRenewal turns on the automatic renewal for the client's TGT session.
|
||||||
|
func (cl *Client) enableAutoSessionRenewal(s *session) {
|
||||||
|
var timer *time.Timer
|
||||||
|
s.mux.Lock()
|
||||||
|
s.cancel = make(chan bool, 1)
|
||||||
|
s.mux.Unlock()
|
||||||
|
go func(s *session) {
|
||||||
|
for {
|
||||||
|
s.mux.RLock()
|
||||||
|
w := (s.endTime.Sub(time.Now().UTC()) * 5) / 6
|
||||||
|
s.mux.RUnlock()
|
||||||
|
if w < 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
timer = time.NewTimer(w)
|
||||||
|
select {
|
||||||
|
case <-timer.C:
|
||||||
|
renewal, err := cl.refreshSession(s)
|
||||||
|
if err != nil {
|
||||||
|
cl.Log("error refreshing session: %v", err)
|
||||||
|
}
|
||||||
|
if !renewal && err == nil {
|
||||||
|
// end this goroutine as there will have been a new login and new auto renewal goroutine created.
|
||||||
|
return
|
||||||
|
}
|
||||||
|
case <-s.cancel:
|
||||||
|
// cancel has been called. Stop the timer and exit.
|
||||||
|
timer.Stop()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}(s)
|
||||||
|
}
|
||||||
|
|
||||||
|
// renewTGT renews the client's TGT session.
|
||||||
|
func (cl *Client) renewTGT(s *session) error {
|
||||||
|
realm, tgt, skey := s.tgtDetails()
|
||||||
|
spn := types.PrincipalName{
|
||||||
|
NameType: nametype.KRB_NT_SRV_INST,
|
||||||
|
NameString: []string{"krbtgt", realm},
|
||||||
|
}
|
||||||
|
_, tgsRep, err := cl.TGSREQGenerateAndExchange(spn, cl.Credentials.Domain(), tgt, skey, true)
|
||||||
|
if err != nil {
|
||||||
|
return krberror.Errorf(err, krberror.KRBMsgError, "error renewing TGT for %s", realm)
|
||||||
|
}
|
||||||
|
s.update(tgsRep.Ticket, tgsRep.DecryptedEncPart)
|
||||||
|
cl.sessions.update(s)
|
||||||
|
cl.Log("TGT session renewed for %s (EndTime: %v)", realm, tgsRep.DecryptedEncPart.EndTime)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// refreshSession updates either through renewal or creating a new login.
|
||||||
|
// The boolean indicates if the update was a renewal.
|
||||||
|
func (cl *Client) refreshSession(s *session) (bool, error) {
|
||||||
|
s.mux.RLock()
|
||||||
|
realm := s.realm
|
||||||
|
renewTill := s.renewTill
|
||||||
|
s.mux.RUnlock()
|
||||||
|
cl.Log("refreshing TGT session for %s", realm)
|
||||||
|
if time.Now().UTC().Before(renewTill) {
|
||||||
|
err := cl.renewTGT(s)
|
||||||
|
return true, err
|
||||||
|
}
|
||||||
|
err := cl.realmLogin(realm)
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// ensureValidSession makes sure there is a valid session for the realm
|
||||||
|
func (cl *Client) ensureValidSession(realm string) error {
|
||||||
|
s, ok := cl.sessions.get(realm)
|
||||||
|
if ok {
|
||||||
|
s.mux.RLock()
|
||||||
|
d := s.endTime.Sub(s.authTime) / 6
|
||||||
|
if s.endTime.Sub(time.Now().UTC()) > d {
|
||||||
|
s.mux.RUnlock()
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
s.mux.RUnlock()
|
||||||
|
_, err := cl.refreshSession(s)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return cl.realmLogin(realm)
|
||||||
|
}
|
||||||
|
|
||||||
|
// sessionTGTDetails is a thread safe way to get the TGT and session key values for a realm
|
||||||
|
func (cl *Client) sessionTGT(realm string) (tgt messages.Ticket, sessionKey types.EncryptionKey, err error) {
|
||||||
|
err = cl.ensureValidSession(realm)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
s, ok := cl.sessions.get(realm)
|
||||||
|
if !ok {
|
||||||
|
err = fmt.Errorf("could not find TGT session for %s", realm)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, tgt, sessionKey = s.tgtDetails()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// sessionTimes provides the timing information with regards to a session for the realm specified.
|
||||||
|
func (cl *Client) sessionTimes(realm string) (authTime, endTime, renewTime, sessionExp time.Time, err error) {
|
||||||
|
s, ok := cl.sessions.get(realm)
|
||||||
|
if !ok {
|
||||||
|
err = fmt.Errorf("could not find TGT session for %s", realm)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, authTime, endTime, renewTime, sessionExp = s.timeDetails()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// spnRealm resolves the realm name of a service principal name
|
||||||
|
func (cl *Client) spnRealm(spn types.PrincipalName) string {
|
||||||
|
return cl.Config.ResolveRealm(spn.NameString[len(spn.NameString)-1])
|
||||||
|
}
|
93
vendor/github.com/jcmturner/gokrb5/v8/client/settings.go
generated
vendored
Normal file
93
vendor/github.com/jcmturner/gokrb5/v8/client/settings.go
generated
vendored
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
package client
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Settings holds optional client settings.
|
||||||
|
type Settings struct {
|
||||||
|
disablePAFXFast bool
|
||||||
|
assumePreAuthentication bool
|
||||||
|
preAuthEType int32
|
||||||
|
logger *log.Logger
|
||||||
|
}
|
||||||
|
|
||||||
|
// jsonSettings is used when marshaling the Settings details to JSON format.
|
||||||
|
type jsonSettings struct {
|
||||||
|
DisablePAFXFast bool
|
||||||
|
AssumePreAuthentication bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewSettings creates a new client settings struct.
|
||||||
|
func NewSettings(settings ...func(*Settings)) *Settings {
|
||||||
|
s := new(Settings)
|
||||||
|
for _, set := range settings {
|
||||||
|
set(s)
|
||||||
|
}
|
||||||
|
return s
|
||||||
|
}
|
||||||
|
|
||||||
|
// DisablePAFXFAST used to configure the client to not use PA_FX_FAST.
|
||||||
|
//
|
||||||
|
// s := NewSettings(DisablePAFXFAST(true))
|
||||||
|
func DisablePAFXFAST(b bool) func(*Settings) {
|
||||||
|
return func(s *Settings) {
|
||||||
|
s.disablePAFXFast = b
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// DisablePAFXFAST indicates is the client should disable the use of PA_FX_FAST.
|
||||||
|
func (s *Settings) DisablePAFXFAST() bool {
|
||||||
|
return s.disablePAFXFast
|
||||||
|
}
|
||||||
|
|
||||||
|
// AssumePreAuthentication used to configure the client to assume pre-authentication is required.
|
||||||
|
//
|
||||||
|
// s := NewSettings(AssumePreAuthentication(true))
|
||||||
|
func AssumePreAuthentication(b bool) func(*Settings) {
|
||||||
|
return func(s *Settings) {
|
||||||
|
s.assumePreAuthentication = b
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// AssumePreAuthentication indicates if the client should proactively assume using pre-authentication.
|
||||||
|
func (s *Settings) AssumePreAuthentication() bool {
|
||||||
|
return s.assumePreAuthentication
|
||||||
|
}
|
||||||
|
|
||||||
|
// Logger used to configure client with a logger.
|
||||||
|
//
|
||||||
|
// s := NewSettings(kt, Logger(l))
|
||||||
|
func Logger(l *log.Logger) func(*Settings) {
|
||||||
|
return func(s *Settings) {
|
||||||
|
s.logger = l
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Logger returns the client logger instance.
|
||||||
|
func (s *Settings) Logger() *log.Logger {
|
||||||
|
return s.logger
|
||||||
|
}
|
||||||
|
|
||||||
|
// Log will write to the service's logger if it is configured.
|
||||||
|
func (cl *Client) Log(format string, v ...interface{}) {
|
||||||
|
if cl.settings.Logger() != nil {
|
||||||
|
cl.settings.Logger().Output(2, fmt.Sprintf(format, v...))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// JSON returns a JSON representation of the settings.
|
||||||
|
func (s *Settings) JSON() (string, error) {
|
||||||
|
js := jsonSettings{
|
||||||
|
DisablePAFXFast: s.disablePAFXFast,
|
||||||
|
AssumePreAuthentication: s.assumePreAuthentication,
|
||||||
|
}
|
||||||
|
b, err := json.MarshalIndent(js, "", " ")
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return string(b), nil
|
||||||
|
|
||||||
|
}
|
30
vendor/github.com/jcmturner/gokrb5/v8/config/error.go
generated
vendored
Normal file
30
vendor/github.com/jcmturner/gokrb5/v8/config/error.go
generated
vendored
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
package config
|
||||||
|
|
||||||
|
import "fmt"
|
||||||
|
|
||||||
|
// UnsupportedDirective error.
|
||||||
|
type UnsupportedDirective struct {
|
||||||
|
text string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Error implements the error interface for unsupported directives.
|
||||||
|
func (e UnsupportedDirective) Error() string {
|
||||||
|
return e.text
|
||||||
|
}
|
||||||
|
|
||||||
|
// Invalid config error.
|
||||||
|
type Invalid struct {
|
||||||
|
text string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Error implements the error interface for invalid config error.
|
||||||
|
func (e Invalid) Error() string {
|
||||||
|
return e.text
|
||||||
|
}
|
||||||
|
|
||||||
|
// InvalidErrorf creates a new Invalid error.
|
||||||
|
func InvalidErrorf(format string, a ...interface{}) Invalid {
|
||||||
|
return Invalid{
|
||||||
|
text: fmt.Sprintf("invalid krb5 config "+format, a...),
|
||||||
|
}
|
||||||
|
}
|
141
vendor/github.com/jcmturner/gokrb5/v8/config/hosts.go
generated
vendored
Normal file
141
vendor/github.com/jcmturner/gokrb5/v8/config/hosts.go
generated
vendored
Normal file
@ -0,0 +1,141 @@
|
|||||||
|
package config
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"math/rand"
|
||||||
|
"net"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/jcmturner/dnsutils/v2"
|
||||||
|
)
|
||||||
|
|
||||||
|
// GetKDCs returns the count of KDCs available and a map of KDC host names keyed on preference order.
|
||||||
|
func (c *Config) GetKDCs(realm string, tcp bool) (int, map[int]string, error) {
|
||||||
|
if realm == "" {
|
||||||
|
realm = c.LibDefaults.DefaultRealm
|
||||||
|
}
|
||||||
|
kdcs := make(map[int]string)
|
||||||
|
var count int
|
||||||
|
|
||||||
|
// Get the KDCs from the krb5.conf.
|
||||||
|
var ks []string
|
||||||
|
for _, r := range c.Realms {
|
||||||
|
if r.Realm != realm {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
ks = r.KDC
|
||||||
|
}
|
||||||
|
count = len(ks)
|
||||||
|
|
||||||
|
if count > 0 {
|
||||||
|
// Order the kdcs randomly for preference.
|
||||||
|
kdcs = randServOrder(ks)
|
||||||
|
return count, kdcs, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if !c.LibDefaults.DNSLookupKDC {
|
||||||
|
return count, kdcs, fmt.Errorf("no KDCs defined in configuration for realm %s", realm)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Use DNS to resolve kerberos SRV records.
|
||||||
|
proto := "udp"
|
||||||
|
if tcp {
|
||||||
|
proto = "tcp"
|
||||||
|
}
|
||||||
|
index, addrs, err := dnsutils.OrderedSRV("kerberos", proto, realm)
|
||||||
|
if err != nil {
|
||||||
|
return count, kdcs, err
|
||||||
|
}
|
||||||
|
if len(addrs) < 1 {
|
||||||
|
return count, kdcs, fmt.Errorf("no KDC SRV records found for realm %s", realm)
|
||||||
|
}
|
||||||
|
count = index
|
||||||
|
for k, v := range addrs {
|
||||||
|
kdcs[k] = strings.TrimRight(v.Target, ".") + ":" + strconv.Itoa(int(v.Port))
|
||||||
|
}
|
||||||
|
return count, kdcs, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKpasswdServers returns the count of kpasswd servers available and a map of kpasswd host names keyed on preference order.
|
||||||
|
// https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#realms - see kpasswd_server section
|
||||||
|
func (c *Config) GetKpasswdServers(realm string, tcp bool) (int, map[int]string, error) {
|
||||||
|
kdcs := make(map[int]string)
|
||||||
|
var count int
|
||||||
|
|
||||||
|
// Use DNS to resolve kerberos SRV records if configured to do so in krb5.conf.
|
||||||
|
if c.LibDefaults.DNSLookupKDC {
|
||||||
|
proto := "udp"
|
||||||
|
if tcp {
|
||||||
|
proto = "tcp"
|
||||||
|
}
|
||||||
|
c, addrs, err := dnsutils.OrderedSRV("kpasswd", proto, realm)
|
||||||
|
if err != nil {
|
||||||
|
return count, kdcs, err
|
||||||
|
}
|
||||||
|
if c < 1 {
|
||||||
|
c, addrs, err = dnsutils.OrderedSRV("kerberos-adm", proto, realm)
|
||||||
|
if err != nil {
|
||||||
|
return count, kdcs, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(addrs) < 1 {
|
||||||
|
return count, kdcs, fmt.Errorf("no kpasswd or kadmin SRV records found for realm %s", realm)
|
||||||
|
}
|
||||||
|
count = c
|
||||||
|
for k, v := range addrs {
|
||||||
|
kdcs[k] = strings.TrimRight(v.Target, ".") + ":" + strconv.Itoa(int(v.Port))
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Get the KDCs from the krb5.conf an order them randomly for preference.
|
||||||
|
var ks []string
|
||||||
|
var ka []string
|
||||||
|
for _, r := range c.Realms {
|
||||||
|
if r.Realm == realm {
|
||||||
|
ks = r.KPasswdServer
|
||||||
|
ka = r.AdminServer
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(ks) < 1 {
|
||||||
|
for _, k := range ka {
|
||||||
|
h, _, err := net.SplitHostPort(k)
|
||||||
|
if err != nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
ks = append(ks, h+":464")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
count = len(ks)
|
||||||
|
if count < 1 {
|
||||||
|
return count, kdcs, fmt.Errorf("no kpasswd or kadmin defined in configuration for realm %s", realm)
|
||||||
|
}
|
||||||
|
kdcs = randServOrder(ks)
|
||||||
|
}
|
||||||
|
return count, kdcs, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func randServOrder(ks []string) map[int]string {
|
||||||
|
kdcs := make(map[int]string)
|
||||||
|
count := len(ks)
|
||||||
|
i := 1
|
||||||
|
if count > 1 {
|
||||||
|
l := len(ks)
|
||||||
|
for l > 0 {
|
||||||
|
ri := rand.Intn(l)
|
||||||
|
kdcs[i] = ks[ri]
|
||||||
|
if l > 1 {
|
||||||
|
// Remove the entry from the source slice by swapping with the last entry and truncating
|
||||||
|
ks[len(ks)-1], ks[ri] = ks[ri], ks[len(ks)-1]
|
||||||
|
ks = ks[:len(ks)-1]
|
||||||
|
l = len(ks)
|
||||||
|
} else {
|
||||||
|
l = 0
|
||||||
|
}
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
kdcs[i] = ks[0]
|
||||||
|
}
|
||||||
|
return kdcs
|
||||||
|
}
|
728
vendor/github.com/jcmturner/gokrb5/v8/config/krb5conf.go
generated
vendored
Normal file
728
vendor/github.com/jcmturner/gokrb5/v8/config/krb5conf.go
generated
vendored
Normal file
@ -0,0 +1,728 @@
|
|||||||
|
// Package config implements KRB5 client and service configuration as described at https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
|
||||||
|
package config
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bufio"
|
||||||
|
"encoding/hex"
|
||||||
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net"
|
||||||
|
"os"
|
||||||
|
"os/user"
|
||||||
|
"regexp"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gofork/encoding/asn1"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Config represents the KRB5 configuration.
|
||||||
|
type Config struct {
|
||||||
|
LibDefaults LibDefaults
|
||||||
|
Realms []Realm
|
||||||
|
DomainRealm DomainRealm
|
||||||
|
//CaPaths
|
||||||
|
//AppDefaults
|
||||||
|
//Plugins
|
||||||
|
}
|
||||||
|
|
||||||
|
// WeakETypeList is a list of encryption types that have been deemed weak.
|
||||||
|
const WeakETypeList = "des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des3-cbc-raw des-hmac-sha1 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp des"
|
||||||
|
|
||||||
|
// New creates a new config struct instance.
|
||||||
|
func New() *Config {
|
||||||
|
d := make(DomainRealm)
|
||||||
|
return &Config{
|
||||||
|
LibDefaults: newLibDefaults(),
|
||||||
|
DomainRealm: d,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// LibDefaults represents the [libdefaults] section of the configuration.
|
||||||
|
type LibDefaults struct {
|
||||||
|
AllowWeakCrypto bool //default false
|
||||||
|
// ap_req_checksum_type int //unlikely to support this
|
||||||
|
Canonicalize bool //default false
|
||||||
|
CCacheType int //default is 4. unlikely to implement older
|
||||||
|
Clockskew time.Duration //max allowed skew in seconds, default 300
|
||||||
|
//Default_ccache_name string // default /tmp/krb5cc_%{uid} //Not implementing as will hold in memory
|
||||||
|
DefaultClientKeytabName string //default /usr/local/var/krb5/user/%{euid}/client.keytab
|
||||||
|
DefaultKeytabName string //default /etc/krb5.keytab
|
||||||
|
DefaultRealm string
|
||||||
|
DefaultTGSEnctypes []string //default aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
|
||||||
|
DefaultTktEnctypes []string //default aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
|
||||||
|
DefaultTGSEnctypeIDs []int32 //default aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
|
||||||
|
DefaultTktEnctypeIDs []int32 //default aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
|
||||||
|
DNSCanonicalizeHostname bool //default true
|
||||||
|
DNSLookupKDC bool //default false
|
||||||
|
DNSLookupRealm bool
|
||||||
|
ExtraAddresses []net.IP //Not implementing yet
|
||||||
|
Forwardable bool //default false
|
||||||
|
IgnoreAcceptorHostname bool //default false
|
||||||
|
K5LoginAuthoritative bool //default false
|
||||||
|
K5LoginDirectory string //default user's home directory. Must be owned by the user or root
|
||||||
|
KDCDefaultOptions asn1.BitString //default 0x00000010 (KDC_OPT_RENEWABLE_OK)
|
||||||
|
KDCTimeSync int //default 1
|
||||||
|
//kdc_req_checksum_type int //unlikely to implement as for very old KDCs
|
||||||
|
NoAddresses bool //default true
|
||||||
|
PermittedEnctypes []string //default aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
|
||||||
|
PermittedEnctypeIDs []int32
|
||||||
|
//plugin_base_dir string //not supporting plugins
|
||||||
|
PreferredPreauthTypes []int //default “17, 16, 15, 14”, which forces libkrb5 to attempt to use PKINIT if it is supported
|
||||||
|
Proxiable bool //default false
|
||||||
|
RDNS bool //default true
|
||||||
|
RealmTryDomains int //default -1
|
||||||
|
RenewLifetime time.Duration //default 0
|
||||||
|
SafeChecksumType int //default 8
|
||||||
|
TicketLifetime time.Duration //default 1 day
|
||||||
|
UDPPreferenceLimit int // 1 means to always use tcp. MIT krb5 has a default value of 1465, and it prevents user setting more than 32700.
|
||||||
|
VerifyAPReqNofail bool //default false
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create a new LibDefaults struct.
|
||||||
|
func newLibDefaults() LibDefaults {
|
||||||
|
uid := "0"
|
||||||
|
var hdir string
|
||||||
|
usr, _ := user.Current()
|
||||||
|
if usr != nil {
|
||||||
|
uid = usr.Uid
|
||||||
|
hdir = usr.HomeDir
|
||||||
|
}
|
||||||
|
opts := asn1.BitString{}
|
||||||
|
opts.Bytes, _ = hex.DecodeString("00000010")
|
||||||
|
opts.BitLength = len(opts.Bytes) * 8
|
||||||
|
return LibDefaults{
|
||||||
|
CCacheType: 4,
|
||||||
|
Clockskew: time.Duration(300) * time.Second,
|
||||||
|
DefaultClientKeytabName: fmt.Sprintf("/usr/local/var/krb5/user/%s/client.keytab", uid),
|
||||||
|
DefaultKeytabName: "/etc/krb5.keytab",
|
||||||
|
DefaultTGSEnctypes: []string{"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac-md5", "camellia256-cts-cmac", "camellia128-cts-cmac", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"},
|
||||||
|
DefaultTktEnctypes: []string{"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac-md5", "camellia256-cts-cmac", "camellia128-cts-cmac", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"},
|
||||||
|
DNSCanonicalizeHostname: true,
|
||||||
|
K5LoginDirectory: hdir,
|
||||||
|
KDCDefaultOptions: opts,
|
||||||
|
KDCTimeSync: 1,
|
||||||
|
NoAddresses: true,
|
||||||
|
PermittedEnctypes: []string{"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac-md5", "camellia256-cts-cmac", "camellia128-cts-cmac", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"},
|
||||||
|
RDNS: true,
|
||||||
|
RealmTryDomains: -1,
|
||||||
|
SafeChecksumType: 8,
|
||||||
|
TicketLifetime: time.Duration(24) * time.Hour,
|
||||||
|
UDPPreferenceLimit: 1465,
|
||||||
|
PreferredPreauthTypes: []int{17, 16, 15, 14},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse the lines of the [libdefaults] section of the configuration into the LibDefaults struct.
|
||||||
|
func (l *LibDefaults) parseLines(lines []string) error {
|
||||||
|
for _, line := range lines {
|
||||||
|
//Remove comments after the values
|
||||||
|
if idx := strings.IndexAny(line, "#;"); idx != -1 {
|
||||||
|
line = line[:idx]
|
||||||
|
}
|
||||||
|
line = strings.TrimSpace(line)
|
||||||
|
if line == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if !strings.Contains(line, "=") {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s)", line)
|
||||||
|
}
|
||||||
|
|
||||||
|
p := strings.Split(line, "=")
|
||||||
|
key := strings.TrimSpace(strings.ToLower(p[0]))
|
||||||
|
switch key {
|
||||||
|
case "allow_weak_crypto":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.AllowWeakCrypto = v
|
||||||
|
case "canonicalize":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.Canonicalize = v
|
||||||
|
case "ccache_type":
|
||||||
|
p[1] = strings.TrimSpace(p[1])
|
||||||
|
v, err := strconv.ParseUint(p[1], 10, 32)
|
||||||
|
if err != nil || v < 0 || v > 4 {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s)", line)
|
||||||
|
}
|
||||||
|
l.CCacheType = int(v)
|
||||||
|
case "clockskew":
|
||||||
|
d, err := parseDuration(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.Clockskew = d
|
||||||
|
case "default_client_keytab_name":
|
||||||
|
l.DefaultClientKeytabName = strings.TrimSpace(p[1])
|
||||||
|
case "default_keytab_name":
|
||||||
|
l.DefaultKeytabName = strings.TrimSpace(p[1])
|
||||||
|
case "default_realm":
|
||||||
|
l.DefaultRealm = strings.TrimSpace(p[1])
|
||||||
|
case "default_tgs_enctypes":
|
||||||
|
l.DefaultTGSEnctypes = strings.Fields(p[1])
|
||||||
|
case "default_tkt_enctypes":
|
||||||
|
l.DefaultTktEnctypes = strings.Fields(p[1])
|
||||||
|
case "dns_canonicalize_hostname":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.DNSCanonicalizeHostname = v
|
||||||
|
case "dns_lookup_kdc":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.DNSLookupKDC = v
|
||||||
|
case "dns_lookup_realm":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.DNSLookupRealm = v
|
||||||
|
case "extra_addresses":
|
||||||
|
ipStr := strings.TrimSpace(p[1])
|
||||||
|
for _, ip := range strings.Split(ipStr, ",") {
|
||||||
|
if eip := net.ParseIP(ip); eip != nil {
|
||||||
|
l.ExtraAddresses = append(l.ExtraAddresses, eip)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
case "forwardable":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.Forwardable = v
|
||||||
|
case "ignore_acceptor_hostname":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.IgnoreAcceptorHostname = v
|
||||||
|
case "k5login_authoritative":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.K5LoginAuthoritative = v
|
||||||
|
case "k5login_directory":
|
||||||
|
l.K5LoginDirectory = strings.TrimSpace(p[1])
|
||||||
|
case "kdc_default_options":
|
||||||
|
v := strings.TrimSpace(p[1])
|
||||||
|
v = strings.Replace(v, "0x", "", -1)
|
||||||
|
b, err := hex.DecodeString(v)
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.KDCDefaultOptions.Bytes = b
|
||||||
|
l.KDCDefaultOptions.BitLength = len(b) * 8
|
||||||
|
case "kdc_timesync":
|
||||||
|
p[1] = strings.TrimSpace(p[1])
|
||||||
|
v, err := strconv.ParseInt(p[1], 10, 32)
|
||||||
|
if err != nil || v < 0 {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s)", line)
|
||||||
|
}
|
||||||
|
l.KDCTimeSync = int(v)
|
||||||
|
case "noaddresses":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.NoAddresses = v
|
||||||
|
case "permitted_enctypes":
|
||||||
|
l.PermittedEnctypes = strings.Fields(p[1])
|
||||||
|
case "preferred_preauth_types":
|
||||||
|
p[1] = strings.TrimSpace(p[1])
|
||||||
|
t := strings.Split(p[1], ",")
|
||||||
|
var v []int
|
||||||
|
for _, s := range t {
|
||||||
|
i, err := strconv.ParseInt(s, 10, 32)
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
v = append(v, int(i))
|
||||||
|
}
|
||||||
|
l.PreferredPreauthTypes = v
|
||||||
|
case "proxiable":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.Proxiable = v
|
||||||
|
case "rdns":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.RDNS = v
|
||||||
|
case "realm_try_domains":
|
||||||
|
p[1] = strings.TrimSpace(p[1])
|
||||||
|
v, err := strconv.ParseInt(p[1], 10, 32)
|
||||||
|
if err != nil || v < -1 {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s)", line)
|
||||||
|
}
|
||||||
|
l.RealmTryDomains = int(v)
|
||||||
|
case "renew_lifetime":
|
||||||
|
d, err := parseDuration(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.RenewLifetime = d
|
||||||
|
case "safe_checksum_type":
|
||||||
|
p[1] = strings.TrimSpace(p[1])
|
||||||
|
v, err := strconv.ParseInt(p[1], 10, 32)
|
||||||
|
if err != nil || v < 0 {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s)", line)
|
||||||
|
}
|
||||||
|
l.SafeChecksumType = int(v)
|
||||||
|
case "ticket_lifetime":
|
||||||
|
d, err := parseDuration(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.TicketLifetime = d
|
||||||
|
case "udp_preference_limit":
|
||||||
|
p[1] = strings.TrimSpace(p[1])
|
||||||
|
v, err := strconv.ParseUint(p[1], 10, 32)
|
||||||
|
if err != nil || v > 32700 {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s)", line)
|
||||||
|
}
|
||||||
|
l.UDPPreferenceLimit = int(v)
|
||||||
|
case "verify_ap_req_nofail":
|
||||||
|
v, err := parseBoolean(p[1])
|
||||||
|
if err != nil {
|
||||||
|
return InvalidErrorf("libdefaults section line (%s): %v", line, err)
|
||||||
|
}
|
||||||
|
l.VerifyAPReqNofail = v
|
||||||
|
}
|
||||||
|
}
|
||||||
|
l.DefaultTGSEnctypeIDs = parseETypes(l.DefaultTGSEnctypes, l.AllowWeakCrypto)
|
||||||
|
l.DefaultTktEnctypeIDs = parseETypes(l.DefaultTktEnctypes, l.AllowWeakCrypto)
|
||||||
|
l.PermittedEnctypeIDs = parseETypes(l.PermittedEnctypes, l.AllowWeakCrypto)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Realm represents an entry in the [realms] section of the configuration.
|
||||||
|
type Realm struct {
|
||||||
|
Realm string
|
||||||
|
AdminServer []string
|
||||||
|
//auth_to_local //Not implementing for now
|
||||||
|
//auth_to_local_names //Not implementing for now
|
||||||
|
DefaultDomain string
|
||||||
|
KDC []string
|
||||||
|
KPasswdServer []string //default admin_server:464
|
||||||
|
MasterKDC []string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse the lines of a [realms] entry into the Realm struct.
|
||||||
|
func (r *Realm) parseLines(name string, lines []string) (err error) {
|
||||||
|
r.Realm = name
|
||||||
|
var adminServerFinal bool
|
||||||
|
var KDCFinal bool
|
||||||
|
var kpasswdServerFinal bool
|
||||||
|
var masterKDCFinal bool
|
||||||
|
var ignore bool
|
||||||
|
var c int // counts the depth of blocks within brackets { }
|
||||||
|
for _, line := range lines {
|
||||||
|
if ignore && c > 0 && !strings.Contains(line, "{") && !strings.Contains(line, "}") {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
//Remove comments after the values
|
||||||
|
if idx := strings.IndexAny(line, "#;"); idx != -1 {
|
||||||
|
line = line[:idx]
|
||||||
|
}
|
||||||
|
line = strings.TrimSpace(line)
|
||||||
|
if line == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if !strings.Contains(line, "=") && !strings.Contains(line, "}") {
|
||||||
|
return InvalidErrorf("realms section line (%s)", line)
|
||||||
|
}
|
||||||
|
if strings.Contains(line, "v4_") {
|
||||||
|
ignore = true
|
||||||
|
err = UnsupportedDirective{"v4 configurations are not supported"}
|
||||||
|
}
|
||||||
|
if strings.Contains(line, "{") {
|
||||||
|
c++
|
||||||
|
if ignore {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if strings.Contains(line, "}") {
|
||||||
|
c--
|
||||||
|
if c < 0 {
|
||||||
|
return InvalidErrorf("unpaired curly brackets")
|
||||||
|
}
|
||||||
|
if ignore {
|
||||||
|
if c < 1 {
|
||||||
|
c = 0
|
||||||
|
ignore = false
|
||||||
|
}
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
p := strings.Split(line, "=")
|
||||||
|
key := strings.TrimSpace(strings.ToLower(p[0]))
|
||||||
|
v := strings.TrimSpace(p[1])
|
||||||
|
switch key {
|
||||||
|
case "admin_server":
|
||||||
|
appendUntilFinal(&r.AdminServer, v, &adminServerFinal)
|
||||||
|
case "default_domain":
|
||||||
|
r.DefaultDomain = v
|
||||||
|
case "kdc":
|
||||||
|
if !strings.Contains(v, ":") {
|
||||||
|
// No port number specified default to 88
|
||||||
|
if strings.HasSuffix(v, `*`) {
|
||||||
|
v = strings.TrimSpace(strings.TrimSuffix(v, `*`)) + ":88*"
|
||||||
|
} else {
|
||||||
|
v = strings.TrimSpace(v) + ":88"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
appendUntilFinal(&r.KDC, v, &KDCFinal)
|
||||||
|
case "kpasswd_server":
|
||||||
|
appendUntilFinal(&r.KPasswdServer, v, &kpasswdServerFinal)
|
||||||
|
case "master_kdc":
|
||||||
|
appendUntilFinal(&r.MasterKDC, v, &masterKDCFinal)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
//default for Kpasswd_server = admin_server:464
|
||||||
|
if len(r.KPasswdServer) < 1 {
|
||||||
|
for _, a := range r.AdminServer {
|
||||||
|
s := strings.Split(a, ":")
|
||||||
|
r.KPasswdServer = append(r.KPasswdServer, s[0]+":464")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse the lines of the [realms] section of the configuration into an slice of Realm structs.
|
||||||
|
func parseRealms(lines []string) (realms []Realm, err error) {
|
||||||
|
var name string
|
||||||
|
var start int
|
||||||
|
var c int
|
||||||
|
for i, l := range lines {
|
||||||
|
//Remove comments after the values
|
||||||
|
if idx := strings.IndexAny(l, "#;"); idx != -1 {
|
||||||
|
l = l[:idx]
|
||||||
|
}
|
||||||
|
l = strings.TrimSpace(l)
|
||||||
|
if l == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
//if strings.Contains(l, "v4_") {
|
||||||
|
// return nil, errors.New("v4 configurations are not supported in Realms section")
|
||||||
|
//}
|
||||||
|
if strings.Contains(l, "{") {
|
||||||
|
c++
|
||||||
|
if !strings.Contains(l, "=") {
|
||||||
|
return nil, fmt.Errorf("realm configuration line invalid: %s", l)
|
||||||
|
}
|
||||||
|
if c == 1 {
|
||||||
|
start = i
|
||||||
|
p := strings.Split(l, "=")
|
||||||
|
name = strings.TrimSpace(p[0])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if strings.Contains(l, "}") {
|
||||||
|
if c < 1 {
|
||||||
|
// but not started a block!!!
|
||||||
|
return nil, errors.New("invalid Realms section in configuration")
|
||||||
|
}
|
||||||
|
c--
|
||||||
|
if c == 0 {
|
||||||
|
var r Realm
|
||||||
|
e := r.parseLines(name, lines[start+1:i])
|
||||||
|
if e != nil {
|
||||||
|
if _, ok := e.(UnsupportedDirective); !ok {
|
||||||
|
err = e
|
||||||
|
return
|
||||||
|
}
|
||||||
|
err = e
|
||||||
|
}
|
||||||
|
realms = append(realms, r)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DomainRealm maps the domains to realms representing the [domain_realm] section of the configuration.
|
||||||
|
type DomainRealm map[string]string
|
||||||
|
|
||||||
|
// Parse the lines of the [domain_realm] section of the configuration and add to the mapping.
|
||||||
|
func (d *DomainRealm) parseLines(lines []string) error {
|
||||||
|
for _, line := range lines {
|
||||||
|
//Remove comments after the values
|
||||||
|
if idx := strings.IndexAny(line, "#;"); idx != -1 {
|
||||||
|
line = line[:idx]
|
||||||
|
}
|
||||||
|
if strings.TrimSpace(line) == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if !strings.Contains(line, "=") {
|
||||||
|
return InvalidErrorf("realm line (%s)", line)
|
||||||
|
}
|
||||||
|
p := strings.Split(line, "=")
|
||||||
|
domain := strings.TrimSpace(strings.ToLower(p[0]))
|
||||||
|
realm := strings.TrimSpace(p[1])
|
||||||
|
d.addMapping(domain, realm)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add a domain to realm mapping.
|
||||||
|
func (d *DomainRealm) addMapping(domain, realm string) {
|
||||||
|
(*d)[domain] = realm
|
||||||
|
}
|
||||||
|
|
||||||
|
// Delete a domain to realm mapping.
|
||||||
|
func (d *DomainRealm) deleteMapping(domain, realm string) {
|
||||||
|
delete(*d, domain)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ResolveRealm resolves the kerberos realm for the specified domain name from the domain to realm mapping.
|
||||||
|
// The most specific mapping is returned.
|
||||||
|
func (c *Config) ResolveRealm(domainName string) string {
|
||||||
|
domainName = strings.TrimSuffix(domainName, ".")
|
||||||
|
|
||||||
|
// Try to match the entire hostname first
|
||||||
|
if r, ok := c.DomainRealm[domainName]; ok {
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try to match all DNS domain parts
|
||||||
|
periods := strings.Count(domainName, ".") + 1
|
||||||
|
for i := 2; i <= periods; i++ {
|
||||||
|
z := strings.SplitN(domainName, ".", i)
|
||||||
|
if r, ok := c.DomainRealm["."+z[len(z)-1]]; ok {
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return c.LibDefaults.DefaultRealm
|
||||||
|
}
|
||||||
|
|
||||||
|
// Load the KRB5 configuration from the specified file path.
|
||||||
|
func Load(cfgPath string) (*Config, error) {
|
||||||
|
fh, err := os.Open(cfgPath)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.New("configuration file could not be opened: " + cfgPath + " " + err.Error())
|
||||||
|
}
|
||||||
|
defer fh.Close()
|
||||||
|
scanner := bufio.NewScanner(fh)
|
||||||
|
return NewFromScanner(scanner)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewFromString creates a new Config struct from a string.
|
||||||
|
func NewFromString(s string) (*Config, error) {
|
||||||
|
reader := strings.NewReader(s)
|
||||||
|
return NewFromReader(reader)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewFromReader creates a new Config struct from an io.Reader.
|
||||||
|
func NewFromReader(r io.Reader) (*Config, error) {
|
||||||
|
scanner := bufio.NewScanner(r)
|
||||||
|
return NewFromScanner(scanner)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewFromScanner creates a new Config struct from a bufio.Scanner.
|
||||||
|
func NewFromScanner(scanner *bufio.Scanner) (*Config, error) {
|
||||||
|
c := New()
|
||||||
|
var e error
|
||||||
|
sections := make(map[int]string)
|
||||||
|
var sectionLineNum []int
|
||||||
|
var lines []string
|
||||||
|
for scanner.Scan() {
|
||||||
|
// Skip comments and blank lines
|
||||||
|
if matched, _ := regexp.MatchString(`^\s*(#|;|\n)`, scanner.Text()); matched {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if matched, _ := regexp.MatchString(`^\s*\[libdefaults\]\s*`, scanner.Text()); matched {
|
||||||
|
sections[len(lines)] = "libdefaults"
|
||||||
|
sectionLineNum = append(sectionLineNum, len(lines))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if matched, _ := regexp.MatchString(`^\s*\[realms\]\s*`, scanner.Text()); matched {
|
||||||
|
sections[len(lines)] = "realms"
|
||||||
|
sectionLineNum = append(sectionLineNum, len(lines))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if matched, _ := regexp.MatchString(`^\s*\[domain_realm\]\s*`, scanner.Text()); matched {
|
||||||
|
sections[len(lines)] = "domain_realm"
|
||||||
|
sectionLineNum = append(sectionLineNum, len(lines))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if matched, _ := regexp.MatchString(`^\s*\[.*\]\s*`, scanner.Text()); matched {
|
||||||
|
sections[len(lines)] = "unknown_section"
|
||||||
|
sectionLineNum = append(sectionLineNum, len(lines))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
lines = append(lines, scanner.Text())
|
||||||
|
}
|
||||||
|
for i, start := range sectionLineNum {
|
||||||
|
var end int
|
||||||
|
if i+1 >= len(sectionLineNum) {
|
||||||
|
end = len(lines)
|
||||||
|
} else {
|
||||||
|
end = sectionLineNum[i+1]
|
||||||
|
}
|
||||||
|
switch section := sections[start]; section {
|
||||||
|
case "libdefaults":
|
||||||
|
err := c.LibDefaults.parseLines(lines[start:end])
|
||||||
|
if err != nil {
|
||||||
|
if _, ok := err.(UnsupportedDirective); !ok {
|
||||||
|
return nil, fmt.Errorf("error processing libdefaults section: %v", err)
|
||||||
|
}
|
||||||
|
e = err
|
||||||
|
}
|
||||||
|
case "realms":
|
||||||
|
realms, err := parseRealms(lines[start:end])
|
||||||
|
if err != nil {
|
||||||
|
if _, ok := err.(UnsupportedDirective); !ok {
|
||||||
|
return nil, fmt.Errorf("error processing realms section: %v", err)
|
||||||
|
}
|
||||||
|
e = err
|
||||||
|
}
|
||||||
|
c.Realms = realms
|
||||||
|
case "domain_realm":
|
||||||
|
err := c.DomainRealm.parseLines(lines[start:end])
|
||||||
|
if err != nil {
|
||||||
|
if _, ok := err.(UnsupportedDirective); !ok {
|
||||||
|
return nil, fmt.Errorf("error processing domaain_realm section: %v", err)
|
||||||
|
}
|
||||||
|
e = err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return c, e
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse a space delimited list of ETypes into a list of EType numbers optionally filtering out weak ETypes.
|
||||||
|
func parseETypes(s []string, w bool) []int32 {
|
||||||
|
var eti []int32
|
||||||
|
for _, et := range s {
|
||||||
|
if !w {
|
||||||
|
var weak bool
|
||||||
|
for _, wet := range strings.Fields(WeakETypeList) {
|
||||||
|
if et == wet {
|
||||||
|
weak = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if weak {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
i := etypeID.EtypeSupported(et)
|
||||||
|
if i != 0 {
|
||||||
|
eti = append(eti, i)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return eti
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse a time duration string in the configuration to a golang time.Duration.
|
||||||
|
func parseDuration(s string) (time.Duration, error) {
|
||||||
|
s = strings.Replace(strings.TrimSpace(s), " ", "", -1)
|
||||||
|
|
||||||
|
// handle Nd[NmNs]
|
||||||
|
if strings.Contains(s, "d") {
|
||||||
|
ds := strings.SplitN(s, "d", 2)
|
||||||
|
dn, err := strconv.ParseUint(ds[0], 10, 32)
|
||||||
|
if err != nil {
|
||||||
|
return time.Duration(0), errors.New("invalid time duration")
|
||||||
|
}
|
||||||
|
d := time.Duration(dn*24) * time.Hour
|
||||||
|
if ds[1] != "" {
|
||||||
|
dp, err := time.ParseDuration(ds[1])
|
||||||
|
if err != nil {
|
||||||
|
return time.Duration(0), errors.New("invalid time duration")
|
||||||
|
}
|
||||||
|
d = d + dp
|
||||||
|
}
|
||||||
|
return d, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// handle Nm[Ns]
|
||||||
|
d, err := time.ParseDuration(s)
|
||||||
|
if err == nil {
|
||||||
|
return d, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// handle N
|
||||||
|
v, err := strconv.ParseUint(s, 10, 32)
|
||||||
|
if err == nil && v > 0 {
|
||||||
|
return time.Duration(v) * time.Second, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// handle h:m[:s]
|
||||||
|
if strings.Contains(s, ":") {
|
||||||
|
t := strings.Split(s, ":")
|
||||||
|
if 2 > len(t) || len(t) > 3 {
|
||||||
|
return time.Duration(0), errors.New("invalid time duration value")
|
||||||
|
}
|
||||||
|
var i []int
|
||||||
|
for _, n := range t {
|
||||||
|
j, err := strconv.ParseInt(n, 10, 16)
|
||||||
|
if err != nil {
|
||||||
|
return time.Duration(0), errors.New("invalid time duration value")
|
||||||
|
}
|
||||||
|
i = append(i, int(j))
|
||||||
|
}
|
||||||
|
d := time.Duration(i[0])*time.Hour + time.Duration(i[1])*time.Minute
|
||||||
|
if len(i) == 3 {
|
||||||
|
d = d + time.Duration(i[2])*time.Second
|
||||||
|
}
|
||||||
|
return d, nil
|
||||||
|
}
|
||||||
|
return time.Duration(0), errors.New("invalid time duration value")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse possible boolean values to golang bool.
|
||||||
|
func parseBoolean(s string) (bool, error) {
|
||||||
|
s = strings.TrimSpace(s)
|
||||||
|
v, err := strconv.ParseBool(s)
|
||||||
|
if err == nil {
|
||||||
|
return v, nil
|
||||||
|
}
|
||||||
|
switch strings.ToLower(s) {
|
||||||
|
case "yes":
|
||||||
|
return true, nil
|
||||||
|
case "y":
|
||||||
|
return true, nil
|
||||||
|
case "no":
|
||||||
|
return false, nil
|
||||||
|
case "n":
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
return false, errors.New("invalid boolean value")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse array of strings but stop if an asterisk is placed at the end of a line.
|
||||||
|
func appendUntilFinal(s *[]string, value string, final *bool) {
|
||||||
|
if *final {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if last := len(value) - 1; last >= 0 && value[last] == '*' {
|
||||||
|
*final = true
|
||||||
|
value = value[:len(value)-1]
|
||||||
|
}
|
||||||
|
*s = append(*s, value)
|
||||||
|
}
|
||||||
|
|
||||||
|
// JSON return details of the config in a JSON format.
|
||||||
|
func (c *Config) JSON() (string, error) {
|
||||||
|
b, err := json.MarshalIndent(c, "", " ")
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return string(b), nil
|
||||||
|
}
|
333
vendor/github.com/jcmturner/gokrb5/v8/credentials/ccache.go
generated
vendored
Normal file
333
vendor/github.com/jcmturner/gokrb5/v8/credentials/ccache.go
generated
vendored
Normal file
@ -0,0 +1,333 @@
|
|||||||
|
package credentials
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"io/ioutil"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
"unsafe"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gofork/encoding/asn1"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
headerFieldTagKDCOffset = 1
|
||||||
|
)
|
||||||
|
|
||||||
|
// CCache is the file credentials cache as define here: https://web.mit.edu/kerberos/krb5-latest/doc/formats/ccache_file_format.html
|
||||||
|
type CCache struct {
|
||||||
|
Version uint8
|
||||||
|
Header header
|
||||||
|
DefaultPrincipal principal
|
||||||
|
Credentials []*Credential
|
||||||
|
Path string
|
||||||
|
}
|
||||||
|
|
||||||
|
type header struct {
|
||||||
|
length uint16
|
||||||
|
fields []headerField
|
||||||
|
}
|
||||||
|
|
||||||
|
type headerField struct {
|
||||||
|
tag uint16
|
||||||
|
length uint16
|
||||||
|
value []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// Credential cache entry principal struct.
|
||||||
|
type principal struct {
|
||||||
|
Realm string
|
||||||
|
PrincipalName types.PrincipalName
|
||||||
|
}
|
||||||
|
|
||||||
|
// Credential holds a Kerberos client's ccache credential information.
|
||||||
|
type Credential struct {
|
||||||
|
Client principal
|
||||||
|
Server principal
|
||||||
|
Key types.EncryptionKey
|
||||||
|
AuthTime time.Time
|
||||||
|
StartTime time.Time
|
||||||
|
EndTime time.Time
|
||||||
|
RenewTill time.Time
|
||||||
|
IsSKey bool
|
||||||
|
TicketFlags asn1.BitString
|
||||||
|
Addresses []types.HostAddress
|
||||||
|
AuthData []types.AuthorizationDataEntry
|
||||||
|
Ticket []byte
|
||||||
|
SecondTicket []byte
|
||||||
|
}
|
||||||
|
|
||||||
|
// LoadCCache loads a credential cache file into a CCache type.
|
||||||
|
func LoadCCache(cpath string) (*CCache, error) {
|
||||||
|
c := new(CCache)
|
||||||
|
b, err := ioutil.ReadFile(cpath)
|
||||||
|
if err != nil {
|
||||||
|
return c, err
|
||||||
|
}
|
||||||
|
err = c.Unmarshal(b)
|
||||||
|
return c, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unmarshal a byte slice of credential cache data into CCache type.
|
||||||
|
func (c *CCache) Unmarshal(b []byte) error {
|
||||||
|
p := 0
|
||||||
|
//The first byte of the file always has the value 5
|
||||||
|
if int8(b[p]) != 5 {
|
||||||
|
return errors.New("Invalid credential cache data. First byte does not equal 5")
|
||||||
|
}
|
||||||
|
p++
|
||||||
|
//Get credential cache version
|
||||||
|
//The second byte contains the version number (1 to 4)
|
||||||
|
c.Version = b[p]
|
||||||
|
if c.Version < 1 || c.Version > 4 {
|
||||||
|
return errors.New("Invalid credential cache data. Keytab version is not within 1 to 4")
|
||||||
|
}
|
||||||
|
p++
|
||||||
|
//Version 1 or 2 of the file format uses native byte order for integer representations. Versions 3 & 4 always uses big-endian byte order
|
||||||
|
var endian binary.ByteOrder
|
||||||
|
endian = binary.BigEndian
|
||||||
|
if (c.Version == 1 || c.Version == 2) && isNativeEndianLittle() {
|
||||||
|
endian = binary.LittleEndian
|
||||||
|
}
|
||||||
|
if c.Version == 4 {
|
||||||
|
err := parseHeader(b, &p, c, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
c.DefaultPrincipal = parsePrincipal(b, &p, c, &endian)
|
||||||
|
for p < len(b) {
|
||||||
|
cred, err := parseCredential(b, &p, c, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
c.Credentials = append(c.Credentials, cred)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseHeader(b []byte, p *int, c *CCache, e *binary.ByteOrder) error {
|
||||||
|
if c.Version != 4 {
|
||||||
|
return errors.New("Credentials cache version is not 4 so there is no header to parse.")
|
||||||
|
}
|
||||||
|
h := header{}
|
||||||
|
h.length = uint16(readInt16(b, p, e))
|
||||||
|
for *p <= int(h.length) {
|
||||||
|
f := headerField{}
|
||||||
|
f.tag = uint16(readInt16(b, p, e))
|
||||||
|
f.length = uint16(readInt16(b, p, e))
|
||||||
|
f.value = b[*p : *p+int(f.length)]
|
||||||
|
*p += int(f.length)
|
||||||
|
if !f.valid() {
|
||||||
|
return errors.New("Invalid credential cache header found")
|
||||||
|
}
|
||||||
|
h.fields = append(h.fields, f)
|
||||||
|
}
|
||||||
|
c.Header = h
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse the Keytab bytes of a principal into a Keytab entry's principal.
|
||||||
|
func parsePrincipal(b []byte, p *int, c *CCache, e *binary.ByteOrder) (princ principal) {
|
||||||
|
if c.Version != 1 {
|
||||||
|
//Name Type is omitted in version 1
|
||||||
|
princ.PrincipalName.NameType = readInt32(b, p, e)
|
||||||
|
}
|
||||||
|
nc := int(readInt32(b, p, e))
|
||||||
|
if c.Version == 1 {
|
||||||
|
//In version 1 the number of components includes the realm. Minus 1 to make consistent with version 2
|
||||||
|
nc--
|
||||||
|
}
|
||||||
|
lenRealm := readInt32(b, p, e)
|
||||||
|
princ.Realm = string(readBytes(b, p, int(lenRealm), e))
|
||||||
|
for i := 0; i < nc; i++ {
|
||||||
|
l := readInt32(b, p, e)
|
||||||
|
princ.PrincipalName.NameString = append(princ.PrincipalName.NameString, string(readBytes(b, p, int(l), e)))
|
||||||
|
}
|
||||||
|
return princ
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseCredential(b []byte, p *int, c *CCache, e *binary.ByteOrder) (cred *Credential, err error) {
|
||||||
|
cred = new(Credential)
|
||||||
|
cred.Client = parsePrincipal(b, p, c, e)
|
||||||
|
cred.Server = parsePrincipal(b, p, c, e)
|
||||||
|
key := types.EncryptionKey{}
|
||||||
|
key.KeyType = int32(readInt16(b, p, e))
|
||||||
|
if c.Version == 3 {
|
||||||
|
//repeated twice in version 3
|
||||||
|
key.KeyType = int32(readInt16(b, p, e))
|
||||||
|
}
|
||||||
|
key.KeyValue = readData(b, p, e)
|
||||||
|
cred.Key = key
|
||||||
|
cred.AuthTime = readTimestamp(b, p, e)
|
||||||
|
cred.StartTime = readTimestamp(b, p, e)
|
||||||
|
cred.EndTime = readTimestamp(b, p, e)
|
||||||
|
cred.RenewTill = readTimestamp(b, p, e)
|
||||||
|
if ik := readInt8(b, p, e); ik == 0 {
|
||||||
|
cred.IsSKey = false
|
||||||
|
} else {
|
||||||
|
cred.IsSKey = true
|
||||||
|
}
|
||||||
|
cred.TicketFlags = types.NewKrbFlags()
|
||||||
|
cred.TicketFlags.Bytes = readBytes(b, p, 4, e)
|
||||||
|
l := int(readInt32(b, p, e))
|
||||||
|
cred.Addresses = make([]types.HostAddress, l, l)
|
||||||
|
for i := range cred.Addresses {
|
||||||
|
cred.Addresses[i] = readAddress(b, p, e)
|
||||||
|
}
|
||||||
|
l = int(readInt32(b, p, e))
|
||||||
|
cred.AuthData = make([]types.AuthorizationDataEntry, l, l)
|
||||||
|
for i := range cred.AuthData {
|
||||||
|
cred.AuthData[i] = readAuthDataEntry(b, p, e)
|
||||||
|
}
|
||||||
|
cred.Ticket = readData(b, p, e)
|
||||||
|
cred.SecondTicket = readData(b, p, e)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetClientPrincipalName returns a PrincipalName type for the client the credentials cache is for.
|
||||||
|
func (c *CCache) GetClientPrincipalName() types.PrincipalName {
|
||||||
|
return c.DefaultPrincipal.PrincipalName
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetClientRealm returns the reals of the client the credentials cache is for.
|
||||||
|
func (c *CCache) GetClientRealm() string {
|
||||||
|
return c.DefaultPrincipal.Realm
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetClientCredentials returns a Credentials object representing the client of the credentials cache.
|
||||||
|
func (c *CCache) GetClientCredentials() *Credentials {
|
||||||
|
return &Credentials{
|
||||||
|
username: c.DefaultPrincipal.PrincipalName.PrincipalNameString(),
|
||||||
|
realm: c.GetClientRealm(),
|
||||||
|
cname: c.DefaultPrincipal.PrincipalName,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Contains tests if the cache contains a credential for the provided server PrincipalName
|
||||||
|
func (c *CCache) Contains(p types.PrincipalName) bool {
|
||||||
|
for _, cred := range c.Credentials {
|
||||||
|
if cred.Server.PrincipalName.Equal(p) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEntry returns a specific credential for the PrincipalName provided.
|
||||||
|
func (c *CCache) GetEntry(p types.PrincipalName) (*Credential, bool) {
|
||||||
|
cred := new(Credential)
|
||||||
|
var found bool
|
||||||
|
for i := range c.Credentials {
|
||||||
|
if c.Credentials[i].Server.PrincipalName.Equal(p) {
|
||||||
|
cred = c.Credentials[i]
|
||||||
|
found = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !found {
|
||||||
|
return cred, false
|
||||||
|
}
|
||||||
|
return cred, true
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEntries filters out configuration entries an returns a slice of credentials.
|
||||||
|
func (c *CCache) GetEntries() []*Credential {
|
||||||
|
creds := make([]*Credential, 0)
|
||||||
|
for _, cred := range c.Credentials {
|
||||||
|
// Filter out configuration entries
|
||||||
|
if strings.HasPrefix(cred.Server.Realm, "X-CACHECONF") {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
creds = append(creds, cred)
|
||||||
|
}
|
||||||
|
return creds
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h *headerField) valid() bool {
|
||||||
|
// See https://web.mit.edu/kerberos/krb5-latest/doc/formats/ccache_file_format.html - Header format
|
||||||
|
switch h.tag {
|
||||||
|
case headerFieldTagKDCOffset:
|
||||||
|
if h.length != 8 || len(h.value) != 8 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func readData(b []byte, p *int, e *binary.ByteOrder) []byte {
|
||||||
|
l := readInt32(b, p, e)
|
||||||
|
return readBytes(b, p, int(l), e)
|
||||||
|
}
|
||||||
|
|
||||||
|
func readAddress(b []byte, p *int, e *binary.ByteOrder) types.HostAddress {
|
||||||
|
a := types.HostAddress{}
|
||||||
|
a.AddrType = int32(readInt16(b, p, e))
|
||||||
|
a.Address = readData(b, p, e)
|
||||||
|
return a
|
||||||
|
}
|
||||||
|
|
||||||
|
func readAuthDataEntry(b []byte, p *int, e *binary.ByteOrder) types.AuthorizationDataEntry {
|
||||||
|
a := types.AuthorizationDataEntry{}
|
||||||
|
a.ADType = int32(readInt16(b, p, e))
|
||||||
|
a.ADData = readData(b, p, e)
|
||||||
|
return a
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read bytes representing a timestamp.
|
||||||
|
func readTimestamp(b []byte, p *int, e *binary.ByteOrder) time.Time {
|
||||||
|
return time.Unix(int64(readInt32(b, p, e)), 0)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read bytes representing an eight bit integer.
|
||||||
|
func readInt8(b []byte, p *int, e *binary.ByteOrder) (i int8) {
|
||||||
|
buf := bytes.NewBuffer(b[*p : *p+1])
|
||||||
|
binary.Read(buf, *e, &i)
|
||||||
|
*p++
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read bytes representing a sixteen bit integer.
|
||||||
|
func readInt16(b []byte, p *int, e *binary.ByteOrder) (i int16) {
|
||||||
|
buf := bytes.NewBuffer(b[*p : *p+2])
|
||||||
|
binary.Read(buf, *e, &i)
|
||||||
|
*p += 2
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read bytes representing a thirty two bit integer.
|
||||||
|
func readInt32(b []byte, p *int, e *binary.ByteOrder) (i int32) {
|
||||||
|
buf := bytes.NewBuffer(b[*p : *p+4])
|
||||||
|
binary.Read(buf, *e, &i)
|
||||||
|
*p += 4
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func readBytes(b []byte, p *int, s int, e *binary.ByteOrder) []byte {
|
||||||
|
buf := bytes.NewBuffer(b[*p : *p+s])
|
||||||
|
r := make([]byte, s)
|
||||||
|
binary.Read(buf, *e, &r)
|
||||||
|
*p += s
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
func isNativeEndianLittle() bool {
|
||||||
|
var x = 0x012345678
|
||||||
|
var p = unsafe.Pointer(&x)
|
||||||
|
var bp = (*[4]byte)(p)
|
||||||
|
|
||||||
|
var endian bool
|
||||||
|
if 0x01 == bp[0] {
|
||||||
|
endian = false
|
||||||
|
} else if (0x78 & 0xff) == (bp[0] & 0xff) {
|
||||||
|
endian = true
|
||||||
|
} else {
|
||||||
|
// Default to big endian
|
||||||
|
endian = false
|
||||||
|
}
|
||||||
|
return endian
|
||||||
|
}
|
405
vendor/github.com/jcmturner/gokrb5/v8/credentials/credentials.go
generated
vendored
Normal file
405
vendor/github.com/jcmturner/gokrb5/v8/credentials/credentials.go
generated
vendored
Normal file
@ -0,0 +1,405 @@
|
|||||||
|
// Package credentials provides credentials management for Kerberos 5 authentication.
|
||||||
|
package credentials
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/gob"
|
||||||
|
"encoding/json"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/hashicorp/go-uuid"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/nametype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/keytab"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// AttributeKeyADCredentials assigned number for AD credentials.
|
||||||
|
AttributeKeyADCredentials = "gokrb5AttributeKeyADCredentials"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Credentials struct for a user.
|
||||||
|
// Contains either a keytab, password or both.
|
||||||
|
// Keytabs are used over passwords if both are defined.
|
||||||
|
type Credentials struct {
|
||||||
|
username string
|
||||||
|
displayName string
|
||||||
|
realm string
|
||||||
|
cname types.PrincipalName
|
||||||
|
keytab *keytab.Keytab
|
||||||
|
password string
|
||||||
|
attributes map[string]interface{}
|
||||||
|
validUntil time.Time
|
||||||
|
authenticated bool
|
||||||
|
human bool
|
||||||
|
authTime time.Time
|
||||||
|
groupMembership map[string]bool
|
||||||
|
sessionID string
|
||||||
|
}
|
||||||
|
|
||||||
|
// marshalCredentials is used to enable marshaling and unmarshaling of credentials
|
||||||
|
// without having exported fields on the Credentials struct
|
||||||
|
type marshalCredentials struct {
|
||||||
|
Username string
|
||||||
|
DisplayName string
|
||||||
|
Realm string
|
||||||
|
CName types.PrincipalName `json:"-"`
|
||||||
|
Keytab bool
|
||||||
|
Password bool
|
||||||
|
Attributes map[string]interface{} `json:"-"`
|
||||||
|
ValidUntil time.Time
|
||||||
|
Authenticated bool
|
||||||
|
Human bool
|
||||||
|
AuthTime time.Time
|
||||||
|
GroupMembership map[string]bool `json:"-"`
|
||||||
|
SessionID string
|
||||||
|
}
|
||||||
|
|
||||||
|
// ADCredentials contains information obtained from the PAC.
|
||||||
|
type ADCredentials struct {
|
||||||
|
EffectiveName string
|
||||||
|
FullName string
|
||||||
|
UserID int
|
||||||
|
PrimaryGroupID int
|
||||||
|
LogOnTime time.Time
|
||||||
|
LogOffTime time.Time
|
||||||
|
PasswordLastSet time.Time
|
||||||
|
GroupMembershipSIDs []string
|
||||||
|
LogonDomainName string
|
||||||
|
LogonDomainID string
|
||||||
|
LogonServer string
|
||||||
|
}
|
||||||
|
|
||||||
|
// New creates a new Credentials instance.
|
||||||
|
func New(username string, realm string) *Credentials {
|
||||||
|
uid, err := uuid.GenerateUUID()
|
||||||
|
if err != nil {
|
||||||
|
uid = "00unique-sess-ions-uuid-unavailable0"
|
||||||
|
}
|
||||||
|
return &Credentials{
|
||||||
|
username: username,
|
||||||
|
displayName: username,
|
||||||
|
realm: realm,
|
||||||
|
cname: types.NewPrincipalName(nametype.KRB_NT_PRINCIPAL, username),
|
||||||
|
keytab: keytab.New(),
|
||||||
|
attributes: make(map[string]interface{}),
|
||||||
|
groupMembership: make(map[string]bool),
|
||||||
|
sessionID: uid,
|
||||||
|
human: true,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewFromPrincipalName creates a new Credentials instance with the user details provides as a PrincipalName type.
|
||||||
|
func NewFromPrincipalName(cname types.PrincipalName, realm string) *Credentials {
|
||||||
|
c := New(cname.PrincipalNameString(), realm)
|
||||||
|
c.cname = cname
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
|
||||||
|
// WithKeytab sets the Keytab in the Credentials struct.
|
||||||
|
func (c *Credentials) WithKeytab(kt *keytab.Keytab) *Credentials {
|
||||||
|
c.keytab = kt
|
||||||
|
c.password = ""
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
|
||||||
|
// Keytab returns the credential's Keytab.
|
||||||
|
func (c *Credentials) Keytab() *keytab.Keytab {
|
||||||
|
return c.keytab
|
||||||
|
}
|
||||||
|
|
||||||
|
// HasKeytab queries if the Credentials has a keytab defined.
|
||||||
|
func (c *Credentials) HasKeytab() bool {
|
||||||
|
if c.keytab != nil && len(c.keytab.Entries) > 0 {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// WithPassword sets the password in the Credentials struct.
|
||||||
|
func (c *Credentials) WithPassword(password string) *Credentials {
|
||||||
|
c.password = password
|
||||||
|
c.keytab = keytab.New() // clear any keytab
|
||||||
|
return c
|
||||||
|
}
|
||||||
|
|
||||||
|
// Password returns the credential's password.
|
||||||
|
func (c *Credentials) Password() string {
|
||||||
|
return c.password
|
||||||
|
}
|
||||||
|
|
||||||
|
// HasPassword queries if the Credentials has a password defined.
|
||||||
|
func (c *Credentials) HasPassword() bool {
|
||||||
|
if c.password != "" {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetValidUntil sets the expiry time of the credentials
|
||||||
|
func (c *Credentials) SetValidUntil(t time.Time) {
|
||||||
|
c.validUntil = t
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetADCredentials adds ADCredentials attributes to the credentials
|
||||||
|
func (c *Credentials) SetADCredentials(a ADCredentials) {
|
||||||
|
c.SetAttribute(AttributeKeyADCredentials, a)
|
||||||
|
if a.FullName != "" {
|
||||||
|
c.SetDisplayName(a.FullName)
|
||||||
|
}
|
||||||
|
if a.EffectiveName != "" {
|
||||||
|
c.SetUserName(a.EffectiveName)
|
||||||
|
}
|
||||||
|
for i := range a.GroupMembershipSIDs {
|
||||||
|
c.AddAuthzAttribute(a.GroupMembershipSIDs[i])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetADCredentials returns ADCredentials attributes sorted in the credential
|
||||||
|
func (c *Credentials) GetADCredentials() ADCredentials {
|
||||||
|
if a, ok := c.attributes[AttributeKeyADCredentials].(ADCredentials); ok {
|
||||||
|
return a
|
||||||
|
}
|
||||||
|
return ADCredentials{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Methods to implement goidentity.Identity interface
|
||||||
|
|
||||||
|
// UserName returns the credential's username.
|
||||||
|
func (c *Credentials) UserName() string {
|
||||||
|
return c.username
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetUserName sets the username value on the credential.
|
||||||
|
func (c *Credentials) SetUserName(s string) {
|
||||||
|
c.username = s
|
||||||
|
}
|
||||||
|
|
||||||
|
// CName returns the credential's client principal name.
|
||||||
|
func (c *Credentials) CName() types.PrincipalName {
|
||||||
|
return c.cname
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetCName sets the client principal name on the credential.
|
||||||
|
func (c *Credentials) SetCName(pn types.PrincipalName) {
|
||||||
|
c.cname = pn
|
||||||
|
}
|
||||||
|
|
||||||
|
// Domain returns the credential's domain.
|
||||||
|
func (c *Credentials) Domain() string {
|
||||||
|
return c.realm
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetDomain sets the domain value on the credential.
|
||||||
|
func (c *Credentials) SetDomain(s string) {
|
||||||
|
c.realm = s
|
||||||
|
}
|
||||||
|
|
||||||
|
// Realm returns the credential's realm. Same as the domain.
|
||||||
|
func (c *Credentials) Realm() string {
|
||||||
|
return c.Domain()
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetRealm sets the realm value on the credential. Same as the domain
|
||||||
|
func (c *Credentials) SetRealm(s string) {
|
||||||
|
c.SetDomain(s)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DisplayName returns the credential's display name.
|
||||||
|
func (c *Credentials) DisplayName() string {
|
||||||
|
return c.displayName
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetDisplayName sets the display name value on the credential.
|
||||||
|
func (c *Credentials) SetDisplayName(s string) {
|
||||||
|
c.displayName = s
|
||||||
|
}
|
||||||
|
|
||||||
|
// Human returns if the credential represents a human or not.
|
||||||
|
func (c *Credentials) Human() bool {
|
||||||
|
return c.human
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetHuman sets the credential as human.
|
||||||
|
func (c *Credentials) SetHuman(b bool) {
|
||||||
|
c.human = b
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthTime returns the time the credential was authenticated.
|
||||||
|
func (c *Credentials) AuthTime() time.Time {
|
||||||
|
return c.authTime
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetAuthTime sets the time the credential was authenticated.
|
||||||
|
func (c *Credentials) SetAuthTime(t time.Time) {
|
||||||
|
c.authTime = t
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthzAttributes returns the credentials authorizing attributes.
|
||||||
|
func (c *Credentials) AuthzAttributes() []string {
|
||||||
|
s := make([]string, len(c.groupMembership))
|
||||||
|
i := 0
|
||||||
|
for a := range c.groupMembership {
|
||||||
|
s[i] = a
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
return s
|
||||||
|
}
|
||||||
|
|
||||||
|
// Authenticated indicates if the credential has been successfully authenticated or not.
|
||||||
|
func (c *Credentials) Authenticated() bool {
|
||||||
|
return c.authenticated
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetAuthenticated sets the credential as having been successfully authenticated.
|
||||||
|
func (c *Credentials) SetAuthenticated(b bool) {
|
||||||
|
c.authenticated = b
|
||||||
|
}
|
||||||
|
|
||||||
|
// AddAuthzAttribute adds an authorization attribute to the credential.
|
||||||
|
func (c *Credentials) AddAuthzAttribute(a string) {
|
||||||
|
c.groupMembership[a] = true
|
||||||
|
}
|
||||||
|
|
||||||
|
// RemoveAuthzAttribute removes an authorization attribute from the credential.
|
||||||
|
func (c *Credentials) RemoveAuthzAttribute(a string) {
|
||||||
|
if _, ok := c.groupMembership[a]; !ok {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
delete(c.groupMembership, a)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EnableAuthzAttribute toggles an authorization attribute to an enabled state on the credential.
|
||||||
|
func (c *Credentials) EnableAuthzAttribute(a string) {
|
||||||
|
if enabled, ok := c.groupMembership[a]; ok && !enabled {
|
||||||
|
c.groupMembership[a] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// DisableAuthzAttribute toggles an authorization attribute to a disabled state on the credential.
|
||||||
|
func (c *Credentials) DisableAuthzAttribute(a string) {
|
||||||
|
if enabled, ok := c.groupMembership[a]; ok && enabled {
|
||||||
|
c.groupMembership[a] = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Authorized indicates if the credential has the specified authorizing attribute.
|
||||||
|
func (c *Credentials) Authorized(a string) bool {
|
||||||
|
if enabled, ok := c.groupMembership[a]; ok && enabled {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// SessionID returns the credential's session ID.
|
||||||
|
func (c *Credentials) SessionID() string {
|
||||||
|
return c.sessionID
|
||||||
|
}
|
||||||
|
|
||||||
|
// Expired indicates if the credential has expired.
|
||||||
|
func (c *Credentials) Expired() bool {
|
||||||
|
if !c.validUntil.IsZero() && time.Now().UTC().After(c.validUntil) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// ValidUntil returns the credential's valid until date
|
||||||
|
func (c *Credentials) ValidUntil() time.Time {
|
||||||
|
return c.validUntil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Attributes returns the Credentials' attributes map.
|
||||||
|
func (c *Credentials) Attributes() map[string]interface{} {
|
||||||
|
return c.attributes
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetAttribute sets the value of an attribute.
|
||||||
|
func (c *Credentials) SetAttribute(k string, v interface{}) {
|
||||||
|
c.attributes[k] = v
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetAttributes replaces the attributes map with the one provided.
|
||||||
|
func (c *Credentials) SetAttributes(a map[string]interface{}) {
|
||||||
|
c.attributes = a
|
||||||
|
}
|
||||||
|
|
||||||
|
// RemoveAttribute deletes an attribute from the attribute map that has the key provided.
|
||||||
|
func (c *Credentials) RemoveAttribute(k string) {
|
||||||
|
delete(c.attributes, k)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal the Credentials into a byte slice
|
||||||
|
func (c *Credentials) Marshal() ([]byte, error) {
|
||||||
|
gob.Register(map[string]interface{}{})
|
||||||
|
gob.Register(ADCredentials{})
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
enc := gob.NewEncoder(buf)
|
||||||
|
mc := marshalCredentials{
|
||||||
|
Username: c.username,
|
||||||
|
DisplayName: c.displayName,
|
||||||
|
Realm: c.realm,
|
||||||
|
CName: c.cname,
|
||||||
|
Keytab: c.HasKeytab(),
|
||||||
|
Password: c.HasPassword(),
|
||||||
|
Attributes: c.attributes,
|
||||||
|
ValidUntil: c.validUntil,
|
||||||
|
Authenticated: c.authenticated,
|
||||||
|
Human: c.human,
|
||||||
|
AuthTime: c.authTime,
|
||||||
|
GroupMembership: c.groupMembership,
|
||||||
|
SessionID: c.sessionID,
|
||||||
|
}
|
||||||
|
err := enc.Encode(&mc)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, err
|
||||||
|
}
|
||||||
|
return buf.Bytes(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unmarshal a byte slice into Credentials
|
||||||
|
func (c *Credentials) Unmarshal(b []byte) error {
|
||||||
|
gob.Register(map[string]interface{}{})
|
||||||
|
gob.Register(ADCredentials{})
|
||||||
|
mc := new(marshalCredentials)
|
||||||
|
buf := bytes.NewBuffer(b)
|
||||||
|
dec := gob.NewDecoder(buf)
|
||||||
|
err := dec.Decode(mc)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
c.username = mc.Username
|
||||||
|
c.displayName = mc.DisplayName
|
||||||
|
c.realm = mc.Realm
|
||||||
|
c.cname = mc.CName
|
||||||
|
c.attributes = mc.Attributes
|
||||||
|
c.validUntil = mc.ValidUntil
|
||||||
|
c.authenticated = mc.Authenticated
|
||||||
|
c.human = mc.Human
|
||||||
|
c.authTime = mc.AuthTime
|
||||||
|
c.groupMembership = mc.GroupMembership
|
||||||
|
c.sessionID = mc.SessionID
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// JSON return details of the Credentials in a JSON format.
|
||||||
|
func (c *Credentials) JSON() (string, error) {
|
||||||
|
mc := marshalCredentials{
|
||||||
|
Username: c.username,
|
||||||
|
DisplayName: c.displayName,
|
||||||
|
Realm: c.realm,
|
||||||
|
CName: c.cname,
|
||||||
|
Keytab: c.HasKeytab(),
|
||||||
|
Password: c.HasPassword(),
|
||||||
|
ValidUntil: c.validUntil,
|
||||||
|
Authenticated: c.authenticated,
|
||||||
|
Human: c.human,
|
||||||
|
AuthTime: c.authTime,
|
||||||
|
SessionID: c.sessionID,
|
||||||
|
}
|
||||||
|
b, err := json.MarshalIndent(mc, "", " ")
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return string(b), nil
|
||||||
|
}
|
129
vendor/github.com/jcmturner/gokrb5/v8/crypto/aes128-cts-hmac-sha1-96.go
generated
vendored
Normal file
129
vendor/github.com/jcmturner/gokrb5/v8/crypto/aes128-cts-hmac-sha1-96.go
generated
vendored
Normal file
@ -0,0 +1,129 @@
|
|||||||
|
package crypto
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/sha1"
|
||||||
|
"hash"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/common"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc3961"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc3962"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RFC 3962
|
||||||
|
|
||||||
|
// Aes128CtsHmacSha96 implements Kerberos encryption type aes128-cts-hmac-sha1-96
|
||||||
|
type Aes128CtsHmacSha96 struct {
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetETypeID returns the EType ID number.
|
||||||
|
func (e Aes128CtsHmacSha96) GetETypeID() int32 {
|
||||||
|
return etypeID.AES128_CTS_HMAC_SHA1_96
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashID returns the checksum type ID number.
|
||||||
|
func (e Aes128CtsHmacSha96) GetHashID() int32 {
|
||||||
|
return chksumtype.HMAC_SHA1_96_AES128
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeyByteSize returns the number of bytes for key of this etype.
|
||||||
|
func (e Aes128CtsHmacSha96) GetKeyByteSize() int {
|
||||||
|
return 128 / 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeySeedBitLength returns the number of bits for the seed for key generation.
|
||||||
|
func (e Aes128CtsHmacSha96) GetKeySeedBitLength() int {
|
||||||
|
return e.GetKeyByteSize() * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashFunc returns the hash function for this etype.
|
||||||
|
func (e Aes128CtsHmacSha96) GetHashFunc() func() hash.Hash {
|
||||||
|
return sha1.New
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMessageBlockByteSize returns the block size for the etype's messages.
|
||||||
|
func (e Aes128CtsHmacSha96) GetMessageBlockByteSize() int {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetDefaultStringToKeyParams returns the default key derivation parameters in string form.
|
||||||
|
func (e Aes128CtsHmacSha96) GetDefaultStringToKeyParams() string {
|
||||||
|
return "00001000"
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetConfounderByteSize returns the byte count for confounder to be used during cryptographic operations.
|
||||||
|
func (e Aes128CtsHmacSha96) GetConfounderByteSize() int {
|
||||||
|
return aes.BlockSize
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHMACBitLength returns the bit count size of the integrity hash.
|
||||||
|
func (e Aes128CtsHmacSha96) GetHMACBitLength() int {
|
||||||
|
return 96
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetCypherBlockBitLength returns the bit count size of the cypher block.
|
||||||
|
func (e Aes128CtsHmacSha96) GetCypherBlockBitLength() int {
|
||||||
|
return aes.BlockSize * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided.
|
||||||
|
func (e Aes128CtsHmacSha96) StringToKey(secret string, salt string, s2kparams string) ([]byte, error) {
|
||||||
|
return rfc3962.StringToKey(secret, salt, s2kparams, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RandomToKey returns a key from the bytes provided.
|
||||||
|
func (e Aes128CtsHmacSha96) RandomToKey(b []byte) []byte {
|
||||||
|
return rfc3961.RandomToKey(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided.
|
||||||
|
func (e Aes128CtsHmacSha96) EncryptData(key, data []byte) ([]byte, []byte, error) {
|
||||||
|
return rfc3962.EncryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided and concatenates it with the integrity hash to create an encrypted message.
|
||||||
|
func (e Aes128CtsHmacSha96) EncryptMessage(key, message []byte, usage uint32) ([]byte, []byte, error) {
|
||||||
|
return rfc3962.EncryptMessage(key, message, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided.
|
||||||
|
func (e Aes128CtsHmacSha96) DecryptData(key, data []byte) ([]byte, error) {
|
||||||
|
return rfc3962.DecryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided and verifies the integrity of the message.
|
||||||
|
func (e Aes128CtsHmacSha96) DecryptMessage(key, ciphertext []byte, usage uint32) ([]byte, error) {
|
||||||
|
return rfc3962.DecryptMessage(key, ciphertext, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveKey derives a key from the protocol key based on the usage value.
|
||||||
|
func (e Aes128CtsHmacSha96) DeriveKey(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc3961.DeriveKey(protocolKey, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveRandom generates data needed for key generation.
|
||||||
|
func (e Aes128CtsHmacSha96) DeriveRandom(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc3961.DeriveRandom(protocolKey, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity checks the integrity of the plaintext message.
|
||||||
|
func (e Aes128CtsHmacSha96) VerifyIntegrity(protocolKey, ct, pt []byte, usage uint32) bool {
|
||||||
|
return rfc3961.VerifyIntegrity(protocolKey, ct, pt, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetChecksumHash returns a keyed checksum hash of the bytes provided.
|
||||||
|
func (e Aes128CtsHmacSha96) GetChecksumHash(protocolKey, data []byte, usage uint32) ([]byte, error) {
|
||||||
|
return common.GetHash(data, protocolKey, common.GetUsageKc(usage), e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyChecksum compares the checksum of the message bytes is the same as the checksum provided.
|
||||||
|
func (e Aes128CtsHmacSha96) VerifyChecksum(protocolKey, data, chksum []byte, usage uint32) bool {
|
||||||
|
c, err := e.GetChecksumHash(protocolKey, data, usage)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return hmac.Equal(chksum, c)
|
||||||
|
}
|
132
vendor/github.com/jcmturner/gokrb5/v8/crypto/aes128-cts-hmac-sha256-128.go
generated
vendored
Normal file
132
vendor/github.com/jcmturner/gokrb5/v8/crypto/aes128-cts-hmac-sha256-128.go
generated
vendored
Normal file
@ -0,0 +1,132 @@
|
|||||||
|
package crypto
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/sha256"
|
||||||
|
"hash"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/common"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc8009"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RFC https://tools.ietf.org/html/rfc8009
|
||||||
|
|
||||||
|
// Aes128CtsHmacSha256128 implements Kerberos encryption type aes128-cts-hmac-sha256-128
|
||||||
|
type Aes128CtsHmacSha256128 struct {
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetETypeID returns the EType ID number.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetETypeID() int32 {
|
||||||
|
return etypeID.AES128_CTS_HMAC_SHA256_128
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashID returns the checksum type ID number.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetHashID() int32 {
|
||||||
|
return chksumtype.HMAC_SHA256_128_AES128
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeyByteSize returns the number of bytes for key of this etype.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetKeyByteSize() int {
|
||||||
|
return 128 / 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeySeedBitLength returns the number of bits for the seed for key generation.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetKeySeedBitLength() int {
|
||||||
|
return e.GetKeyByteSize() * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashFunc returns the hash function for this etype.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetHashFunc() func() hash.Hash {
|
||||||
|
return sha256.New
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMessageBlockByteSize returns the block size for the etype's messages.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetMessageBlockByteSize() int {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetDefaultStringToKeyParams returns the default key derivation parameters in string form.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetDefaultStringToKeyParams() string {
|
||||||
|
return "00008000"
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetConfounderByteSize returns the byte count for confounder to be used during cryptographic operations.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetConfounderByteSize() int {
|
||||||
|
return aes.BlockSize
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHMACBitLength returns the bit count size of the integrity hash.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetHMACBitLength() int {
|
||||||
|
return 128
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetCypherBlockBitLength returns the bit count size of the cypher block.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetCypherBlockBitLength() int {
|
||||||
|
return aes.BlockSize * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided.
|
||||||
|
func (e Aes128CtsHmacSha256128) StringToKey(secret string, salt string, s2kparams string) ([]byte, error) {
|
||||||
|
saltp := rfc8009.GetSaltP(salt, "aes128-cts-hmac-sha256-128")
|
||||||
|
return rfc8009.StringToKey(secret, saltp, s2kparams, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RandomToKey returns a key from the bytes provided.
|
||||||
|
func (e Aes128CtsHmacSha256128) RandomToKey(b []byte) []byte {
|
||||||
|
return rfc8009.RandomToKey(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided.
|
||||||
|
func (e Aes128CtsHmacSha256128) EncryptData(key, data []byte) ([]byte, []byte, error) {
|
||||||
|
return rfc8009.EncryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided and concatenates it with the integrity hash to create an encrypted message.
|
||||||
|
func (e Aes128CtsHmacSha256128) EncryptMessage(key, message []byte, usage uint32) ([]byte, []byte, error) {
|
||||||
|
return rfc8009.EncryptMessage(key, message, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided.
|
||||||
|
func (e Aes128CtsHmacSha256128) DecryptData(key, data []byte) ([]byte, error) {
|
||||||
|
return rfc8009.DecryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided and verifies the integrity of the message.
|
||||||
|
func (e Aes128CtsHmacSha256128) DecryptMessage(key, ciphertext []byte, usage uint32) ([]byte, error) {
|
||||||
|
return rfc8009.DecryptMessage(key, ciphertext, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveKey derives a key from the protocol key based on the usage value.
|
||||||
|
func (e Aes128CtsHmacSha256128) DeriveKey(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc8009.DeriveKey(protocolKey, usage, e), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveRandom generates data needed for key generation.
|
||||||
|
func (e Aes128CtsHmacSha256128) DeriveRandom(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc8009.DeriveRandom(protocolKey, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity checks the integrity of the ciphertext message.
|
||||||
|
// As the hash is calculated over the iv concatenated with the AES cipher output not the plaintext the pt value to this
|
||||||
|
// interface method is not use. Pass any []byte.
|
||||||
|
func (e Aes128CtsHmacSha256128) VerifyIntegrity(protocolKey, ct, pt []byte, usage uint32) bool {
|
||||||
|
// We don't need ib just there for the interface
|
||||||
|
return rfc8009.VerifyIntegrity(protocolKey, ct, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetChecksumHash returns a keyed checksum hash of the bytes provided.
|
||||||
|
func (e Aes128CtsHmacSha256128) GetChecksumHash(protocolKey, data []byte, usage uint32) ([]byte, error) {
|
||||||
|
return common.GetHash(data, protocolKey, common.GetUsageKc(usage), e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyChecksum compares the checksum of the message bytes is the same as the checksum provided.
|
||||||
|
func (e Aes128CtsHmacSha256128) VerifyChecksum(protocolKey, data, chksum []byte, usage uint32) bool {
|
||||||
|
c, err := e.GetChecksumHash(protocolKey, data, usage)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return hmac.Equal(chksum, c)
|
||||||
|
}
|
129
vendor/github.com/jcmturner/gokrb5/v8/crypto/aes256-cts-hmac-sha1-96.go
generated
vendored
Normal file
129
vendor/github.com/jcmturner/gokrb5/v8/crypto/aes256-cts-hmac-sha1-96.go
generated
vendored
Normal file
@ -0,0 +1,129 @@
|
|||||||
|
package crypto
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/sha1"
|
||||||
|
"hash"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/common"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc3961"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc3962"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RFC 3962
|
||||||
|
|
||||||
|
// Aes256CtsHmacSha96 implements Kerberos encryption type aes256-cts-hmac-sha1-96
|
||||||
|
type Aes256CtsHmacSha96 struct {
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetETypeID returns the EType ID number.
|
||||||
|
func (e Aes256CtsHmacSha96) GetETypeID() int32 {
|
||||||
|
return etypeID.AES256_CTS_HMAC_SHA1_96
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashID returns the checksum type ID number.
|
||||||
|
func (e Aes256CtsHmacSha96) GetHashID() int32 {
|
||||||
|
return chksumtype.HMAC_SHA1_96_AES256
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeyByteSize returns the number of bytes for key of this etype.
|
||||||
|
func (e Aes256CtsHmacSha96) GetKeyByteSize() int {
|
||||||
|
return 256 / 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeySeedBitLength returns the number of bits for the seed for key generation.
|
||||||
|
func (e Aes256CtsHmacSha96) GetKeySeedBitLength() int {
|
||||||
|
return e.GetKeyByteSize() * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashFunc returns the hash function for this etype.
|
||||||
|
func (e Aes256CtsHmacSha96) GetHashFunc() func() hash.Hash {
|
||||||
|
return sha1.New
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMessageBlockByteSize returns the block size for the etype's messages.
|
||||||
|
func (e Aes256CtsHmacSha96) GetMessageBlockByteSize() int {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetDefaultStringToKeyParams returns the default key derivation parameters in string form.
|
||||||
|
func (e Aes256CtsHmacSha96) GetDefaultStringToKeyParams() string {
|
||||||
|
return "00001000"
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetConfounderByteSize returns the byte count for confounder to be used during cryptographic operations.
|
||||||
|
func (e Aes256CtsHmacSha96) GetConfounderByteSize() int {
|
||||||
|
return aes.BlockSize
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHMACBitLength returns the bit count size of the integrity hash.
|
||||||
|
func (e Aes256CtsHmacSha96) GetHMACBitLength() int {
|
||||||
|
return 96
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetCypherBlockBitLength returns the bit count size of the cypher block.
|
||||||
|
func (e Aes256CtsHmacSha96) GetCypherBlockBitLength() int {
|
||||||
|
return aes.BlockSize * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided.
|
||||||
|
func (e Aes256CtsHmacSha96) StringToKey(secret string, salt string, s2kparams string) ([]byte, error) {
|
||||||
|
return rfc3962.StringToKey(secret, salt, s2kparams, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RandomToKey returns a key from the bytes provided.
|
||||||
|
func (e Aes256CtsHmacSha96) RandomToKey(b []byte) []byte {
|
||||||
|
return rfc3961.RandomToKey(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided.
|
||||||
|
func (e Aes256CtsHmacSha96) EncryptData(key, data []byte) ([]byte, []byte, error) {
|
||||||
|
return rfc3962.EncryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided and concatenates it with the integrity hash to create an encrypted message.
|
||||||
|
func (e Aes256CtsHmacSha96) EncryptMessage(key, message []byte, usage uint32) ([]byte, []byte, error) {
|
||||||
|
return rfc3962.EncryptMessage(key, message, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided.
|
||||||
|
func (e Aes256CtsHmacSha96) DecryptData(key, data []byte) ([]byte, error) {
|
||||||
|
return rfc3962.DecryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided and verifies the integrity of the message.
|
||||||
|
func (e Aes256CtsHmacSha96) DecryptMessage(key, ciphertext []byte, usage uint32) ([]byte, error) {
|
||||||
|
return rfc3962.DecryptMessage(key, ciphertext, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveKey derives a key from the protocol key based on the usage value.
|
||||||
|
func (e Aes256CtsHmacSha96) DeriveKey(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc3961.DeriveKey(protocolKey, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveRandom generates data needed for key generation.
|
||||||
|
func (e Aes256CtsHmacSha96) DeriveRandom(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc3961.DeriveRandom(protocolKey, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity checks the integrity of the plaintext message.
|
||||||
|
func (e Aes256CtsHmacSha96) VerifyIntegrity(protocolKey, ct, pt []byte, usage uint32) bool {
|
||||||
|
return rfc3961.VerifyIntegrity(protocolKey, ct, pt, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetChecksumHash returns a keyed checksum hash of the bytes provided.
|
||||||
|
func (e Aes256CtsHmacSha96) GetChecksumHash(protocolKey, data []byte, usage uint32) ([]byte, error) {
|
||||||
|
return common.GetHash(data, protocolKey, common.GetUsageKc(usage), e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyChecksum compares the checksum of the message bytes is the same as the checksum provided.
|
||||||
|
func (e Aes256CtsHmacSha96) VerifyChecksum(protocolKey, data, chksum []byte, usage uint32) bool {
|
||||||
|
c, err := e.GetChecksumHash(protocolKey, data, usage)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return hmac.Equal(chksum, c)
|
||||||
|
}
|
132
vendor/github.com/jcmturner/gokrb5/v8/crypto/aes256-cts-hmac-sha384-192.go
generated
vendored
Normal file
132
vendor/github.com/jcmturner/gokrb5/v8/crypto/aes256-cts-hmac-sha384-192.go
generated
vendored
Normal file
@ -0,0 +1,132 @@
|
|||||||
|
package crypto
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/sha512"
|
||||||
|
"hash"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/common"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc8009"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RFC https://tools.ietf.org/html/rfc8009
|
||||||
|
|
||||||
|
// Aes256CtsHmacSha384192 implements Kerberos encryption type aes256-cts-hmac-sha384-192
|
||||||
|
type Aes256CtsHmacSha384192 struct {
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetETypeID returns the EType ID number.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetETypeID() int32 {
|
||||||
|
return etypeID.AES256_CTS_HMAC_SHA384_192
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashID returns the checksum type ID number.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetHashID() int32 {
|
||||||
|
return chksumtype.HMAC_SHA384_192_AES256
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeyByteSize returns the number of bytes for key of this etype.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetKeyByteSize() int {
|
||||||
|
return 192 / 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeySeedBitLength returns the number of bits for the seed for key generation.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetKeySeedBitLength() int {
|
||||||
|
return e.GetKeyByteSize() * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashFunc returns the hash function for this etype.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetHashFunc() func() hash.Hash {
|
||||||
|
return sha512.New384
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMessageBlockByteSize returns the block size for the etype's messages.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetMessageBlockByteSize() int {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetDefaultStringToKeyParams returns the default key derivation parameters in string form.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetDefaultStringToKeyParams() string {
|
||||||
|
return "00008000"
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetConfounderByteSize returns the byte count for confounder to be used during cryptographic operations.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetConfounderByteSize() int {
|
||||||
|
return aes.BlockSize
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHMACBitLength returns the bit count size of the integrity hash.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetHMACBitLength() int {
|
||||||
|
return 192
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetCypherBlockBitLength returns the bit count size of the cypher block.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetCypherBlockBitLength() int {
|
||||||
|
return aes.BlockSize * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided.
|
||||||
|
func (e Aes256CtsHmacSha384192) StringToKey(secret string, salt string, s2kparams string) ([]byte, error) {
|
||||||
|
saltp := rfc8009.GetSaltP(salt, "aes256-cts-hmac-sha384-192")
|
||||||
|
return rfc8009.StringToKey(secret, saltp, s2kparams, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RandomToKey returns a key from the bytes provided.
|
||||||
|
func (e Aes256CtsHmacSha384192) RandomToKey(b []byte) []byte {
|
||||||
|
return rfc8009.RandomToKey(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided.
|
||||||
|
func (e Aes256CtsHmacSha384192) EncryptData(key, data []byte) ([]byte, []byte, error) {
|
||||||
|
return rfc8009.EncryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided and concatenates it with the integrity hash to create an encrypted message.
|
||||||
|
func (e Aes256CtsHmacSha384192) EncryptMessage(key, message []byte, usage uint32) ([]byte, []byte, error) {
|
||||||
|
return rfc8009.EncryptMessage(key, message, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided.
|
||||||
|
func (e Aes256CtsHmacSha384192) DecryptData(key, data []byte) ([]byte, error) {
|
||||||
|
return rfc8009.DecryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided and verifies the integrity of the message.
|
||||||
|
func (e Aes256CtsHmacSha384192) DecryptMessage(key, ciphertext []byte, usage uint32) ([]byte, error) {
|
||||||
|
return rfc8009.DecryptMessage(key, ciphertext, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveKey derives a key from the protocol key based on the usage value.
|
||||||
|
func (e Aes256CtsHmacSha384192) DeriveKey(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc8009.DeriveKey(protocolKey, usage, e), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveRandom generates data needed for key generation.
|
||||||
|
func (e Aes256CtsHmacSha384192) DeriveRandom(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc8009.DeriveRandom(protocolKey, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity checks the integrity of the ciphertext message.
|
||||||
|
// As the hash is calculated over the iv concatenated with the AES cipher output not the plaintext the pt value to this
|
||||||
|
// interface method is not use. Pass any []byte.
|
||||||
|
func (e Aes256CtsHmacSha384192) VerifyIntegrity(protocolKey, ct, pt []byte, usage uint32) bool {
|
||||||
|
// We don't need ib just there for the interface
|
||||||
|
return rfc8009.VerifyIntegrity(protocolKey, ct, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetChecksumHash returns a keyed checksum hash of the bytes provided.
|
||||||
|
func (e Aes256CtsHmacSha384192) GetChecksumHash(protocolKey, data []byte, usage uint32) ([]byte, error) {
|
||||||
|
return common.GetHash(data, protocolKey, common.GetUsageKc(usage), e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyChecksum compares the checksum of the message bytes is the same as the checksum provided.
|
||||||
|
func (e Aes256CtsHmacSha384192) VerifyChecksum(protocolKey, data, chksum []byte, usage uint32) bool {
|
||||||
|
c, err := e.GetChecksumHash(protocolKey, data, usage)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return hmac.Equal(chksum, c)
|
||||||
|
}
|
132
vendor/github.com/jcmturner/gokrb5/v8/crypto/common/common.go
generated
vendored
Normal file
132
vendor/github.com/jcmturner/gokrb5/v8/crypto/common/common.go
generated
vendored
Normal file
@ -0,0 +1,132 @@
|
|||||||
|
// Package common provides encryption methods common across encryption types
|
||||||
|
package common
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"encoding/binary"
|
||||||
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ZeroPad pads bytes with zeros to nearest multiple of message size m.
|
||||||
|
func ZeroPad(b []byte, m int) ([]byte, error) {
|
||||||
|
if m <= 0 {
|
||||||
|
return nil, errors.New("Invalid message block size when padding")
|
||||||
|
}
|
||||||
|
if b == nil || len(b) == 0 {
|
||||||
|
return nil, errors.New("Data not valid to pad: Zero size")
|
||||||
|
}
|
||||||
|
if l := len(b) % m; l != 0 {
|
||||||
|
n := m - l
|
||||||
|
z := make([]byte, n)
|
||||||
|
b = append(b, z...)
|
||||||
|
}
|
||||||
|
return b, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// PKCS7Pad pads bytes according to RFC 2315 to nearest multiple of message size m.
|
||||||
|
func PKCS7Pad(b []byte, m int) ([]byte, error) {
|
||||||
|
if m <= 0 {
|
||||||
|
return nil, errors.New("Invalid message block size when padding")
|
||||||
|
}
|
||||||
|
if b == nil || len(b) == 0 {
|
||||||
|
return nil, errors.New("Data not valid to pad: Zero size")
|
||||||
|
}
|
||||||
|
n := m - (len(b) % m)
|
||||||
|
pb := make([]byte, len(b)+n)
|
||||||
|
copy(pb, b)
|
||||||
|
copy(pb[len(b):], bytes.Repeat([]byte{byte(n)}, n))
|
||||||
|
return pb, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// PKCS7Unpad removes RFC 2315 padding from byes where message size is m.
|
||||||
|
func PKCS7Unpad(b []byte, m int) ([]byte, error) {
|
||||||
|
if m <= 0 {
|
||||||
|
return nil, errors.New("invalid message block size when unpadding")
|
||||||
|
}
|
||||||
|
if b == nil || len(b) == 0 {
|
||||||
|
return nil, errors.New("padded data not valid: Zero size")
|
||||||
|
}
|
||||||
|
if len(b)%m != 0 {
|
||||||
|
return nil, errors.New("padded data not valid: Not multiple of message block size")
|
||||||
|
}
|
||||||
|
c := b[len(b)-1]
|
||||||
|
n := int(c)
|
||||||
|
if n == 0 || n > len(b) {
|
||||||
|
return nil, errors.New("padded data not valid: Data may not have been padded")
|
||||||
|
}
|
||||||
|
for i := 0; i < n; i++ {
|
||||||
|
if b[len(b)-n+i] != c {
|
||||||
|
return nil, errors.New("padded data not valid")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return b[:len(b)-n], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHash generates the keyed hash value according to the etype's hash function.
|
||||||
|
func GetHash(pt, key []byte, usage []byte, etype etype.EType) ([]byte, error) {
|
||||||
|
k, err := etype.DeriveKey(key, usage)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("unable to derive key for checksum: %v", err)
|
||||||
|
}
|
||||||
|
mac := hmac.New(etype.GetHashFunc(), k)
|
||||||
|
p := make([]byte, len(pt))
|
||||||
|
copy(p, pt)
|
||||||
|
mac.Write(p)
|
||||||
|
return mac.Sum(nil)[:etype.GetHMACBitLength()/8], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetChecksumHash returns a keyed checksum hash of the bytes provided.
|
||||||
|
func GetChecksumHash(b, key []byte, usage uint32, etype etype.EType) ([]byte, error) {
|
||||||
|
return GetHash(b, key, GetUsageKc(usage), etype)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetIntegrityHash returns a keyed integrity hash of the bytes provided.
|
||||||
|
func GetIntegrityHash(b, key []byte, usage uint32, etype etype.EType) ([]byte, error) {
|
||||||
|
return GetHash(b, key, GetUsageKi(usage), etype)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyChecksum compares the checksum of the msg bytes is the same as the checksum provided.
|
||||||
|
func VerifyChecksum(key, chksum, msg []byte, usage uint32, etype etype.EType) bool {
|
||||||
|
//The encrypted message is a concatenation of the encrypted output and the hash HMAC.
|
||||||
|
expectedMAC, _ := GetChecksumHash(msg, key, usage, etype)
|
||||||
|
return hmac.Equal(chksum, expectedMAC)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetUsageKc returns the checksum key usage value for the usage number un.
|
||||||
|
//
|
||||||
|
// See RFC 3961 5.3 key-derivation function definition.
|
||||||
|
func GetUsageKc(un uint32) []byte {
|
||||||
|
return getUsage(un, 0x99)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetUsageKe returns the encryption key usage value for the usage number un
|
||||||
|
//
|
||||||
|
// See RFC 3961 5.3 key-derivation function definition.
|
||||||
|
func GetUsageKe(un uint32) []byte {
|
||||||
|
return getUsage(un, 0xAA)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetUsageKi returns the integrity key usage value for the usage number un
|
||||||
|
//
|
||||||
|
// See RFC 3961 5.3 key-derivation function definition.
|
||||||
|
func GetUsageKi(un uint32) []byte {
|
||||||
|
return getUsage(un, 0x55)
|
||||||
|
}
|
||||||
|
|
||||||
|
func getUsage(un uint32, o byte) []byte {
|
||||||
|
var buf bytes.Buffer
|
||||||
|
binary.Write(&buf, binary.BigEndian, un)
|
||||||
|
return append(buf.Bytes(), o)
|
||||||
|
}
|
||||||
|
|
||||||
|
// IterationsToS2Kparams converts the number of iterations as an integer to a string representation.
|
||||||
|
func IterationsToS2Kparams(i uint32) string {
|
||||||
|
b := make([]byte, 4, 4)
|
||||||
|
binary.BigEndian.PutUint32(b, i)
|
||||||
|
return hex.EncodeToString(b)
|
||||||
|
}
|
175
vendor/github.com/jcmturner/gokrb5/v8/crypto/crypto.go
generated
vendored
Normal file
175
vendor/github.com/jcmturner/gokrb5/v8/crypto/crypto.go
generated
vendored
Normal file
@ -0,0 +1,175 @@
|
|||||||
|
// Package crypto implements cryptographic functions for Kerberos 5 implementation.
|
||||||
|
package crypto
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/hex"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/patype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// GetEtype returns an instances of the required etype struct for the etype ID.
|
||||||
|
func GetEtype(id int32) (etype.EType, error) {
|
||||||
|
switch id {
|
||||||
|
case etypeID.AES128_CTS_HMAC_SHA1_96:
|
||||||
|
var et Aes128CtsHmacSha96
|
||||||
|
return et, nil
|
||||||
|
case etypeID.AES256_CTS_HMAC_SHA1_96:
|
||||||
|
var et Aes256CtsHmacSha96
|
||||||
|
return et, nil
|
||||||
|
case etypeID.AES128_CTS_HMAC_SHA256_128:
|
||||||
|
var et Aes128CtsHmacSha256128
|
||||||
|
return et, nil
|
||||||
|
case etypeID.AES256_CTS_HMAC_SHA384_192:
|
||||||
|
var et Aes256CtsHmacSha384192
|
||||||
|
return et, nil
|
||||||
|
case etypeID.DES3_CBC_SHA1_KD:
|
||||||
|
var et Des3CbcSha1Kd
|
||||||
|
return et, nil
|
||||||
|
case etypeID.RC4_HMAC:
|
||||||
|
var et RC4HMAC
|
||||||
|
return et, nil
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("unknown or unsupported EType: %d", id)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetChksumEtype returns an instances of the required etype struct for the checksum ID.
|
||||||
|
func GetChksumEtype(id int32) (etype.EType, error) {
|
||||||
|
switch id {
|
||||||
|
case chksumtype.HMAC_SHA1_96_AES128:
|
||||||
|
var et Aes128CtsHmacSha96
|
||||||
|
return et, nil
|
||||||
|
case chksumtype.HMAC_SHA1_96_AES256:
|
||||||
|
var et Aes256CtsHmacSha96
|
||||||
|
return et, nil
|
||||||
|
case chksumtype.HMAC_SHA256_128_AES128:
|
||||||
|
var et Aes128CtsHmacSha256128
|
||||||
|
return et, nil
|
||||||
|
case chksumtype.HMAC_SHA384_192_AES256:
|
||||||
|
var et Aes256CtsHmacSha384192
|
||||||
|
return et, nil
|
||||||
|
case chksumtype.HMAC_SHA1_DES3_KD:
|
||||||
|
var et Des3CbcSha1Kd
|
||||||
|
return et, nil
|
||||||
|
case chksumtype.KERB_CHECKSUM_HMAC_MD5:
|
||||||
|
var et RC4HMAC
|
||||||
|
return et, nil
|
||||||
|
//case chksumtype.KERB_CHECKSUM_HMAC_MD5_UNSIGNED:
|
||||||
|
// var et RC4HMAC
|
||||||
|
// return et, nil
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("unknown or unsupported checksum type: %d", id)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeyFromPassword generates an encryption key from the principal's password.
|
||||||
|
func GetKeyFromPassword(passwd string, cname types.PrincipalName, realm string, etypeID int32, pas types.PADataSequence) (types.EncryptionKey, etype.EType, error) {
|
||||||
|
var key types.EncryptionKey
|
||||||
|
et, err := GetEtype(etypeID)
|
||||||
|
if err != nil {
|
||||||
|
return key, et, fmt.Errorf("error getting encryption type: %v", err)
|
||||||
|
}
|
||||||
|
sk2p := et.GetDefaultStringToKeyParams()
|
||||||
|
var salt string
|
||||||
|
var paID int32
|
||||||
|
for _, pa := range pas {
|
||||||
|
switch pa.PADataType {
|
||||||
|
case patype.PA_PW_SALT:
|
||||||
|
if paID > pa.PADataType {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
salt = string(pa.PADataValue)
|
||||||
|
case patype.PA_ETYPE_INFO:
|
||||||
|
if paID > pa.PADataType {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
var eti types.ETypeInfo
|
||||||
|
err := eti.Unmarshal(pa.PADataValue)
|
||||||
|
if err != nil {
|
||||||
|
return key, et, fmt.Errorf("error unmashaling PA Data to PA-ETYPE-INFO2: %v", err)
|
||||||
|
}
|
||||||
|
if etypeID != eti[0].EType {
|
||||||
|
et, err = GetEtype(eti[0].EType)
|
||||||
|
if err != nil {
|
||||||
|
return key, et, fmt.Errorf("error getting encryption type: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
salt = string(eti[0].Salt)
|
||||||
|
case patype.PA_ETYPE_INFO2:
|
||||||
|
if paID > pa.PADataType {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
var et2 types.ETypeInfo2
|
||||||
|
err := et2.Unmarshal(pa.PADataValue)
|
||||||
|
if err != nil {
|
||||||
|
return key, et, fmt.Errorf("error unmashalling PA Data to PA-ETYPE-INFO2: %v", err)
|
||||||
|
}
|
||||||
|
if etypeID != et2[0].EType {
|
||||||
|
et, err = GetEtype(et2[0].EType)
|
||||||
|
if err != nil {
|
||||||
|
return key, et, fmt.Errorf("error getting encryption type: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(et2[0].S2KParams) == 4 {
|
||||||
|
sk2p = hex.EncodeToString(et2[0].S2KParams)
|
||||||
|
}
|
||||||
|
salt = et2[0].Salt
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if salt == "" {
|
||||||
|
salt = cname.GetSalt(realm)
|
||||||
|
}
|
||||||
|
k, err := et.StringToKey(passwd, salt, sk2p)
|
||||||
|
if err != nil {
|
||||||
|
return key, et, fmt.Errorf("error deriving key from string: %+v", err)
|
||||||
|
}
|
||||||
|
key = types.EncryptionKey{
|
||||||
|
KeyType: etypeID,
|
||||||
|
KeyValue: k,
|
||||||
|
}
|
||||||
|
return key, et, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEncryptedData encrypts the data provided and returns and EncryptedData type.
|
||||||
|
// Pass a usage value of zero to use the key provided directly rather than deriving one.
|
||||||
|
func GetEncryptedData(plainBytes []byte, key types.EncryptionKey, usage uint32, kvno int) (types.EncryptedData, error) {
|
||||||
|
var ed types.EncryptedData
|
||||||
|
et, err := GetEtype(key.KeyType)
|
||||||
|
if err != nil {
|
||||||
|
return ed, fmt.Errorf("error getting etype: %v", err)
|
||||||
|
}
|
||||||
|
_, b, err := et.EncryptMessage(key.KeyValue, plainBytes, usage)
|
||||||
|
if err != nil {
|
||||||
|
return ed, err
|
||||||
|
}
|
||||||
|
|
||||||
|
ed = types.EncryptedData{
|
||||||
|
EType: key.KeyType,
|
||||||
|
Cipher: b,
|
||||||
|
KVNO: kvno,
|
||||||
|
}
|
||||||
|
return ed, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptEncPart decrypts the EncryptedData.
|
||||||
|
func DecryptEncPart(ed types.EncryptedData, key types.EncryptionKey, usage uint32) ([]byte, error) {
|
||||||
|
return DecryptMessage(ed.Cipher, key, usage)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the ciphertext and verifies the integrity.
|
||||||
|
func DecryptMessage(ciphertext []byte, key types.EncryptionKey, usage uint32) ([]byte, error) {
|
||||||
|
et, err := GetEtype(key.KeyType)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, fmt.Errorf("error decrypting: %v", err)
|
||||||
|
}
|
||||||
|
b, err := et.DecryptMessage(key.KeyValue, ciphertext, usage)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error decrypting: %v", err)
|
||||||
|
}
|
||||||
|
return b, nil
|
||||||
|
}
|
139
vendor/github.com/jcmturner/gokrb5/v8/crypto/des3-cbc-sha1-kd.go
generated
vendored
Normal file
139
vendor/github.com/jcmturner/gokrb5/v8/crypto/des3-cbc-sha1-kd.go
generated
vendored
Normal file
@ -0,0 +1,139 @@
|
|||||||
|
package crypto
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/des"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/sha1"
|
||||||
|
"errors"
|
||||||
|
"hash"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/common"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc3961"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
)
|
||||||
|
|
||||||
|
//RFC: 3961 Section 6.3
|
||||||
|
|
||||||
|
// Des3CbcSha1Kd implements Kerberos encryption type des3-cbc-hmac-sha1-kd
|
||||||
|
type Des3CbcSha1Kd struct {
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetETypeID returns the EType ID number.
|
||||||
|
func (e Des3CbcSha1Kd) GetETypeID() int32 {
|
||||||
|
return etypeID.DES3_CBC_SHA1_KD
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashID returns the checksum type ID number.
|
||||||
|
func (e Des3CbcSha1Kd) GetHashID() int32 {
|
||||||
|
return chksumtype.HMAC_SHA1_DES3_KD
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeyByteSize returns the number of bytes for key of this etype.
|
||||||
|
func (e Des3CbcSha1Kd) GetKeyByteSize() int {
|
||||||
|
return 24
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeySeedBitLength returns the number of bits for the seed for key generation.
|
||||||
|
func (e Des3CbcSha1Kd) GetKeySeedBitLength() int {
|
||||||
|
return 21 * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashFunc returns the hash function for this etype.
|
||||||
|
func (e Des3CbcSha1Kd) GetHashFunc() func() hash.Hash {
|
||||||
|
return sha1.New
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMessageBlockByteSize returns the block size for the etype's messages.
|
||||||
|
func (e Des3CbcSha1Kd) GetMessageBlockByteSize() int {
|
||||||
|
//For traditional CBC mode with padding, it would be the underlying cipher's block size
|
||||||
|
return des.BlockSize
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetDefaultStringToKeyParams returns the default key derivation parameters in string form.
|
||||||
|
func (e Des3CbcSha1Kd) GetDefaultStringToKeyParams() string {
|
||||||
|
var s string
|
||||||
|
return s
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetConfounderByteSize returns the byte count for confounder to be used during cryptographic operations.
|
||||||
|
func (e Des3CbcSha1Kd) GetConfounderByteSize() int {
|
||||||
|
return des.BlockSize
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHMACBitLength returns the bit count size of the integrity hash.
|
||||||
|
func (e Des3CbcSha1Kd) GetHMACBitLength() int {
|
||||||
|
return e.GetHashFunc()().Size() * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetCypherBlockBitLength returns the bit count size of the cypher block.
|
||||||
|
func (e Des3CbcSha1Kd) GetCypherBlockBitLength() int {
|
||||||
|
return des.BlockSize * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided.
|
||||||
|
func (e Des3CbcSha1Kd) StringToKey(secret string, salt string, s2kparams string) ([]byte, error) {
|
||||||
|
if s2kparams != "" {
|
||||||
|
return []byte{}, errors.New("s2kparams must be an empty string")
|
||||||
|
}
|
||||||
|
return rfc3961.DES3StringToKey(secret, salt, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RandomToKey returns a key from the bytes provided.
|
||||||
|
func (e Des3CbcSha1Kd) RandomToKey(b []byte) []byte {
|
||||||
|
return rfc3961.DES3RandomToKey(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveRandom generates data needed for key generation.
|
||||||
|
func (e Des3CbcSha1Kd) DeriveRandom(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
r, err := rfc3961.DeriveRandom(protocolKey, usage, e)
|
||||||
|
return r, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveKey derives a key from the protocol key based on the usage value.
|
||||||
|
func (e Des3CbcSha1Kd) DeriveKey(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
r, err := e.DeriveRandom(protocolKey, usage)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return e.RandomToKey(r), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided.
|
||||||
|
func (e Des3CbcSha1Kd) EncryptData(key, data []byte) ([]byte, []byte, error) {
|
||||||
|
return rfc3961.DES3EncryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided and concatenates it with the integrity hash to create an encrypted message.
|
||||||
|
func (e Des3CbcSha1Kd) EncryptMessage(key, message []byte, usage uint32) ([]byte, []byte, error) {
|
||||||
|
return rfc3961.DES3EncryptMessage(key, message, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided.
|
||||||
|
func (e Des3CbcSha1Kd) DecryptData(key, data []byte) ([]byte, error) {
|
||||||
|
return rfc3961.DES3DecryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided and verifies the integrity of the message.
|
||||||
|
func (e Des3CbcSha1Kd) DecryptMessage(key, ciphertext []byte, usage uint32) ([]byte, error) {
|
||||||
|
return rfc3961.DES3DecryptMessage(key, ciphertext, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity checks the integrity of the plaintext message.
|
||||||
|
func (e Des3CbcSha1Kd) VerifyIntegrity(protocolKey, ct, pt []byte, usage uint32) bool {
|
||||||
|
return rfc3961.VerifyIntegrity(protocolKey, ct, pt, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetChecksumHash returns a keyed checksum hash of the bytes provided.
|
||||||
|
func (e Des3CbcSha1Kd) GetChecksumHash(protocolKey, data []byte, usage uint32) ([]byte, error) {
|
||||||
|
return common.GetHash(data, protocolKey, common.GetUsageKc(usage), e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyChecksum compares the checksum of the message bytes is the same as the checksum provided.
|
||||||
|
func (e Des3CbcSha1Kd) VerifyChecksum(protocolKey, data, chksum []byte, usage uint32) bool {
|
||||||
|
c, err := e.GetChecksumHash(protocolKey, data, usage)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return hmac.Equal(chksum, c)
|
||||||
|
}
|
29
vendor/github.com/jcmturner/gokrb5/v8/crypto/etype/etype.go
generated
vendored
Normal file
29
vendor/github.com/jcmturner/gokrb5/v8/crypto/etype/etype.go
generated
vendored
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
// Package etype provides the Kerberos Encryption Type interface
|
||||||
|
package etype
|
||||||
|
|
||||||
|
import "hash"
|
||||||
|
|
||||||
|
// EType is the interface defining the Encryption Type.
|
||||||
|
type EType interface {
|
||||||
|
GetETypeID() int32
|
||||||
|
GetHashID() int32
|
||||||
|
GetKeyByteSize() int
|
||||||
|
GetKeySeedBitLength() int
|
||||||
|
GetDefaultStringToKeyParams() string
|
||||||
|
StringToKey(string, salt, s2kparams string) ([]byte, error)
|
||||||
|
RandomToKey(b []byte) []byte
|
||||||
|
GetHMACBitLength() int
|
||||||
|
GetMessageBlockByteSize() int
|
||||||
|
EncryptData(key, data []byte) ([]byte, []byte, error)
|
||||||
|
EncryptMessage(key, message []byte, usage uint32) ([]byte, []byte, error)
|
||||||
|
DecryptData(key, data []byte) ([]byte, error)
|
||||||
|
DecryptMessage(key, ciphertext []byte, usage uint32) ([]byte, error)
|
||||||
|
GetCypherBlockBitLength() int
|
||||||
|
GetConfounderByteSize() int
|
||||||
|
DeriveKey(protocolKey, usage []byte) ([]byte, error)
|
||||||
|
DeriveRandom(protocolKey, usage []byte) ([]byte, error)
|
||||||
|
VerifyIntegrity(protocolKey, ct, pt []byte, usage uint32) bool
|
||||||
|
GetChecksumHash(protocolKey, data []byte, usage uint32) ([]byte, error)
|
||||||
|
VerifyChecksum(protocolKey, data, chksum []byte, usage uint32) bool
|
||||||
|
GetHashFunc() func() hash.Hash
|
||||||
|
}
|
133
vendor/github.com/jcmturner/gokrb5/v8/crypto/rc4-hmac.go
generated
vendored
Normal file
133
vendor/github.com/jcmturner/gokrb5/v8/crypto/rc4-hmac.go
generated
vendored
Normal file
@ -0,0 +1,133 @@
|
|||||||
|
package crypto
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/md5"
|
||||||
|
"hash"
|
||||||
|
"io"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc3961"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/rfc4757"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
"golang.org/x/crypto/md4"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RC4HMAC implements Kerberos encryption type rc4-hmac
|
||||||
|
type RC4HMAC struct {
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetETypeID returns the EType ID number.
|
||||||
|
func (e RC4HMAC) GetETypeID() int32 {
|
||||||
|
return etypeID.RC4_HMAC
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashID returns the checksum type ID number.
|
||||||
|
func (e RC4HMAC) GetHashID() int32 {
|
||||||
|
return chksumtype.KERB_CHECKSUM_HMAC_MD5
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeyByteSize returns the number of bytes for key of this etype.
|
||||||
|
func (e RC4HMAC) GetKeyByteSize() int {
|
||||||
|
return 16
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetKeySeedBitLength returns the number of bits for the seed for key generation.
|
||||||
|
func (e RC4HMAC) GetKeySeedBitLength() int {
|
||||||
|
return e.GetKeyByteSize() * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHashFunc returns the hash function for this etype.
|
||||||
|
func (e RC4HMAC) GetHashFunc() func() hash.Hash {
|
||||||
|
return md5.New
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetMessageBlockByteSize returns the block size for the etype's messages.
|
||||||
|
func (e RC4HMAC) GetMessageBlockByteSize() int {
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetDefaultStringToKeyParams returns the default key derivation parameters in string form.
|
||||||
|
func (e RC4HMAC) GetDefaultStringToKeyParams() string {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetConfounderByteSize returns the byte count for confounder to be used during cryptographic operations.
|
||||||
|
func (e RC4HMAC) GetConfounderByteSize() int {
|
||||||
|
return 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetHMACBitLength returns the bit count size of the integrity hash.
|
||||||
|
func (e RC4HMAC) GetHMACBitLength() int {
|
||||||
|
return md5.Size * 8
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetCypherBlockBitLength returns the bit count size of the cypher block.
|
||||||
|
func (e RC4HMAC) GetCypherBlockBitLength() int {
|
||||||
|
return 8 // doesn't really apply
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided.
|
||||||
|
func (e RC4HMAC) StringToKey(secret string, salt string, s2kparams string) ([]byte, error) {
|
||||||
|
return rfc4757.StringToKey(secret)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RandomToKey returns a key from the bytes provided.
|
||||||
|
func (e RC4HMAC) RandomToKey(b []byte) []byte {
|
||||||
|
r := bytes.NewReader(b)
|
||||||
|
h := md4.New()
|
||||||
|
io.Copy(h, r)
|
||||||
|
return h.Sum(nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided.
|
||||||
|
func (e RC4HMAC) EncryptData(key, data []byte) ([]byte, []byte, error) {
|
||||||
|
b, err := rfc4757.EncryptData(key, data, e)
|
||||||
|
return []byte{}, b, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided and concatenates it with the integrity hash to create an encrypted message.
|
||||||
|
func (e RC4HMAC) EncryptMessage(key, message []byte, usage uint32) ([]byte, []byte, error) {
|
||||||
|
b, err := rfc4757.EncryptMessage(key, message, usage, false, e)
|
||||||
|
return []byte{}, b, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided.
|
||||||
|
func (e RC4HMAC) DecryptData(key, data []byte) ([]byte, error) {
|
||||||
|
return rfc4757.DecryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided and verifies the integrity of the message.
|
||||||
|
func (e RC4HMAC) DecryptMessage(key, ciphertext []byte, usage uint32) ([]byte, error) {
|
||||||
|
return rfc4757.DecryptMessage(key, ciphertext, usage, false, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveKey derives a key from the protocol key based on the usage value.
|
||||||
|
func (e RC4HMAC) DeriveKey(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc4757.HMAC(protocolKey, usage), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveRandom generates data needed for key generation.
|
||||||
|
func (e RC4HMAC) DeriveRandom(protocolKey, usage []byte) ([]byte, error) {
|
||||||
|
return rfc3961.DeriveRandom(protocolKey, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity checks the integrity of the plaintext message.
|
||||||
|
func (e RC4HMAC) VerifyIntegrity(protocolKey, ct, pt []byte, usage uint32) bool {
|
||||||
|
return rfc4757.VerifyIntegrity(protocolKey, pt, ct, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetChecksumHash returns a keyed checksum hash of the bytes provided.
|
||||||
|
func (e RC4HMAC) GetChecksumHash(protocolKey, data []byte, usage uint32) ([]byte, error) {
|
||||||
|
return rfc4757.Checksum(protocolKey, usage, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyChecksum compares the checksum of the message bytes is the same as the checksum provided.
|
||||||
|
func (e RC4HMAC) VerifyChecksum(protocolKey, data, chksum []byte, usage uint32) bool {
|
||||||
|
checksum, err := rfc4757.Checksum(protocolKey, usage, data)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return hmac.Equal(checksum, chksum)
|
||||||
|
}
|
119
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3961/encryption.go
generated
vendored
Normal file
119
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3961/encryption.go
generated
vendored
Normal file
@ -0,0 +1,119 @@
|
|||||||
|
// Package rfc3961 provides encryption and checksum methods as specified in RFC 3961
|
||||||
|
package rfc3961
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/cipher"
|
||||||
|
"crypto/des"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/rand"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/common"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
)
|
||||||
|
|
||||||
|
// DES3EncryptData encrypts the data provided using DES3 and methods specific to the etype provided.
|
||||||
|
func DES3EncryptData(key, data []byte, e etype.EType) ([]byte, []byte, error) {
|
||||||
|
if len(key) != e.GetKeyByteSize() {
|
||||||
|
return nil, nil, fmt.Errorf("incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key))
|
||||||
|
}
|
||||||
|
data, _ = common.ZeroPad(data, e.GetMessageBlockByteSize())
|
||||||
|
|
||||||
|
block, err := des.NewTripleDESCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, fmt.Errorf("error creating cipher: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
//RFC 3961: initial cipher state All bits zero
|
||||||
|
ivz := make([]byte, des.BlockSize)
|
||||||
|
|
||||||
|
ct := make([]byte, len(data))
|
||||||
|
mode := cipher.NewCBCEncrypter(block, ivz)
|
||||||
|
mode.CryptBlocks(ct, data)
|
||||||
|
return ct[len(ct)-e.GetMessageBlockByteSize():], ct, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DES3EncryptMessage encrypts the message provided using DES3 and methods specific to the etype provided.
|
||||||
|
// The encrypted data is concatenated with its integrity hash to create an encrypted message.
|
||||||
|
func DES3EncryptMessage(key, message []byte, usage uint32, e etype.EType) ([]byte, []byte, error) {
|
||||||
|
//confounder
|
||||||
|
c := make([]byte, e.GetConfounderByteSize())
|
||||||
|
_, err := rand.Read(c)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("could not generate random confounder: %v", err)
|
||||||
|
}
|
||||||
|
plainBytes := append(c, message...)
|
||||||
|
plainBytes, _ = common.ZeroPad(plainBytes, e.GetMessageBlockByteSize())
|
||||||
|
|
||||||
|
// Derive key for encryption from usage
|
||||||
|
var k []byte
|
||||||
|
if usage != 0 {
|
||||||
|
k, err = e.DeriveKey(key, common.GetUsageKe(usage))
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("error deriving key for encryption: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
iv, b, err := e.EncryptData(k, plainBytes)
|
||||||
|
if err != nil {
|
||||||
|
return iv, b, fmt.Errorf("error encrypting data: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate and append integrity hash
|
||||||
|
ih, err := common.GetIntegrityHash(plainBytes, key, usage, e)
|
||||||
|
if err != nil {
|
||||||
|
return iv, b, fmt.Errorf("error encrypting data: %v", err)
|
||||||
|
}
|
||||||
|
b = append(b, ih...)
|
||||||
|
return iv, b, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DES3DecryptData decrypts the data provided using DES3 and methods specific to the etype provided.
|
||||||
|
func DES3DecryptData(key, data []byte, e etype.EType) ([]byte, error) {
|
||||||
|
if len(key) != e.GetKeyByteSize() {
|
||||||
|
return []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key))
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(data) < des.BlockSize || len(data)%des.BlockSize != 0 {
|
||||||
|
return []byte{}, errors.New("ciphertext is not a multiple of the block size")
|
||||||
|
}
|
||||||
|
block, err := des.NewTripleDESCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, fmt.Errorf("error creating cipher: %v", err)
|
||||||
|
}
|
||||||
|
pt := make([]byte, len(data))
|
||||||
|
ivz := make([]byte, des.BlockSize)
|
||||||
|
mode := cipher.NewCBCDecrypter(block, ivz)
|
||||||
|
mode.CryptBlocks(pt, data)
|
||||||
|
return pt, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DES3DecryptMessage decrypts the message provided using DES3 and methods specific to the etype provided.
|
||||||
|
// The integrity of the message is also verified.
|
||||||
|
func DES3DecryptMessage(key, ciphertext []byte, usage uint32, e etype.EType) ([]byte, error) {
|
||||||
|
//Derive the key
|
||||||
|
k, err := e.DeriveKey(key, common.GetUsageKe(usage))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error deriving key: %v", err)
|
||||||
|
}
|
||||||
|
// Strip off the checksum from the end
|
||||||
|
b, err := e.DecryptData(k, ciphertext[:len(ciphertext)-e.GetHMACBitLength()/8])
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error decrypting: %v", err)
|
||||||
|
}
|
||||||
|
//Verify checksum
|
||||||
|
if !e.VerifyIntegrity(key, ciphertext, b, usage) {
|
||||||
|
return nil, errors.New("error decrypting: integrity verification failed")
|
||||||
|
}
|
||||||
|
//Remove the confounder bytes
|
||||||
|
return b[e.GetConfounderByteSize():], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity verifies the integrity of cipertext bytes ct.
|
||||||
|
func VerifyIntegrity(key, ct, pt []byte, usage uint32, etype etype.EType) bool {
|
||||||
|
h := make([]byte, etype.GetHMACBitLength()/8)
|
||||||
|
copy(h, ct[len(ct)-etype.GetHMACBitLength()/8:])
|
||||||
|
expectedMAC, _ := common.GetIntegrityHash(pt, key, usage, etype)
|
||||||
|
return hmac.Equal(h, expectedMAC)
|
||||||
|
}
|
169
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3961/keyDerivation.go
generated
vendored
Normal file
169
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3961/keyDerivation.go
generated
vendored
Normal file
@ -0,0 +1,169 @@
|
|||||||
|
package rfc3961
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
prfconstant = "prf"
|
||||||
|
)
|
||||||
|
|
||||||
|
// DeriveRandom implements the RFC 3961 defined function: DR(Key, Constant) = k-truncate(E(Key, Constant, initial-cipher-state)).
|
||||||
|
//
|
||||||
|
// key: base key or protocol key. Likely to be a key from a keytab file.
|
||||||
|
//
|
||||||
|
// usage: a constant.
|
||||||
|
//
|
||||||
|
// n: block size in bits (not bytes) - note if you use something like aes.BlockSize this is in bytes.
|
||||||
|
//
|
||||||
|
// k: key length / key seed length in bits. Eg. for AES256 this value is 256.
|
||||||
|
//
|
||||||
|
// e: the encryption etype function to use.
|
||||||
|
func DeriveRandom(key, usage []byte, e etype.EType) ([]byte, error) {
|
||||||
|
n := e.GetCypherBlockBitLength()
|
||||||
|
k := e.GetKeySeedBitLength()
|
||||||
|
//Ensure the usage constant is at least the size of the cypher block size. Pass it through the nfold algorithm that will "stretch" it if needs be.
|
||||||
|
nFoldUsage := Nfold(usage, n)
|
||||||
|
//k-truncate implemented by creating a byte array the size of k (k is in bits hence /8)
|
||||||
|
out := make([]byte, k/8)
|
||||||
|
// Keep feeding the output back into the encryption function until it is no longer short than k.
|
||||||
|
_, K, err := e.EncryptData(key, nFoldUsage)
|
||||||
|
if err != nil {
|
||||||
|
return out, err
|
||||||
|
}
|
||||||
|
for i := copy(out, K); i < len(out); {
|
||||||
|
_, K, _ = e.EncryptData(key, K)
|
||||||
|
i = i + copy(out[i:], K)
|
||||||
|
}
|
||||||
|
return out, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveKey derives a key from the protocol key based on the usage and the etype's specific methods.
|
||||||
|
func DeriveKey(protocolKey, usage []byte, e etype.EType) ([]byte, error) {
|
||||||
|
r, err := e.DeriveRandom(protocolKey, usage)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return e.RandomToKey(r), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// RandomToKey returns a key from the bytes provided according to the definition in RFC 3961.
|
||||||
|
func RandomToKey(b []byte) []byte {
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
|
// DES3RandomToKey returns a key from the bytes provided according to the definition in RFC 3961 for DES3 etypes.
|
||||||
|
func DES3RandomToKey(b []byte) []byte {
|
||||||
|
r := fixWeakKey(stretch56Bits(b[:7]))
|
||||||
|
r2 := fixWeakKey(stretch56Bits(b[7:14]))
|
||||||
|
r = append(r, r2...)
|
||||||
|
r3 := fixWeakKey(stretch56Bits(b[14:21]))
|
||||||
|
r = append(r, r3...)
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
|
// DES3StringToKey returns a key derived from the string provided according to the definition in RFC 3961 for DES3 etypes.
|
||||||
|
func DES3StringToKey(secret, salt string, e etype.EType) ([]byte, error) {
|
||||||
|
s := secret + salt
|
||||||
|
tkey := e.RandomToKey(Nfold([]byte(s), e.GetKeySeedBitLength()))
|
||||||
|
return e.DeriveKey(tkey, []byte("kerberos"))
|
||||||
|
}
|
||||||
|
|
||||||
|
// PseudoRandom function as defined in RFC 3961
|
||||||
|
func PseudoRandom(key, b []byte, e etype.EType) ([]byte, error) {
|
||||||
|
h := e.GetHashFunc()()
|
||||||
|
h.Write(b)
|
||||||
|
tmp := h.Sum(nil)[:e.GetMessageBlockByteSize()]
|
||||||
|
k, err := e.DeriveKey(key, []byte(prfconstant))
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, err
|
||||||
|
}
|
||||||
|
_, prf, err := e.EncryptData(k, tmp)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, err
|
||||||
|
}
|
||||||
|
return prf, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func stretch56Bits(b []byte) []byte {
|
||||||
|
d := make([]byte, len(b), len(b))
|
||||||
|
copy(d, b)
|
||||||
|
var lb byte
|
||||||
|
for i, v := range d {
|
||||||
|
bv, nb := calcEvenParity(v)
|
||||||
|
d[i] = nb
|
||||||
|
if bv != 0 {
|
||||||
|
lb = lb | (1 << uint(i+1))
|
||||||
|
} else {
|
||||||
|
lb = lb &^ (1 << uint(i+1))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
_, lb = calcEvenParity(lb)
|
||||||
|
d = append(d, lb)
|
||||||
|
return d
|
||||||
|
}
|
||||||
|
|
||||||
|
func calcEvenParity(b byte) (uint8, uint8) {
|
||||||
|
lowestbit := b & 0x01
|
||||||
|
// c counter of 1s in the first 7 bits of the byte
|
||||||
|
var c int
|
||||||
|
// Iterate over the highest 7 bits (hence p starts at 1 not zero) and count the 1s.
|
||||||
|
for p := 1; p < 8; p++ {
|
||||||
|
v := b & (1 << uint(p))
|
||||||
|
if v != 0 {
|
||||||
|
c++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if c%2 == 0 {
|
||||||
|
//Even number of 1s so set parity to 1
|
||||||
|
b = b | 1
|
||||||
|
} else {
|
||||||
|
//Odd number of 1s so set parity to 0
|
||||||
|
b = b &^ 1
|
||||||
|
}
|
||||||
|
return lowestbit, b
|
||||||
|
}
|
||||||
|
|
||||||
|
func fixWeakKey(b []byte) []byte {
|
||||||
|
if weak(b) {
|
||||||
|
b[7] ^= 0xF0
|
||||||
|
}
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
|
func weak(b []byte) bool {
|
||||||
|
// weak keys from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-67r1.pdf
|
||||||
|
weakKeys := [4][]byte{
|
||||||
|
{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
|
||||||
|
{0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
|
||||||
|
{0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1},
|
||||||
|
{0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
|
||||||
|
}
|
||||||
|
semiWeakKeys := [12][]byte{
|
||||||
|
{0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E},
|
||||||
|
{0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01},
|
||||||
|
{0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1},
|
||||||
|
{0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01},
|
||||||
|
{0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE},
|
||||||
|
{0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01},
|
||||||
|
{0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1},
|
||||||
|
{0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E},
|
||||||
|
{0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE},
|
||||||
|
{0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E},
|
||||||
|
{0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE},
|
||||||
|
{0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1},
|
||||||
|
}
|
||||||
|
for _, k := range weakKeys {
|
||||||
|
if bytes.Equal(b, k) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, k := range semiWeakKeys {
|
||||||
|
if bytes.Equal(b, k) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
107
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3961/nfold.go
generated
vendored
Normal file
107
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3961/nfold.go
generated
vendored
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
package rfc3961
|
||||||
|
|
||||||
|
// Implementation of the n-fold algorithm as defined in RFC 3961.
|
||||||
|
|
||||||
|
/* Credits
|
||||||
|
This golang implementation of nfold used the following project for help with implementation detail.
|
||||||
|
Although their source is in java it was helpful as a reference implementation of the RFC.
|
||||||
|
You can find the source code of their open source project along with license information below.
|
||||||
|
We acknowledge and are grateful to these developers for their contributions to open source
|
||||||
|
|
||||||
|
Project: Apache Directory (http://http://directory.apache.org/)
|
||||||
|
https://svn.apache.org/repos/asf/directory/apacheds/tags/1.5.1/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/NFold.java
|
||||||
|
License: http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Nfold expands the key to ensure it is not smaller than one cipher block.
|
||||||
|
// Defined in RFC 3961.
|
||||||
|
//
|
||||||
|
// m input bytes that will be "stretched" to the least common multiple of n bits and the bit length of m.
|
||||||
|
func Nfold(m []byte, n int) []byte {
|
||||||
|
k := len(m) * 8
|
||||||
|
|
||||||
|
//Get the lowest common multiple of the two bit sizes
|
||||||
|
lcm := lcm(n, k)
|
||||||
|
relicate := lcm / k
|
||||||
|
var sumBytes []byte
|
||||||
|
|
||||||
|
for i := 0; i < relicate; i++ {
|
||||||
|
rotation := 13 * i
|
||||||
|
sumBytes = append(sumBytes, rotateRight(m, rotation)...)
|
||||||
|
}
|
||||||
|
|
||||||
|
nfold := make([]byte, n/8)
|
||||||
|
sum := make([]byte, n/8)
|
||||||
|
for i := 0; i < lcm/n; i++ {
|
||||||
|
for j := 0; j < n/8; j++ {
|
||||||
|
sum[j] = sumBytes[j+(i*len(sum))]
|
||||||
|
}
|
||||||
|
nfold = onesComplementAddition(nfold, sum)
|
||||||
|
}
|
||||||
|
return nfold
|
||||||
|
}
|
||||||
|
|
||||||
|
func onesComplementAddition(n1, n2 []byte) []byte {
|
||||||
|
numBits := len(n1) * 8
|
||||||
|
out := make([]byte, numBits/8)
|
||||||
|
carry := 0
|
||||||
|
for i := numBits - 1; i > -1; i-- {
|
||||||
|
n1b := getBit(&n1, i)
|
||||||
|
n2b := getBit(&n2, i)
|
||||||
|
s := n1b + n2b + carry
|
||||||
|
|
||||||
|
if s == 0 || s == 1 {
|
||||||
|
setBit(&out, i, s)
|
||||||
|
carry = 0
|
||||||
|
} else if s == 2 {
|
||||||
|
carry = 1
|
||||||
|
} else if s == 3 {
|
||||||
|
setBit(&out, i, 1)
|
||||||
|
carry = 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if carry == 1 {
|
||||||
|
carryArray := make([]byte, len(n1))
|
||||||
|
carryArray[len(carryArray)-1] = 1
|
||||||
|
out = onesComplementAddition(out, carryArray)
|
||||||
|
}
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
func rotateRight(b []byte, step int) []byte {
|
||||||
|
out := make([]byte, len(b))
|
||||||
|
bitLen := len(b) * 8
|
||||||
|
for i := 0; i < bitLen; i++ {
|
||||||
|
v := getBit(&b, i)
|
||||||
|
setBit(&out, (i+step)%bitLen, v)
|
||||||
|
}
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
func lcm(x, y int) int {
|
||||||
|
return (x * y) / gcd(x, y)
|
||||||
|
}
|
||||||
|
|
||||||
|
func gcd(x, y int) int {
|
||||||
|
for y != 0 {
|
||||||
|
x, y = y, x%y
|
||||||
|
}
|
||||||
|
return x
|
||||||
|
}
|
||||||
|
|
||||||
|
func getBit(b *[]byte, p int) int {
|
||||||
|
pByte := p / 8
|
||||||
|
pBit := uint(p % 8)
|
||||||
|
vByte := (*b)[pByte]
|
||||||
|
vInt := int(vByte >> (8 - (pBit + 1)) & 0x0001)
|
||||||
|
return vInt
|
||||||
|
}
|
||||||
|
|
||||||
|
func setBit(b *[]byte, p, v int) {
|
||||||
|
pByte := p / 8
|
||||||
|
pBit := uint(p % 8)
|
||||||
|
oldByte := (*b)[pByte]
|
||||||
|
var newByte byte
|
||||||
|
newByte = byte(v<<(8-(pBit+1))) | oldByte
|
||||||
|
(*b)[pByte] = newByte
|
||||||
|
}
|
89
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3962/encryption.go
generated
vendored
Normal file
89
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3962/encryption.go
generated
vendored
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
// Package rfc3962 provides encryption and checksum methods as specified in RFC 3962
|
||||||
|
package rfc3962
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/aescts/v2"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/common"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
)
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided using methods specific to the etype provided as defined in RFC 3962.
|
||||||
|
func EncryptData(key, data []byte, e etype.EType) ([]byte, []byte, error) {
|
||||||
|
if len(key) != e.GetKeyByteSize() {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key))
|
||||||
|
}
|
||||||
|
ivz := make([]byte, e.GetCypherBlockBitLength()/8)
|
||||||
|
return aescts.Encrypt(key, ivz, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided using the methods specific to the etype provided as defined in RFC 3962.
|
||||||
|
// The encrypted data is concatenated with its integrity hash to create an encrypted message.
|
||||||
|
func EncryptMessage(key, message []byte, usage uint32, e etype.EType) ([]byte, []byte, error) {
|
||||||
|
if len(key) != e.GetKeyByteSize() {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key))
|
||||||
|
}
|
||||||
|
//confounder
|
||||||
|
c := make([]byte, e.GetConfounderByteSize())
|
||||||
|
_, err := rand.Read(c)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("could not generate random confounder: %v", err)
|
||||||
|
}
|
||||||
|
plainBytes := append(c, message...)
|
||||||
|
|
||||||
|
// Derive key for encryption from usage
|
||||||
|
var k []byte
|
||||||
|
if usage != 0 {
|
||||||
|
k, err = e.DeriveKey(key, common.GetUsageKe(usage))
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("error deriving key for encryption: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encrypt the data
|
||||||
|
iv, b, err := e.EncryptData(k, plainBytes)
|
||||||
|
if err != nil {
|
||||||
|
return iv, b, fmt.Errorf("error encrypting data: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate and append integrity hash
|
||||||
|
ih, err := common.GetIntegrityHash(plainBytes, key, usage, e)
|
||||||
|
if err != nil {
|
||||||
|
return iv, b, fmt.Errorf("error encrypting data: %v", err)
|
||||||
|
}
|
||||||
|
b = append(b, ih...)
|
||||||
|
return iv, b, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided using the methods specific to the etype provided as defined in RFC 3962.
|
||||||
|
func DecryptData(key, data []byte, e etype.EType) ([]byte, error) {
|
||||||
|
if len(key) != e.GetKeyByteSize() {
|
||||||
|
return []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key))
|
||||||
|
}
|
||||||
|
ivz := make([]byte, e.GetCypherBlockBitLength()/8)
|
||||||
|
return aescts.Decrypt(key, ivz, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided using the methods specific to the etype provided as defined in RFC 3962.
|
||||||
|
// The integrity of the message is also verified.
|
||||||
|
func DecryptMessage(key, ciphertext []byte, usage uint32, e etype.EType) ([]byte, error) {
|
||||||
|
//Derive the key
|
||||||
|
k, err := e.DeriveKey(key, common.GetUsageKe(usage))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error deriving key: %v", err)
|
||||||
|
}
|
||||||
|
// Strip off the checksum from the end
|
||||||
|
b, err := e.DecryptData(k, ciphertext[:len(ciphertext)-e.GetHMACBitLength()/8])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
//Verify checksum
|
||||||
|
if !e.VerifyIntegrity(key, ciphertext, b, usage) {
|
||||||
|
return nil, errors.New("integrity verification failed")
|
||||||
|
}
|
||||||
|
//Remove the confounder bytes
|
||||||
|
return b[e.GetConfounderByteSize():], nil
|
||||||
|
}
|
51
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3962/keyDerivation.go
generated
vendored
Normal file
51
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc3962/keyDerivation.go
generated
vendored
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
package rfc3962
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/binary"
|
||||||
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gofork/x/crypto/pbkdf2"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
s2kParamsZero = 4294967296
|
||||||
|
)
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided according to the definition in RFC 3961.
|
||||||
|
func StringToKey(secret, salt, s2kparams string, e etype.EType) ([]byte, error) {
|
||||||
|
i, err := S2KparamsToItertions(s2kparams)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return StringToKeyIter(secret, salt, i, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToPBKDF2 generates an encryption key from a pass phrase and salt string using the PBKDF2 function from PKCS #5 v2.0
|
||||||
|
func StringToPBKDF2(secret, salt string, iterations int64, e etype.EType) []byte {
|
||||||
|
return pbkdf2.Key64([]byte(secret), []byte(salt), iterations, int64(e.GetKeyByteSize()), e.GetHashFunc())
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKeyIter returns a key derived from the string provided according to the definition in RFC 3961.
|
||||||
|
func StringToKeyIter(secret, salt string, iterations int64, e etype.EType) ([]byte, error) {
|
||||||
|
tkey := e.RandomToKey(StringToPBKDF2(secret, salt, iterations, e))
|
||||||
|
return e.DeriveKey(tkey, []byte("kerberos"))
|
||||||
|
}
|
||||||
|
|
||||||
|
// S2KparamsToItertions converts the string representation of iterations to an integer
|
||||||
|
func S2KparamsToItertions(s2kparams string) (int64, error) {
|
||||||
|
//The s2kparams string should be hex string representing 4 bytes
|
||||||
|
//The 4 bytes represent a number in big endian order
|
||||||
|
//If the value is zero then the number of iterations should be 4,294,967,296 (2^32)
|
||||||
|
var i uint32
|
||||||
|
if len(s2kparams) != 8 {
|
||||||
|
return int64(s2kParamsZero), errors.New("invalid s2kparams length")
|
||||||
|
}
|
||||||
|
b, err := hex.DecodeString(s2kparams)
|
||||||
|
if err != nil {
|
||||||
|
return int64(s2kParamsZero), errors.New("invalid s2kparams, cannot decode string to bytes")
|
||||||
|
}
|
||||||
|
i = binary.BigEndian.Uint32(b)
|
||||||
|
return int64(i), nil
|
||||||
|
}
|
40
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc4757/checksum.go
generated
vendored
Normal file
40
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc4757/checksum.go
generated
vendored
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
package rfc4757
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/md5"
|
||||||
|
"io"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Checksum returns a hash of the data in accordance with RFC 4757
|
||||||
|
func Checksum(key []byte, usage uint32, data []byte) ([]byte, error) {
|
||||||
|
// Create hashing key
|
||||||
|
s := append([]byte(`signaturekey`), byte(0x00)) //includes zero octet at end
|
||||||
|
mac := hmac.New(md5.New, key)
|
||||||
|
mac.Write(s)
|
||||||
|
Ksign := mac.Sum(nil)
|
||||||
|
|
||||||
|
// Format data
|
||||||
|
tb := UsageToMSMsgType(usage)
|
||||||
|
p := append(tb, data...)
|
||||||
|
h := md5.New()
|
||||||
|
rb := bytes.NewReader(p)
|
||||||
|
_, err := io.Copy(h, rb)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, err
|
||||||
|
}
|
||||||
|
tmp := h.Sum(nil)
|
||||||
|
|
||||||
|
// Generate HMAC
|
||||||
|
mac = hmac.New(md5.New, Ksign)
|
||||||
|
mac.Write(tmp)
|
||||||
|
return mac.Sum(nil), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// HMAC returns a keyed MD5 checksum of the data
|
||||||
|
func HMAC(key []byte, data []byte) []byte {
|
||||||
|
mac := hmac.New(md5.New, key)
|
||||||
|
mac.Write(data)
|
||||||
|
return mac.Sum(nil)
|
||||||
|
}
|
80
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc4757/encryption.go
generated
vendored
Normal file
80
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc4757/encryption.go
generated
vendored
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
// Package rfc4757 provides encryption and checksum methods as specified in RFC 4757
|
||||||
|
package rfc4757
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/rc4"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
)
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided using methods specific to the etype provided as defined in RFC 4757.
|
||||||
|
func EncryptData(key, data []byte, e etype.EType) ([]byte, error) {
|
||||||
|
if len(key) != e.GetKeyByteSize() {
|
||||||
|
return []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key))
|
||||||
|
}
|
||||||
|
rc4Cipher, err := rc4.NewCipher(key)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, fmt.Errorf("error creating RC4 cipher: %v", err)
|
||||||
|
}
|
||||||
|
ed := make([]byte, len(data))
|
||||||
|
copy(ed, data)
|
||||||
|
rc4Cipher.XORKeyStream(ed, ed)
|
||||||
|
rc4Cipher.Reset()
|
||||||
|
return ed, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided using the methods specific to the etype provided as defined in RFC 4757.
|
||||||
|
func DecryptData(key, data []byte, e etype.EType) ([]byte, error) {
|
||||||
|
return EncryptData(key, data, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided using the methods specific to the etype provided as defined in RFC 4757.
|
||||||
|
// The encrypted data is concatenated with its RC4 header containing integrity checksum and confounder to create an encrypted message.
|
||||||
|
func EncryptMessage(key, data []byte, usage uint32, export bool, e etype.EType) ([]byte, error) {
|
||||||
|
confounder := make([]byte, e.GetConfounderByteSize()) // size = 8
|
||||||
|
_, err := rand.Read(confounder)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, fmt.Errorf("error generating confounder: %v", err)
|
||||||
|
}
|
||||||
|
k1 := key
|
||||||
|
k2 := HMAC(k1, UsageToMSMsgType(usage))
|
||||||
|
toenc := append(confounder, data...)
|
||||||
|
chksum := HMAC(k2, toenc)
|
||||||
|
k3 := HMAC(k2, chksum)
|
||||||
|
|
||||||
|
ed, err := EncryptData(k3, toenc, e)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, fmt.Errorf("error encrypting data: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
msg := append(chksum, ed...)
|
||||||
|
return msg, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided using the methods specific to the etype provided as defined in RFC 4757.
|
||||||
|
// The integrity of the message is also verified.
|
||||||
|
func DecryptMessage(key, data []byte, usage uint32, export bool, e etype.EType) ([]byte, error) {
|
||||||
|
checksum := data[:e.GetHMACBitLength()/8]
|
||||||
|
ct := data[e.GetHMACBitLength()/8:]
|
||||||
|
_, k2, k3 := deriveKeys(key, checksum, usage, export)
|
||||||
|
|
||||||
|
pt, err := DecryptData(k3, ct, e)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, fmt.Errorf("error decrypting data: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !VerifyIntegrity(k2, pt, data, e) {
|
||||||
|
return []byte{}, errors.New("integrity checksum incorrect")
|
||||||
|
}
|
||||||
|
return pt[e.GetConfounderByteSize():], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity checks the integrity checksum of the data matches that calculated from the decrypted data.
|
||||||
|
func VerifyIntegrity(key, pt, data []byte, e etype.EType) bool {
|
||||||
|
chksum := HMAC(key, pt)
|
||||||
|
return hmac.Equal(chksum, data[:e.GetHMACBitLength()/8])
|
||||||
|
}
|
40
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc4757/keyDerivation.go
generated
vendored
Normal file
40
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc4757/keyDerivation.go
generated
vendored
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
package rfc4757
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/md4"
|
||||||
|
)
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided according to the definition in RFC 4757.
|
||||||
|
func StringToKey(secret string) ([]byte, error) {
|
||||||
|
b := make([]byte, len(secret)*2, len(secret)*2)
|
||||||
|
for i, r := range secret {
|
||||||
|
u := fmt.Sprintf("%04x", r)
|
||||||
|
c, err := hex.DecodeString(u)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, errors.New("character could not be encoded")
|
||||||
|
}
|
||||||
|
// Swap round the two bytes to make little endian as we put into byte slice
|
||||||
|
b[2*i] = c[1]
|
||||||
|
b[2*i+1] = c[0]
|
||||||
|
}
|
||||||
|
r := bytes.NewReader(b)
|
||||||
|
h := md4.New()
|
||||||
|
_, err := io.Copy(h, r)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, err
|
||||||
|
}
|
||||||
|
return h.Sum(nil), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func deriveKeys(key, checksum []byte, usage uint32, export bool) (k1, k2, k3 []byte) {
|
||||||
|
k1 = key
|
||||||
|
k2 = HMAC(k1, UsageToMSMsgType(usage))
|
||||||
|
k3 = HMAC(k2, checksum)
|
||||||
|
return
|
||||||
|
}
|
20
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc4757/msgtype.go
generated
vendored
Normal file
20
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc4757/msgtype.go
generated
vendored
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
package rfc4757
|
||||||
|
|
||||||
|
import "encoding/binary"
|
||||||
|
|
||||||
|
// UsageToMSMsgType converts Kerberos key usage numbers to Microsoft message type encoded as a little-endian four byte slice.
|
||||||
|
func UsageToMSMsgType(usage uint32) []byte {
|
||||||
|
// Translate usage numbers to the Microsoft T numbers
|
||||||
|
switch usage {
|
||||||
|
case 3:
|
||||||
|
usage = 8
|
||||||
|
case 9:
|
||||||
|
usage = 8
|
||||||
|
case 23:
|
||||||
|
usage = 13
|
||||||
|
}
|
||||||
|
// Now convert to bytes
|
||||||
|
tb := make([]byte, 4) // We force an int32 input so we can't go over 4 bytes
|
||||||
|
binary.PutUvarint(tb, uint64(usage))
|
||||||
|
return tb
|
||||||
|
}
|
125
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc8009/encryption.go
generated
vendored
Normal file
125
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc8009/encryption.go
generated
vendored
Normal file
@ -0,0 +1,125 @@
|
|||||||
|
// Package rfc8009 provides encryption and checksum methods as specified in RFC 8009
|
||||||
|
package rfc8009
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/aes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"crypto/rand"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/aescts/v2"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/common"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
)
|
||||||
|
|
||||||
|
// EncryptData encrypts the data provided using methods specific to the etype provided as defined in RFC 8009.
|
||||||
|
func EncryptData(key, data []byte, e etype.EType) ([]byte, []byte, error) {
|
||||||
|
kl := e.GetKeyByteSize()
|
||||||
|
if e.GetETypeID() == etypeID.AES256_CTS_HMAC_SHA384_192 {
|
||||||
|
kl = 32
|
||||||
|
}
|
||||||
|
if len(key) != kl {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key))
|
||||||
|
}
|
||||||
|
ivz := make([]byte, aes.BlockSize)
|
||||||
|
return aescts.Encrypt(key, ivz, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EncryptMessage encrypts the message provided using the methods specific to the etype provided as defined in RFC 8009.
|
||||||
|
// The encrypted data is concatenated with its integrity hash to create an encrypted message.
|
||||||
|
func EncryptMessage(key, message []byte, usage uint32, e etype.EType) ([]byte, []byte, error) {
|
||||||
|
kl := e.GetKeyByteSize()
|
||||||
|
if e.GetETypeID() == etypeID.AES256_CTS_HMAC_SHA384_192 {
|
||||||
|
kl = 32
|
||||||
|
}
|
||||||
|
if len(key) != kl {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", kl, len(key))
|
||||||
|
}
|
||||||
|
if len(key) != e.GetKeyByteSize() {
|
||||||
|
}
|
||||||
|
//confounder
|
||||||
|
c := make([]byte, e.GetConfounderByteSize())
|
||||||
|
_, err := rand.Read(c)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("could not generate random confounder: %v", err)
|
||||||
|
}
|
||||||
|
plainBytes := append(c, message...)
|
||||||
|
|
||||||
|
// Derive key for encryption from usage
|
||||||
|
var k []byte
|
||||||
|
if usage != 0 {
|
||||||
|
k, err = e.DeriveKey(key, common.GetUsageKe(usage))
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, []byte{}, fmt.Errorf("error deriving key for encryption: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encrypt the data
|
||||||
|
iv, b, err := e.EncryptData(k, plainBytes)
|
||||||
|
if err != nil {
|
||||||
|
return iv, b, fmt.Errorf("error encrypting data: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ivz := make([]byte, e.GetConfounderByteSize())
|
||||||
|
ih, err := GetIntegityHash(ivz, b, key, usage, e)
|
||||||
|
if err != nil {
|
||||||
|
return iv, b, fmt.Errorf("error encrypting data: %v", err)
|
||||||
|
}
|
||||||
|
b = append(b, ih...)
|
||||||
|
return iv, b, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptData decrypts the data provided using the methods specific to the etype provided as defined in RFC 8009.
|
||||||
|
func DecryptData(key, data []byte, e etype.EType) ([]byte, error) {
|
||||||
|
kl := e.GetKeyByteSize()
|
||||||
|
if e.GetETypeID() == etypeID.AES256_CTS_HMAC_SHA384_192 {
|
||||||
|
kl = 32
|
||||||
|
}
|
||||||
|
if len(key) != kl {
|
||||||
|
return []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", kl, len(key))
|
||||||
|
}
|
||||||
|
ivz := make([]byte, aes.BlockSize)
|
||||||
|
return aescts.Decrypt(key, ivz, data)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DecryptMessage decrypts the message provided using the methods specific to the etype provided as defined in RFC 8009.
|
||||||
|
// The integrity of the message is also verified.
|
||||||
|
func DecryptMessage(key, ciphertext []byte, usage uint32, e etype.EType) ([]byte, error) {
|
||||||
|
//Derive the key
|
||||||
|
k, err := e.DeriveKey(key, common.GetUsageKe(usage))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("error deriving key: %v", err)
|
||||||
|
}
|
||||||
|
// Strip off the checksum from the end
|
||||||
|
b, err := e.DecryptData(k, ciphertext[:len(ciphertext)-e.GetHMACBitLength()/8])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
//Verify checksum
|
||||||
|
if !e.VerifyIntegrity(key, ciphertext, b, usage) {
|
||||||
|
return nil, errors.New("integrity verification failed")
|
||||||
|
}
|
||||||
|
//Remove the confounder bytes
|
||||||
|
return b[e.GetConfounderByteSize():], nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetIntegityHash returns a keyed integrity hash of the bytes provided as defined in RFC 8009
|
||||||
|
func GetIntegityHash(iv, c, key []byte, usage uint32, e etype.EType) ([]byte, error) {
|
||||||
|
// Generate and append integrity hash
|
||||||
|
// Rather than calculating the hash over the confounder and plaintext
|
||||||
|
// it is calculated over the iv concatenated with the AES cipher output.
|
||||||
|
ib := append(iv, c...)
|
||||||
|
return common.GetIntegrityHash(ib, key, usage, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// VerifyIntegrity verifies the integrity of cipertext bytes ct.
|
||||||
|
func VerifyIntegrity(key, ct []byte, usage uint32, etype etype.EType) bool {
|
||||||
|
h := make([]byte, etype.GetHMACBitLength()/8)
|
||||||
|
copy(h, ct[len(ct)-etype.GetHMACBitLength()/8:])
|
||||||
|
ivz := make([]byte, etype.GetConfounderByteSize())
|
||||||
|
ib := append(ivz, ct[:len(ct)-(etype.GetHMACBitLength()/8)]...)
|
||||||
|
expectedMAC, _ := common.GetIntegrityHash(ib, key, usage, etype)
|
||||||
|
return hmac.Equal(h, expectedMAC)
|
||||||
|
}
|
135
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc8009/keyDerivation.go
generated
vendored
Normal file
135
vendor/github.com/jcmturner/gokrb5/v8/crypto/rfc8009/keyDerivation.go
generated
vendored
Normal file
@ -0,0 +1,135 @@
|
|||||||
|
package rfc8009
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/hmac"
|
||||||
|
"encoding/binary"
|
||||||
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto/etype"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||||
|
"golang.org/x/crypto/pbkdf2"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
s2kParamsZero = 32768
|
||||||
|
)
|
||||||
|
|
||||||
|
// DeriveRandom for key derivation as defined in RFC 8009
|
||||||
|
func DeriveRandom(protocolKey, usage []byte, e etype.EType) ([]byte, error) {
|
||||||
|
h := e.GetHashFunc()()
|
||||||
|
return KDF_HMAC_SHA2(protocolKey, []byte("prf"), usage, h.Size(), e), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeriveKey derives a key from the protocol key based on the usage and the etype's specific methods.
|
||||||
|
//
|
||||||
|
// https://tools.ietf.org/html/rfc8009#section-5
|
||||||
|
func DeriveKey(protocolKey, label []byte, e etype.EType) []byte {
|
||||||
|
var context []byte
|
||||||
|
var kl int
|
||||||
|
// Key length is longer for aes256-cts-hmac-sha384-192 is it is a Ke or from StringToKey (where label is "kerberos")
|
||||||
|
if e.GetETypeID() == etypeID.AES256_CTS_HMAC_SHA384_192 {
|
||||||
|
Swtch:
|
||||||
|
switch label[len(label)-1] {
|
||||||
|
case 0x73:
|
||||||
|
// 0x73 is "s" so label could be kerberos meaning StringToKey so now check if the label is "kerberos"
|
||||||
|
kerblabel := []byte("kerberos")
|
||||||
|
if len(label) != len(kerblabel) {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
for i, b := range label {
|
||||||
|
if b != kerblabel[i] {
|
||||||
|
kl = e.GetKeySeedBitLength()
|
||||||
|
break Swtch
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if kl == 0 {
|
||||||
|
// This is StringToKey
|
||||||
|
kl = 256
|
||||||
|
}
|
||||||
|
case 0xAA:
|
||||||
|
// This is a Ke
|
||||||
|
kl = 256
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if kl == 0 {
|
||||||
|
kl = e.GetKeySeedBitLength()
|
||||||
|
}
|
||||||
|
return e.RandomToKey(KDF_HMAC_SHA2(protocolKey, label, context, kl, e))
|
||||||
|
}
|
||||||
|
|
||||||
|
// RandomToKey returns a key from the bytes provided according to the definition in RFC 8009.
|
||||||
|
func RandomToKey(b []byte) []byte {
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKey returns a key derived from the string provided according to the definition in RFC 8009.
|
||||||
|
func StringToKey(secret, salt, s2kparams string, e etype.EType) ([]byte, error) {
|
||||||
|
i, err := S2KparamsToItertions(s2kparams)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return StringToKeyIter(secret, salt, i, e)
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToKeyIter returns a key derived from the string provided according to the definition in RFC 8009.
|
||||||
|
func StringToKeyIter(secret, salt string, iterations int, e etype.EType) ([]byte, error) {
|
||||||
|
tkey := e.RandomToKey(StringToPBKDF2(secret, salt, iterations, e))
|
||||||
|
return e.DeriveKey(tkey, []byte("kerberos"))
|
||||||
|
}
|
||||||
|
|
||||||
|
// StringToPBKDF2 generates an encryption key from a pass phrase and salt string using the PBKDF2 function from PKCS #5 v2.0
|
||||||
|
func StringToPBKDF2(secret, salt string, iterations int, e etype.EType) []byte {
|
||||||
|
kl := e.GetKeyByteSize()
|
||||||
|
if e.GetETypeID() == etypeID.AES256_CTS_HMAC_SHA384_192 {
|
||||||
|
kl = 32
|
||||||
|
}
|
||||||
|
return pbkdf2.Key([]byte(secret), []byte(salt), iterations, kl, e.GetHashFunc())
|
||||||
|
}
|
||||||
|
|
||||||
|
// KDF_HMAC_SHA2 key derivation: https://tools.ietf.org/html/rfc8009#section-3
|
||||||
|
func KDF_HMAC_SHA2(protocolKey, label, context []byte, kl int, e etype.EType) []byte {
|
||||||
|
//k: Length in bits of the key to be outputted, expressed in big-endian binary representation in 4 bytes.
|
||||||
|
k := make([]byte, 4, 4)
|
||||||
|
binary.BigEndian.PutUint32(k, uint32(kl))
|
||||||
|
|
||||||
|
c := make([]byte, 4, 4)
|
||||||
|
binary.BigEndian.PutUint32(c, uint32(1))
|
||||||
|
c = append(c, label...)
|
||||||
|
c = append(c, byte(0))
|
||||||
|
if len(context) > 0 {
|
||||||
|
c = append(c, context...)
|
||||||
|
}
|
||||||
|
c = append(c, k...)
|
||||||
|
|
||||||
|
mac := hmac.New(e.GetHashFunc(), protocolKey)
|
||||||
|
mac.Write(c)
|
||||||
|
return mac.Sum(nil)[:(kl / 8)]
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetSaltP returns the salt value based on the etype name: https://tools.ietf.org/html/rfc8009#section-4
|
||||||
|
func GetSaltP(salt, ename string) string {
|
||||||
|
b := []byte(ename)
|
||||||
|
b = append(b, byte(0))
|
||||||
|
b = append(b, []byte(salt)...)
|
||||||
|
return string(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
// S2KparamsToItertions converts the string representation of iterations to an integer for RFC 8009.
|
||||||
|
func S2KparamsToItertions(s2kparams string) (int, error) {
|
||||||
|
var i uint32
|
||||||
|
if len(s2kparams) != 8 {
|
||||||
|
return s2kParamsZero, errors.New("Invalid s2kparams length")
|
||||||
|
}
|
||||||
|
b, err := hex.DecodeString(s2kparams)
|
||||||
|
if err != nil {
|
||||||
|
return s2kParamsZero, errors.New("Invalid s2kparams, cannot decode string to bytes")
|
||||||
|
}
|
||||||
|
i = binary.BigEndian.Uint32(b)
|
||||||
|
//buf := bytes.NewBuffer(b)
|
||||||
|
//err = binary.Read(buf, binary.BigEndian, &i)
|
||||||
|
if err != nil {
|
||||||
|
return s2kParamsZero, errors.New("Invalid s2kparams, cannot convert to big endian int32")
|
||||||
|
}
|
||||||
|
return int(i), nil
|
||||||
|
}
|
174
vendor/github.com/jcmturner/gokrb5/v8/gssapi/MICToken.go
generated
vendored
Normal file
174
vendor/github.com/jcmturner/gokrb5/v8/gssapi/MICToken.go
generated
vendored
Normal file
@ -0,0 +1,174 @@
|
|||||||
|
package gssapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"encoding/binary"
|
||||||
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/keyusage"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RFC 4121, section 4.2.6.1
|
||||||
|
|
||||||
|
const (
|
||||||
|
// MICTokenFlagSentByAcceptor - this flag indicates the sender is the context acceptor. When not set, it indicates the sender is the context initiator
|
||||||
|
MICTokenFlagSentByAcceptor = 1 << iota
|
||||||
|
// MICTokenFlagSealed - this flag indicates confidentiality is provided for. It SHALL NOT be set in MIC tokens
|
||||||
|
MICTokenFlagSealed
|
||||||
|
// MICTokenFlagAcceptorSubkey - a subkey asserted by the context acceptor is used to protect the message
|
||||||
|
MICTokenFlagAcceptorSubkey
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
micHdrLen = 16 // Length of the MIC Token's header
|
||||||
|
)
|
||||||
|
|
||||||
|
// MICToken represents a GSS API MIC token, as defined in RFC 4121.
|
||||||
|
// It contains the header fields, the payload (this is not transmitted) and
|
||||||
|
// the checksum, and provides the logic for converting to/from bytes plus
|
||||||
|
// computing and verifying checksums
|
||||||
|
type MICToken struct {
|
||||||
|
// const GSS Token ID: 0x0404
|
||||||
|
Flags byte // contains three flags: acceptor, sealed, acceptor subkey
|
||||||
|
// const Filler: 0xFF 0xFF 0xFF 0xFF 0xFF
|
||||||
|
SndSeqNum uint64 // sender's sequence number. big-endian
|
||||||
|
Payload []byte // your data! :)
|
||||||
|
Checksum []byte // checksum of { payload | header }
|
||||||
|
}
|
||||||
|
|
||||||
|
// Return the 2 bytes identifying a GSS API MIC token
|
||||||
|
func getGSSMICTokenID() *[2]byte {
|
||||||
|
return &[2]byte{0x04, 0x04}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Return the filler bytes used in header
|
||||||
|
func fillerBytes() *[5]byte {
|
||||||
|
return &[5]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal the MICToken into a byte slice.
|
||||||
|
// The payload should have been set and the checksum computed, otherwise an error is returned.
|
||||||
|
func (mt *MICToken) Marshal() ([]byte, error) {
|
||||||
|
if mt.Checksum == nil {
|
||||||
|
return nil, errors.New("checksum has not been set")
|
||||||
|
}
|
||||||
|
|
||||||
|
bytes := make([]byte, micHdrLen+len(mt.Checksum))
|
||||||
|
copy(bytes[0:micHdrLen], mt.getMICChecksumHeader()[:])
|
||||||
|
copy(bytes[micHdrLen:], mt.Checksum)
|
||||||
|
|
||||||
|
return bytes, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetChecksum uses the passed encryption key and key usage to compute the checksum over the payload and
|
||||||
|
// the header, and sets the Checksum field of this MICToken.
|
||||||
|
// If the payload has not been set or the checksum has already been set, an error is returned.
|
||||||
|
func (mt *MICToken) SetChecksum(key types.EncryptionKey, keyUsage uint32) error {
|
||||||
|
if mt.Checksum != nil {
|
||||||
|
return errors.New("checksum has already been computed")
|
||||||
|
}
|
||||||
|
checksum, err := mt.checksum(key, keyUsage)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
mt.Checksum = checksum
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Compute and return the checksum of this token, computed using the passed key and key usage.
|
||||||
|
// Note: This will NOT update the struct's Checksum field.
|
||||||
|
func (mt *MICToken) checksum(key types.EncryptionKey, keyUsage uint32) ([]byte, error) {
|
||||||
|
if mt.Payload == nil {
|
||||||
|
return nil, errors.New("cannot compute checksum with uninitialized payload")
|
||||||
|
}
|
||||||
|
d := make([]byte, micHdrLen+len(mt.Payload))
|
||||||
|
copy(d[0:], mt.Payload)
|
||||||
|
copy(d[len(mt.Payload):], mt.getMICChecksumHeader())
|
||||||
|
|
||||||
|
encType, err := crypto.GetEtype(key.KeyType)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return encType.GetChecksumHash(key.KeyValue, d, keyUsage)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Build a header suitable for a checksum computation
|
||||||
|
func (mt *MICToken) getMICChecksumHeader() []byte {
|
||||||
|
header := make([]byte, micHdrLen)
|
||||||
|
copy(header[0:2], getGSSMICTokenID()[:])
|
||||||
|
header[2] = mt.Flags
|
||||||
|
copy(header[3:8], fillerBytes()[:])
|
||||||
|
binary.BigEndian.PutUint64(header[8:16], mt.SndSeqNum)
|
||||||
|
return header
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify computes the token's checksum with the provided key and usage,
|
||||||
|
// and compares it to the checksum present in the token.
|
||||||
|
// In case of any failure, (false, err) is returned, with err an explanatory error.
|
||||||
|
func (mt *MICToken) Verify(key types.EncryptionKey, keyUsage uint32) (bool, error) {
|
||||||
|
computed, err := mt.checksum(key, keyUsage)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if !hmac.Equal(computed, mt.Checksum) {
|
||||||
|
return false, fmt.Errorf(
|
||||||
|
"checksum mismatch. Computed: %s, Contained in token: %s",
|
||||||
|
hex.EncodeToString(computed), hex.EncodeToString(mt.Checksum))
|
||||||
|
}
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unmarshal bytes into the corresponding MICToken.
|
||||||
|
// If expectFromAcceptor is true we expect the token to have been emitted by the gss acceptor,
|
||||||
|
// and will check the according flag, returning an error if the token does not match the expectation.
|
||||||
|
func (mt *MICToken) Unmarshal(b []byte, expectFromAcceptor bool) error {
|
||||||
|
if len(b) < micHdrLen {
|
||||||
|
return errors.New("bytes shorter than header length")
|
||||||
|
}
|
||||||
|
if !bytes.Equal(getGSSMICTokenID()[:], b[0:2]) {
|
||||||
|
return fmt.Errorf("wrong Token ID, Expected %s, was %s",
|
||||||
|
hex.EncodeToString(getGSSMICTokenID()[:]),
|
||||||
|
hex.EncodeToString(b[0:2]))
|
||||||
|
}
|
||||||
|
flags := b[2]
|
||||||
|
isFromAcceptor := flags&MICTokenFlagSentByAcceptor != 0
|
||||||
|
if isFromAcceptor && !expectFromAcceptor {
|
||||||
|
return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
|
||||||
|
}
|
||||||
|
if !isFromAcceptor && expectFromAcceptor {
|
||||||
|
return errors.New("unexpected acceptor flag is not set: expecting a token from the acceptor, not in the initiator")
|
||||||
|
}
|
||||||
|
if !bytes.Equal(b[3:8], fillerBytes()[:]) {
|
||||||
|
return fmt.Errorf("unexpected filler bytes: expecting %s, was %s",
|
||||||
|
hex.EncodeToString(fillerBytes()[:]),
|
||||||
|
hex.EncodeToString(b[3:8]))
|
||||||
|
}
|
||||||
|
|
||||||
|
mt.Flags = flags
|
||||||
|
mt.SndSeqNum = binary.BigEndian.Uint64(b[8:16])
|
||||||
|
mt.Checksum = b[micHdrLen:]
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewInitiatorMICToken builds a new initiator token (acceptor flag will be set to 0) and computes the authenticated checksum.
|
||||||
|
// Other flags are set to 0.
|
||||||
|
// Note that in certain circumstances you may need to provide a sequence number that has been defined earlier.
|
||||||
|
// This is currently not supported.
|
||||||
|
func NewInitiatorMICToken(payload []byte, key types.EncryptionKey) (*MICToken, error) {
|
||||||
|
token := MICToken{
|
||||||
|
Flags: 0x00,
|
||||||
|
SndSeqNum: 0,
|
||||||
|
Payload: payload,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := token.SetChecksum(key, keyusage.GSSAPI_INITIATOR_SIGN); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &token, nil
|
||||||
|
}
|
20
vendor/github.com/jcmturner/gokrb5/v8/gssapi/README.md
generated
vendored
Normal file
20
vendor/github.com/jcmturner/gokrb5/v8/gssapi/README.md
generated
vendored
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
# Notes on GSS-API Negotiation Mechanism
|
||||||
|
https://tools.ietf.org/html/rfc4178
|
||||||
|
|
||||||
|
Client sends an initial negotiation message to the server which specifies the list of mechanisms
|
||||||
|
the client can support in order of decreasing preference.
|
||||||
|
This message is generated with the ``NewNegTokenInitKrb5`` method.
|
||||||
|
The message generated by this function specifies only a kerberos v5 mechanism is supported.
|
||||||
|
|
||||||
|
The RFC states that this message can optionally contain the initial mechanism token
|
||||||
|
for the preferred mechanism (KRB5 in this case) of the client. The ``NewNegTokenInitKrb5``
|
||||||
|
includes this in the message.
|
||||||
|
|
||||||
|
The server side responds to this message with a one of four messages:
|
||||||
|
|
||||||
|
| Message Type/State | Description |
|
||||||
|
|--------------------|-------------|
|
||||||
|
| accept-completed | indicates that the initiator-selected mechanism was acceptable to the target, and that the security mechanism token embedded in the first negotiation message was sufficient to complete the authentication |
|
||||||
|
| accept-incomplete | At least one more message is needed from the client to establish security context. |
|
||||||
|
| reject | Negotiation is being terminated. |
|
||||||
|
| request-mic | (this state can only be present in the first reply message from the target) indicates that the MIC token exchange is REQUIRED if per-message integrity services are available |
|
25
vendor/github.com/jcmturner/gokrb5/v8/gssapi/contextFlags.go
generated
vendored
Normal file
25
vendor/github.com/jcmturner/gokrb5/v8/gssapi/contextFlags.go
generated
vendored
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
package gssapi
|
||||||
|
|
||||||
|
import "github.com/jcmturner/gofork/encoding/asn1"
|
||||||
|
|
||||||
|
// GSS-API context flags assigned numbers.
|
||||||
|
const (
|
||||||
|
ContextFlagDeleg = 1
|
||||||
|
ContextFlagMutual = 2
|
||||||
|
ContextFlagReplay = 4
|
||||||
|
ContextFlagSequence = 8
|
||||||
|
ContextFlagConf = 16
|
||||||
|
ContextFlagInteg = 32
|
||||||
|
ContextFlagAnon = 64
|
||||||
|
)
|
||||||
|
|
||||||
|
// ContextFlags flags for GSSAPI
|
||||||
|
type ContextFlags asn1.BitString
|
||||||
|
|
||||||
|
// NewContextFlags creates a new ContextFlags instance.
|
||||||
|
func NewContextFlags() ContextFlags {
|
||||||
|
var c ContextFlags
|
||||||
|
c.BitLength = 32
|
||||||
|
c.Bytes = make([]byte, 4)
|
||||||
|
return c
|
||||||
|
}
|
202
vendor/github.com/jcmturner/gokrb5/v8/gssapi/gssapi.go
generated
vendored
Normal file
202
vendor/github.com/jcmturner/gokrb5/v8/gssapi/gssapi.go
generated
vendored
Normal file
@ -0,0 +1,202 @@
|
|||||||
|
// Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication.
|
||||||
|
package gssapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gofork/encoding/asn1"
|
||||||
|
)
|
||||||
|
|
||||||
|
// GSS-API OID names
|
||||||
|
const (
|
||||||
|
// GSS-API OID names
|
||||||
|
OIDKRB5 OIDName = "KRB5" // MechType OID for Kerberos 5
|
||||||
|
OIDMSLegacyKRB5 OIDName = "MSLegacyKRB5" // MechType OID for Kerberos 5
|
||||||
|
OIDSPNEGO OIDName = "SPNEGO"
|
||||||
|
OIDGSSIAKerb OIDName = "GSSIAKerb" // Indicates the client cannot get a service ticket and asks the server to serve as an intermediate to the target KDC. http://k5wiki.kerberos.org/wiki/Projects/IAKERB#IAKERB_mech
|
||||||
|
)
|
||||||
|
|
||||||
|
// GSS-API status values
|
||||||
|
const (
|
||||||
|
StatusBadBindings = 1 << iota
|
||||||
|
StatusBadMech
|
||||||
|
StatusBadName
|
||||||
|
StatusBadNameType
|
||||||
|
StatusBadStatus
|
||||||
|
StatusBadSig
|
||||||
|
StatusBadMIC
|
||||||
|
StatusContextExpired
|
||||||
|
StatusCredentialsExpired
|
||||||
|
StatusDefectiveCredential
|
||||||
|
StatusDefectiveToken
|
||||||
|
StatusFailure
|
||||||
|
StatusNoContext
|
||||||
|
StatusNoCred
|
||||||
|
StatusBadQOP
|
||||||
|
StatusUnauthorized
|
||||||
|
StatusUnavailable
|
||||||
|
StatusDuplicateElement
|
||||||
|
StatusNameNotMN
|
||||||
|
StatusComplete
|
||||||
|
StatusContinueNeeded
|
||||||
|
StatusDuplicateToken
|
||||||
|
StatusOldToken
|
||||||
|
StatusUnseqToken
|
||||||
|
StatusGapToken
|
||||||
|
)
|
||||||
|
|
||||||
|
// ContextToken is an interface for a GSS-API context token.
|
||||||
|
type ContextToken interface {
|
||||||
|
Marshal() ([]byte, error)
|
||||||
|
Unmarshal(b []byte) error
|
||||||
|
Verify() (bool, Status)
|
||||||
|
Context() context.Context
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
CREDENTIAL MANAGEMENT
|
||||||
|
|
||||||
|
GSS_Acquire_cred acquire credentials for use
|
||||||
|
GSS_Release_cred release credentials after use
|
||||||
|
GSS_Inquire_cred display information about credentials
|
||||||
|
GSS_Add_cred construct credentials incrementally
|
||||||
|
GSS_Inquire_cred_by_mech display per-mechanism credential information
|
||||||
|
|
||||||
|
CONTEXT-LEVEL CALLS
|
||||||
|
|
||||||
|
GSS_Init_sec_context initiate outbound security context
|
||||||
|
GSS_Accept_sec_context accept inbound security context
|
||||||
|
GSS_Delete_sec_context flush context when no longer needed
|
||||||
|
GSS_Process_context_token process received control token on context
|
||||||
|
GSS_Context_time indicate validity time remaining on context
|
||||||
|
GSS_Inquire_context display information about context
|
||||||
|
GSS_Wrap_size_limit determine GSS_Wrap token size limit
|
||||||
|
GSS_Export_sec_context transfer context to other process
|
||||||
|
GSS_Import_sec_context import transferred context
|
||||||
|
|
||||||
|
PER-MESSAGE CALLS
|
||||||
|
|
||||||
|
GSS_GetMIC apply integrity check, receive as token separate from message
|
||||||
|
GSS_VerifyMIC validate integrity check token along with message
|
||||||
|
GSS_Wrap sign, optionally encrypt, encapsulate
|
||||||
|
GSS_Unwrap decapsulate, decrypt if needed, validate integrity check
|
||||||
|
|
||||||
|
SUPPORT CALLS
|
||||||
|
|
||||||
|
GSS_Display_status translate status codes to printable form
|
||||||
|
GSS_Indicate_mechs indicate mech_types supported on local system
|
||||||
|
GSS_Compare_name compare two names for equality
|
||||||
|
GSS_Display_name translate name to printable form
|
||||||
|
GSS_Import_name convert printable name to normalized form
|
||||||
|
GSS_Release_name free storage of normalized-form name
|
||||||
|
GSS_Release_buffer free storage of general GSS-allocated object
|
||||||
|
GSS_Release_OID_set free storage of OID set object
|
||||||
|
GSS_Create_empty_OID_set create empty OID set
|
||||||
|
GSS_Add_OID_set_member add member to OID set
|
||||||
|
GSS_Test_OID_set_member test if OID is member of OID set
|
||||||
|
GSS_Inquire_names_for_mech indicate name types supported by mechanism
|
||||||
|
GSS_Inquire_mechs_for_name indicates mechanisms supporting name type
|
||||||
|
GSS_Canonicalize_name translate name to per-mechanism form
|
||||||
|
GSS_Export_name externalize per-mechanism name
|
||||||
|
GSS_Duplicate_name duplicate name object
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Mechanism is the GSS-API interface for authentication mechanisms.
|
||||||
|
type Mechanism interface {
|
||||||
|
OID() asn1.ObjectIdentifier
|
||||||
|
AcquireCred() error // acquire credentials for use (eg. AS exchange for KRB5)
|
||||||
|
InitSecContext() (ContextToken, error) // initiate outbound security context (eg TGS exchange builds AP_REQ to go into ContextToken to send to service)
|
||||||
|
AcceptSecContext(ct ContextToken) (bool, context.Context, Status) // service verifies the token server side to establish a context
|
||||||
|
MIC() MICToken // apply integrity check, receive as token separate from message
|
||||||
|
VerifyMIC(mt MICToken) (bool, error) // validate integrity check token along with message
|
||||||
|
Wrap(msg []byte) WrapToken // sign, optionally encrypt, encapsulate
|
||||||
|
Unwrap(wt WrapToken) []byte // decapsulate, decrypt if needed, validate integrity check
|
||||||
|
}
|
||||||
|
|
||||||
|
// OIDName is the type for defined GSS-API OIDs.
|
||||||
|
type OIDName string
|
||||||
|
|
||||||
|
// OID returns the OID for the provided OID name.
|
||||||
|
func (o OIDName) OID() asn1.ObjectIdentifier {
|
||||||
|
switch o {
|
||||||
|
case OIDSPNEGO:
|
||||||
|
return asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}
|
||||||
|
case OIDKRB5:
|
||||||
|
return asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}
|
||||||
|
case OIDMSLegacyKRB5:
|
||||||
|
return asn1.ObjectIdentifier{1, 2, 840, 48018, 1, 2, 2}
|
||||||
|
case OIDGSSIAKerb:
|
||||||
|
return asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 5}
|
||||||
|
}
|
||||||
|
return asn1.ObjectIdentifier{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Status is the GSS-API status and implements the error interface.
|
||||||
|
type Status struct {
|
||||||
|
Code int
|
||||||
|
Message string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Error returns the Status description.
|
||||||
|
func (s Status) Error() string {
|
||||||
|
var str string
|
||||||
|
switch s.Code {
|
||||||
|
case StatusBadBindings:
|
||||||
|
str = "channel binding mismatch"
|
||||||
|
case StatusBadMech:
|
||||||
|
str = "unsupported mechanism requested"
|
||||||
|
case StatusBadName:
|
||||||
|
str = "invalid name provided"
|
||||||
|
case StatusBadNameType:
|
||||||
|
str = "name of unsupported type provided"
|
||||||
|
case StatusBadStatus:
|
||||||
|
str = "invalid input status selector"
|
||||||
|
case StatusBadSig:
|
||||||
|
str = "token had invalid integrity check"
|
||||||
|
case StatusBadMIC:
|
||||||
|
str = "preferred alias for GSS_S_BAD_SIG"
|
||||||
|
case StatusContextExpired:
|
||||||
|
str = "specified security context expired"
|
||||||
|
case StatusCredentialsExpired:
|
||||||
|
str = "expired credentials detected"
|
||||||
|
case StatusDefectiveCredential:
|
||||||
|
str = "defective credential detected"
|
||||||
|
case StatusDefectiveToken:
|
||||||
|
str = "defective token detected"
|
||||||
|
case StatusFailure:
|
||||||
|
str = "failure, unspecified at GSS-API level"
|
||||||
|
case StatusNoContext:
|
||||||
|
str = "no valid security context specified"
|
||||||
|
case StatusNoCred:
|
||||||
|
str = "no valid credentials provided"
|
||||||
|
case StatusBadQOP:
|
||||||
|
str = "unsupported QOP valu"
|
||||||
|
case StatusUnauthorized:
|
||||||
|
str = "operation unauthorized"
|
||||||
|
case StatusUnavailable:
|
||||||
|
str = "operation unavailable"
|
||||||
|
case StatusDuplicateElement:
|
||||||
|
str = "duplicate credential element requested"
|
||||||
|
case StatusNameNotMN:
|
||||||
|
str = "name contains multi-mechanism elements"
|
||||||
|
case StatusComplete:
|
||||||
|
str = "normal completion"
|
||||||
|
case StatusContinueNeeded:
|
||||||
|
str = "continuation call to routine required"
|
||||||
|
case StatusDuplicateToken:
|
||||||
|
str = "duplicate per-message token detected"
|
||||||
|
case StatusOldToken:
|
||||||
|
str = "timed-out per-message token detected"
|
||||||
|
case StatusUnseqToken:
|
||||||
|
str = "reordered (early) per-message token detected"
|
||||||
|
case StatusGapToken:
|
||||||
|
str = "skipped predecessor token(s) detected"
|
||||||
|
default:
|
||||||
|
str = "unknown GSS-API error status"
|
||||||
|
}
|
||||||
|
if s.Message != "" {
|
||||||
|
return fmt.Sprintf("%s: %s", str, s.Message)
|
||||||
|
}
|
||||||
|
return str
|
||||||
|
}
|
193
vendor/github.com/jcmturner/gokrb5/v8/gssapi/wrapToken.go
generated
vendored
Normal file
193
vendor/github.com/jcmturner/gokrb5/v8/gssapi/wrapToken.go
generated
vendored
Normal file
@ -0,0 +1,193 @@
|
|||||||
|
package gssapi
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/hmac"
|
||||||
|
"encoding/binary"
|
||||||
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/iana/keyusage"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// RFC 4121, section 4.2.6.2
|
||||||
|
|
||||||
|
const (
|
||||||
|
HdrLen = 16 // Length of the Wrap Token's header
|
||||||
|
FillerByte byte = 0xFF
|
||||||
|
)
|
||||||
|
|
||||||
|
// WrapToken represents a GSS API Wrap token, as defined in RFC 4121.
|
||||||
|
// It contains the header fields, the payload and the checksum, and provides
|
||||||
|
// the logic for converting to/from bytes plus computing and verifying checksums
|
||||||
|
type WrapToken struct {
|
||||||
|
// const GSS Token ID: 0x0504
|
||||||
|
Flags byte // contains three flags: acceptor, sealed, acceptor subkey
|
||||||
|
// const Filler: 0xFF
|
||||||
|
EC uint16 // checksum length. big-endian
|
||||||
|
RRC uint16 // right rotation count. big-endian
|
||||||
|
SndSeqNum uint64 // sender's sequence number. big-endian
|
||||||
|
Payload []byte // your data! :)
|
||||||
|
CheckSum []byte // authenticated checksum of { payload | header }
|
||||||
|
}
|
||||||
|
|
||||||
|
// Return the 2 bytes identifying a GSS API Wrap token
|
||||||
|
func getGssWrapTokenId() *[2]byte {
|
||||||
|
return &[2]byte{0x05, 0x04}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal the WrapToken into a byte slice.
|
||||||
|
// The payload should have been set and the checksum computed, otherwise an error is returned.
|
||||||
|
func (wt *WrapToken) Marshal() ([]byte, error) {
|
||||||
|
if wt.CheckSum == nil {
|
||||||
|
return nil, errors.New("checksum has not been set")
|
||||||
|
}
|
||||||
|
if wt.Payload == nil {
|
||||||
|
return nil, errors.New("payload has not been set")
|
||||||
|
}
|
||||||
|
|
||||||
|
pldOffset := HdrLen // Offset of the payload in the token
|
||||||
|
chkSOffset := HdrLen + len(wt.Payload) // Offset of the checksum in the token
|
||||||
|
|
||||||
|
bytes := make([]byte, chkSOffset+int(wt.EC))
|
||||||
|
copy(bytes[0:], getGssWrapTokenId()[:])
|
||||||
|
bytes[2] = wt.Flags
|
||||||
|
bytes[3] = FillerByte
|
||||||
|
binary.BigEndian.PutUint16(bytes[4:6], wt.EC)
|
||||||
|
binary.BigEndian.PutUint16(bytes[6:8], wt.RRC)
|
||||||
|
binary.BigEndian.PutUint64(bytes[8:16], wt.SndSeqNum)
|
||||||
|
copy(bytes[pldOffset:], wt.Payload)
|
||||||
|
copy(bytes[chkSOffset:], wt.CheckSum)
|
||||||
|
return bytes, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetCheckSum uses the passed encryption key and key usage to compute the checksum over the payload and
|
||||||
|
// the header, and sets the CheckSum field of this WrapToken.
|
||||||
|
// If the payload has not been set or the checksum has already been set, an error is returned.
|
||||||
|
func (wt *WrapToken) SetCheckSum(key types.EncryptionKey, keyUsage uint32) error {
|
||||||
|
if wt.Payload == nil {
|
||||||
|
return errors.New("payload has not been set")
|
||||||
|
}
|
||||||
|
if wt.CheckSum != nil {
|
||||||
|
return errors.New("checksum has already been computed")
|
||||||
|
}
|
||||||
|
chkSum, cErr := wt.computeCheckSum(key, keyUsage)
|
||||||
|
if cErr != nil {
|
||||||
|
return cErr
|
||||||
|
}
|
||||||
|
wt.CheckSum = chkSum
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ComputeCheckSum computes and returns the checksum of this token, computed using the passed key and key usage.
|
||||||
|
// Note: This will NOT update the struct's Checksum field.
|
||||||
|
func (wt *WrapToken) computeCheckSum(key types.EncryptionKey, keyUsage uint32) ([]byte, error) {
|
||||||
|
if wt.Payload == nil {
|
||||||
|
return nil, errors.New("cannot compute checksum with uninitialized payload")
|
||||||
|
}
|
||||||
|
// Build a slice containing { payload | header }
|
||||||
|
checksumMe := make([]byte, HdrLen+len(wt.Payload))
|
||||||
|
copy(checksumMe[0:], wt.Payload)
|
||||||
|
copy(checksumMe[len(wt.Payload):], getChecksumHeader(wt.Flags, wt.SndSeqNum))
|
||||||
|
|
||||||
|
encType, err := crypto.GetEtype(key.KeyType)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return encType.GetChecksumHash(key.KeyValue, checksumMe, keyUsage)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Build a header suitable for a checksum computation
|
||||||
|
func getChecksumHeader(flags byte, senderSeqNum uint64) []byte {
|
||||||
|
header := make([]byte, 16)
|
||||||
|
copy(header[0:], []byte{0x05, 0x04, flags, 0xFF, 0x00, 0x00, 0x00, 0x00})
|
||||||
|
binary.BigEndian.PutUint64(header[8:], senderSeqNum)
|
||||||
|
return header
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify computes the token's checksum with the provided key and usage,
|
||||||
|
// and compares it to the checksum present in the token.
|
||||||
|
// In case of any failure, (false, Err) is returned, with Err an explanatory error.
|
||||||
|
func (wt *WrapToken) Verify(key types.EncryptionKey, keyUsage uint32) (bool, error) {
|
||||||
|
computed, cErr := wt.computeCheckSum(key, keyUsage)
|
||||||
|
if cErr != nil {
|
||||||
|
return false, cErr
|
||||||
|
}
|
||||||
|
if !hmac.Equal(computed, wt.CheckSum) {
|
||||||
|
return false, fmt.Errorf(
|
||||||
|
"checksum mismatch. Computed: %s, Contained in token: %s",
|
||||||
|
hex.EncodeToString(computed), hex.EncodeToString(wt.CheckSum))
|
||||||
|
}
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unmarshal bytes into the corresponding WrapToken.
|
||||||
|
// If expectFromAcceptor is true, we expect the token to have been emitted by the gss acceptor,
|
||||||
|
// and will check the according flag, returning an error if the token does not match the expectation.
|
||||||
|
func (wt *WrapToken) Unmarshal(b []byte, expectFromAcceptor bool) error {
|
||||||
|
// Check if we can read a whole header
|
||||||
|
if len(b) < 16 {
|
||||||
|
return errors.New("bytes shorter than header length")
|
||||||
|
}
|
||||||
|
// Is the Token ID correct?
|
||||||
|
if !bytes.Equal(getGssWrapTokenId()[:], b[0:2]) {
|
||||||
|
return fmt.Errorf("wrong Token ID. Expected %s, was %s",
|
||||||
|
hex.EncodeToString(getGssWrapTokenId()[:]),
|
||||||
|
hex.EncodeToString(b[0:2]))
|
||||||
|
}
|
||||||
|
// Check the acceptor flag
|
||||||
|
flags := b[2]
|
||||||
|
isFromAcceptor := flags&0x01 == 1
|
||||||
|
if isFromAcceptor && !expectFromAcceptor {
|
||||||
|
return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
|
||||||
|
}
|
||||||
|
if !isFromAcceptor && expectFromAcceptor {
|
||||||
|
return errors.New("expected acceptor flag is not set: expecting a token from the acceptor, not the initiator")
|
||||||
|
}
|
||||||
|
// Check the filler byte
|
||||||
|
if b[3] != FillerByte {
|
||||||
|
return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(b[3:4]))
|
||||||
|
}
|
||||||
|
checksumL := binary.BigEndian.Uint16(b[4:6])
|
||||||
|
// Sanity check on the checksum length
|
||||||
|
if int(checksumL) > len(b)-HdrLen {
|
||||||
|
return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(b), checksumL)
|
||||||
|
}
|
||||||
|
|
||||||
|
wt.Flags = flags
|
||||||
|
wt.EC = checksumL
|
||||||
|
wt.RRC = binary.BigEndian.Uint16(b[6:8])
|
||||||
|
wt.SndSeqNum = binary.BigEndian.Uint64(b[8:16])
|
||||||
|
wt.Payload = b[16 : len(b)-int(checksumL)]
|
||||||
|
wt.CheckSum = b[len(b)-int(checksumL):]
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewInitiatorWrapToken builds a new initiator token (acceptor flag will be set to 0) and computes the authenticated checksum.
|
||||||
|
// Other flags are set to 0, and the RRC and sequence number are initialized to 0.
|
||||||
|
// Note that in certain circumstances you may need to provide a sequence number that has been defined earlier.
|
||||||
|
// This is currently not supported.
|
||||||
|
func NewInitiatorWrapToken(payload []byte, key types.EncryptionKey) (*WrapToken, error) {
|
||||||
|
encType, err := crypto.GetEtype(key.KeyType)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
token := WrapToken{
|
||||||
|
Flags: 0x00, // all zeroed out (this is a token sent by the initiator)
|
||||||
|
// Checksum size: length of output of the HMAC function, in bytes.
|
||||||
|
EC: uint16(encType.GetHMACBitLength() / 8),
|
||||||
|
RRC: 0,
|
||||||
|
SndSeqNum: 0,
|
||||||
|
Payload: payload,
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := token.SetCheckSum(key, keyusage.GSSAPI_INITIATOR_SEAL); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &token, nil
|
||||||
|
}
|
15
vendor/github.com/jcmturner/gokrb5/v8/iana/addrtype/constants.go
generated
vendored
Normal file
15
vendor/github.com/jcmturner/gokrb5/v8/iana/addrtype/constants.go
generated
vendored
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
// Package addrtype provides Address type assigned numbers.
|
||||||
|
package addrtype
|
||||||
|
|
||||||
|
// Address type IDs.
|
||||||
|
const (
|
||||||
|
IPv4 int32 = 2
|
||||||
|
Directional int32 = 3
|
||||||
|
ChaosNet int32 = 5
|
||||||
|
XNS int32 = 6
|
||||||
|
ISO int32 = 7
|
||||||
|
DECNETPhaseIV int32 = 12
|
||||||
|
AppleTalkDDP int32 = 16
|
||||||
|
NetBios int32 = 20
|
||||||
|
IPv6 int32 = 24
|
||||||
|
)
|
23
vendor/github.com/jcmturner/gokrb5/v8/iana/adtype/constants.go
generated
vendored
Normal file
23
vendor/github.com/jcmturner/gokrb5/v8/iana/adtype/constants.go
generated
vendored
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
// Package adtype provides Authenticator type assigned numbers.
|
||||||
|
package adtype
|
||||||
|
|
||||||
|
// Authenticator type IDs.
|
||||||
|
const (
|
||||||
|
ADIfRelevant int32 = 1
|
||||||
|
ADIntendedForServer int32 = 2
|
||||||
|
ADIntendedForApplicationClass int32 = 3
|
||||||
|
ADKDCIssued int32 = 4
|
||||||
|
ADAndOr int32 = 5
|
||||||
|
ADMandatoryTicketExtensions int32 = 6
|
||||||
|
ADInTicketExtensions int32 = 7
|
||||||
|
ADMandatoryForKDC int32 = 8
|
||||||
|
OSFDCE int32 = 64
|
||||||
|
SESAME int32 = 65
|
||||||
|
ADOSFDCEPKICertID int32 = 66
|
||||||
|
ADAuthenticationStrength int32 = 70
|
||||||
|
ADFXFastArmor int32 = 71
|
||||||
|
ADFXFastUsed int32 = 72
|
||||||
|
ADWin2KPAC int32 = 128
|
||||||
|
ADEtypeNegotiation int32 = 129
|
||||||
|
//Reserved values 9-63
|
||||||
|
)
|
24
vendor/github.com/jcmturner/gokrb5/v8/iana/asnAppTag/constants.go
generated
vendored
Normal file
24
vendor/github.com/jcmturner/gokrb5/v8/iana/asnAppTag/constants.go
generated
vendored
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
// Package asnAppTag provides ASN1 application tag numbers.
|
||||||
|
package asnAppTag
|
||||||
|
|
||||||
|
// ASN1 application tag numbers.
|
||||||
|
const (
|
||||||
|
Ticket = 1
|
||||||
|
Authenticator = 2
|
||||||
|
EncTicketPart = 3
|
||||||
|
ASREQ = 10
|
||||||
|
TGSREQ = 12
|
||||||
|
ASREP = 11
|
||||||
|
TGSREP = 13
|
||||||
|
APREQ = 14
|
||||||
|
APREP = 15
|
||||||
|
KRBSafe = 20
|
||||||
|
KRBPriv = 21
|
||||||
|
KRBCred = 22
|
||||||
|
EncASRepPart = 25
|
||||||
|
EncTGSRepPart = 26
|
||||||
|
EncAPRepPart = 27
|
||||||
|
EncKrbPrivPart = 28
|
||||||
|
EncKrbCredPart = 29
|
||||||
|
KRBError = 30
|
||||||
|
)
|
32
vendor/github.com/jcmturner/gokrb5/v8/iana/chksumtype/constants.go
generated
vendored
Normal file
32
vendor/github.com/jcmturner/gokrb5/v8/iana/chksumtype/constants.go
generated
vendored
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
// Package chksumtype provides Kerberos 5 checksum type assigned numbers.
|
||||||
|
package chksumtype
|
||||||
|
|
||||||
|
// Checksum type IDs.
|
||||||
|
const (
|
||||||
|
//RESERVED : 0
|
||||||
|
CRC32 int32 = 1
|
||||||
|
RSA_MD4 int32 = 2
|
||||||
|
RSA_MD4_DES int32 = 3
|
||||||
|
DES_MAC int32 = 4
|
||||||
|
DES_MAC_K int32 = 5
|
||||||
|
RSA_MD4_DES_K int32 = 6
|
||||||
|
RSA_MD5 int32 = 7
|
||||||
|
RSA_MD5_DES int32 = 8
|
||||||
|
RSA_MD5_DES3 int32 = 9
|
||||||
|
SHA1_ID10 int32 = 10
|
||||||
|
//UNASSIGNED : 11
|
||||||
|
HMAC_SHA1_DES3_KD int32 = 12
|
||||||
|
HMAC_SHA1_DES3 int32 = 13
|
||||||
|
SHA1_ID14 int32 = 14
|
||||||
|
HMAC_SHA1_96_AES128 int32 = 15
|
||||||
|
HMAC_SHA1_96_AES256 int32 = 16
|
||||||
|
CMAC_CAMELLIA128 int32 = 17
|
||||||
|
CMAC_CAMELLIA256 int32 = 18
|
||||||
|
HMAC_SHA256_128_AES128 int32 = 19
|
||||||
|
HMAC_SHA384_192_AES256 int32 = 20
|
||||||
|
//UNASSIGNED : 21-32770
|
||||||
|
GSSAPI int32 = 32771
|
||||||
|
//UNASSIGNED : 32772-2147483647
|
||||||
|
KERB_CHECKSUM_HMAC_MD5_UNSIGNED uint32 = 4294967158 // 0xFFFFFF76 documentation says this is -138 but in an unsigned int this is 4294967158
|
||||||
|
KERB_CHECKSUM_HMAC_MD5 int32 = -138
|
||||||
|
)
|
5
vendor/github.com/jcmturner/gokrb5/v8/iana/constants.go
generated
vendored
Normal file
5
vendor/github.com/jcmturner/gokrb5/v8/iana/constants.go
generated
vendored
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
// Package iana provides Kerberos 5 assigned numbers.
|
||||||
|
package iana
|
||||||
|
|
||||||
|
// PVNO is the Protocol Version Number.
|
||||||
|
const PVNO = 5
|
155
vendor/github.com/jcmturner/gokrb5/v8/iana/errorcode/constants.go
generated
vendored
Normal file
155
vendor/github.com/jcmturner/gokrb5/v8/iana/errorcode/constants.go
generated
vendored
Normal file
@ -0,0 +1,155 @@
|
|||||||
|
// Package errorcode provides Kerberos 5 assigned error codes.
|
||||||
|
package errorcode
|
||||||
|
|
||||||
|
import "fmt"
|
||||||
|
|
||||||
|
// Kerberos error codes.
|
||||||
|
const (
|
||||||
|
KDC_ERR_NONE int32 = 0 //No error
|
||||||
|
KDC_ERR_NAME_EXP int32 = 1 //Client's entry in database has expired
|
||||||
|
KDC_ERR_SERVICE_EXP int32 = 2 //Server's entry in database has expired
|
||||||
|
KDC_ERR_BAD_PVNO int32 = 3 //Requested protocol version number not supported
|
||||||
|
KDC_ERR_C_OLD_MAST_KVNO int32 = 4 //Client's key encrypted in old master key
|
||||||
|
KDC_ERR_S_OLD_MAST_KVNO int32 = 5 //Server's key encrypted in old master key
|
||||||
|
KDC_ERR_C_PRINCIPAL_UNKNOWN int32 = 6 //Client not found in Kerberos database
|
||||||
|
KDC_ERR_S_PRINCIPAL_UNKNOWN int32 = 7 //Server not found in Kerberos database
|
||||||
|
KDC_ERR_PRINCIPAL_NOT_UNIQUE int32 = 8 //Multiple principal entries in database
|
||||||
|
KDC_ERR_NULL_KEY int32 = 9 //The client or server has a null key
|
||||||
|
KDC_ERR_CANNOT_POSTDATE int32 = 10 //Ticket not eligible for postdating
|
||||||
|
KDC_ERR_NEVER_VALID int32 = 11 //Requested starttime is later than end time
|
||||||
|
KDC_ERR_POLICY int32 = 12 //KDC policy rejects request
|
||||||
|
KDC_ERR_BADOPTION int32 = 13 //KDC cannot accommodate requested option
|
||||||
|
KDC_ERR_ETYPE_NOSUPP int32 = 14 //KDC has no support for encryption type
|
||||||
|
KDC_ERR_SUMTYPE_NOSUPP int32 = 15 //KDC has no support for checksum type
|
||||||
|
KDC_ERR_PADATA_TYPE_NOSUPP int32 = 16 //KDC has no support for padata type
|
||||||
|
KDC_ERR_TRTYPE_NOSUPP int32 = 17 //KDC has no support for transited type
|
||||||
|
KDC_ERR_CLIENT_REVOKED int32 = 18 //Clients credentials have been revoked
|
||||||
|
KDC_ERR_SERVICE_REVOKED int32 = 19 //Credentials for server have been revoked
|
||||||
|
KDC_ERR_TGT_REVOKED int32 = 20 //TGT has been revoked
|
||||||
|
KDC_ERR_CLIENT_NOTYET int32 = 21 //Client not yet valid; try again later
|
||||||
|
KDC_ERR_SERVICE_NOTYET int32 = 22 //Server not yet valid; try again later
|
||||||
|
KDC_ERR_KEY_EXPIRED int32 = 23 //Password has expired; change password to reset
|
||||||
|
KDC_ERR_PREAUTH_FAILED int32 = 24 //Pre-authentication information was invalid
|
||||||
|
KDC_ERR_PREAUTH_REQUIRED int32 = 25 //Additional pre-authentication required
|
||||||
|
KDC_ERR_SERVER_NOMATCH int32 = 26 //Requested server and ticket don't match
|
||||||
|
KDC_ERR_MUST_USE_USER2USER int32 = 27 //Server principal valid for user2user only
|
||||||
|
KDC_ERR_PATH_NOT_ACCEPTED int32 = 28 //KDC Policy rejects transited path
|
||||||
|
KDC_ERR_SVC_UNAVAILABLE int32 = 29 //A service is not available
|
||||||
|
KRB_AP_ERR_BAD_INTEGRITY int32 = 31 //Integrity check on decrypted field failed
|
||||||
|
KRB_AP_ERR_TKT_EXPIRED int32 = 32 //Ticket expired
|
||||||
|
KRB_AP_ERR_TKT_NYV int32 = 33 //Ticket not yet valid
|
||||||
|
KRB_AP_ERR_REPEAT int32 = 34 //Request is a replay
|
||||||
|
KRB_AP_ERR_NOT_US int32 = 35 //The ticket isn't for us
|
||||||
|
KRB_AP_ERR_BADMATCH int32 = 36 //Ticket and authenticator don't match
|
||||||
|
KRB_AP_ERR_SKEW int32 = 37 //Clock skew too great
|
||||||
|
KRB_AP_ERR_BADADDR int32 = 38 //Incorrect net address
|
||||||
|
KRB_AP_ERR_BADVERSION int32 = 39 //Protocol version mismatch
|
||||||
|
KRB_AP_ERR_MSG_TYPE int32 = 40 //Invalid msg type
|
||||||
|
KRB_AP_ERR_MODIFIED int32 = 41 //Message stream modified
|
||||||
|
KRB_AP_ERR_BADORDER int32 = 42 //Message out of order
|
||||||
|
KRB_AP_ERR_BADKEYVER int32 = 44 //Specified version of key is not available
|
||||||
|
KRB_AP_ERR_NOKEY int32 = 45 //Service key not available
|
||||||
|
KRB_AP_ERR_MUT_FAIL int32 = 46 //Mutual authentication failed
|
||||||
|
KRB_AP_ERR_BADDIRECTION int32 = 47 //Incorrect message direction
|
||||||
|
KRB_AP_ERR_METHOD int32 = 48 //Alternative authentication method required
|
||||||
|
KRB_AP_ERR_BADSEQ int32 = 49 //Incorrect sequence number in message
|
||||||
|
KRB_AP_ERR_INAPP_CKSUM int32 = 50 //Inappropriate type of checksum in message
|
||||||
|
KRB_AP_PATH_NOT_ACCEPTED int32 = 51 //Policy rejects transited path
|
||||||
|
KRB_ERR_RESPONSE_TOO_BIG int32 = 52 //Response too big for UDP; retry with TCP
|
||||||
|
KRB_ERR_GENERIC int32 = 60 //Generic error (description in e-text)
|
||||||
|
KRB_ERR_FIELD_TOOLONG int32 = 61 //Field is too long for this implementation
|
||||||
|
KDC_ERROR_CLIENT_NOT_TRUSTED int32 = 62 //Reserved for PKINIT
|
||||||
|
KDC_ERROR_KDC_NOT_TRUSTED int32 = 63 //Reserved for PKINIT
|
||||||
|
KDC_ERROR_INVALID_SIG int32 = 64 //Reserved for PKINIT
|
||||||
|
KDC_ERR_KEY_TOO_WEAK int32 = 65 //Reserved for PKINIT
|
||||||
|
KDC_ERR_CERTIFICATE_MISMATCH int32 = 66 //Reserved for PKINIT
|
||||||
|
KRB_AP_ERR_NO_TGT int32 = 67 //No TGT available to validate USER-TO-USER
|
||||||
|
KDC_ERR_WRONG_REALM int32 = 68 //Reserved for future use
|
||||||
|
KRB_AP_ERR_USER_TO_USER_REQUIRED int32 = 69 //Ticket must be for USER-TO-USER
|
||||||
|
KDC_ERR_CANT_VERIFY_CERTIFICATE int32 = 70 //Reserved for PKINIT
|
||||||
|
KDC_ERR_INVALID_CERTIFICATE int32 = 71 //Reserved for PKINIT
|
||||||
|
KDC_ERR_REVOKED_CERTIFICATE int32 = 72 //Reserved for PKINIT
|
||||||
|
KDC_ERR_REVOCATION_STATUS_UNKNOWN int32 = 73 //Reserved for PKINIT
|
||||||
|
KDC_ERR_REVOCATION_STATUS_UNAVAILABLE int32 = 74 //Reserved for PKINIT
|
||||||
|
KDC_ERR_CLIENT_NAME_MISMATCH int32 = 75 //Reserved for PKINIT
|
||||||
|
KDC_ERR_KDC_NAME_MISMATCH int32 = 76 //Reserved for PKINIT
|
||||||
|
)
|
||||||
|
|
||||||
|
// Lookup an error code description.
|
||||||
|
func Lookup(i int32) string {
|
||||||
|
if s, ok := errorcodeLookup[i]; ok {
|
||||||
|
return fmt.Sprintf("(%d) %s", i, s)
|
||||||
|
}
|
||||||
|
return fmt.Sprintf("Unknown ErrorCode %d", i)
|
||||||
|
}
|
||||||
|
|
||||||
|
var errorcodeLookup = map[int32]string{
|
||||||
|
KDC_ERR_NONE: "KDC_ERR_NONE No error",
|
||||||
|
KDC_ERR_NAME_EXP: "KDC_ERR_NAME_EXP Client's entry in database has expired",
|
||||||
|
KDC_ERR_SERVICE_EXP: "KDC_ERR_SERVICE_EXP Server's entry in database has expired",
|
||||||
|
KDC_ERR_BAD_PVNO: "KDC_ERR_BAD_PVNO Requested protocol version number not supported",
|
||||||
|
KDC_ERR_C_OLD_MAST_KVNO: "KDC_ERR_C_OLD_MAST_KVNO Client's key encrypted in old master key",
|
||||||
|
KDC_ERR_S_OLD_MAST_KVNO: "KDC_ERR_S_OLD_MAST_KVNO Server's key encrypted in old master key",
|
||||||
|
KDC_ERR_C_PRINCIPAL_UNKNOWN: "KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database",
|
||||||
|
KDC_ERR_S_PRINCIPAL_UNKNOWN: "KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database",
|
||||||
|
KDC_ERR_PRINCIPAL_NOT_UNIQUE: "KDC_ERR_PRINCIPAL_NOT_UNIQUE Multiple principal entries in database",
|
||||||
|
KDC_ERR_NULL_KEY: "KDC_ERR_NULL_KEY The client or server has a null key",
|
||||||
|
KDC_ERR_CANNOT_POSTDATE: "KDC_ERR_CANNOT_POSTDATE Ticket not eligible for postdating",
|
||||||
|
KDC_ERR_NEVER_VALID: "KDC_ERR_NEVER_VALID Requested starttime is later than end time",
|
||||||
|
KDC_ERR_POLICY: "KDC_ERR_POLICY KDC policy rejects request",
|
||||||
|
KDC_ERR_BADOPTION: "KDC_ERR_BADOPTION KDC cannot accommodate requested option",
|
||||||
|
KDC_ERR_ETYPE_NOSUPP: "KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type",
|
||||||
|
KDC_ERR_SUMTYPE_NOSUPP: "KDC_ERR_SUMTYPE_NOSUPP KDC has no support for checksum type",
|
||||||
|
KDC_ERR_PADATA_TYPE_NOSUPP: "KDC_ERR_PADATA_TYPE_NOSUPP KDC has no support for padata type",
|
||||||
|
KDC_ERR_TRTYPE_NOSUPP: "KDC_ERR_TRTYPE_NOSUPP KDC has no support for transited type",
|
||||||
|
KDC_ERR_CLIENT_REVOKED: "KDC_ERR_CLIENT_REVOKED Clients credentials have been revoked",
|
||||||
|
KDC_ERR_SERVICE_REVOKED: "KDC_ERR_SERVICE_REVOKED Credentials for server have been revoked",
|
||||||
|
KDC_ERR_TGT_REVOKED: "KDC_ERR_TGT_REVOKED TGT has been revoked",
|
||||||
|
KDC_ERR_CLIENT_NOTYET: "KDC_ERR_CLIENT_NOTYET Client not yet valid; try again later",
|
||||||
|
KDC_ERR_SERVICE_NOTYET: "KDC_ERR_SERVICE_NOTYET Server not yet valid; try again later",
|
||||||
|
KDC_ERR_KEY_EXPIRED: "KDC_ERR_KEY_EXPIRED Password has expired; change password to reset",
|
||||||
|
KDC_ERR_PREAUTH_FAILED: "KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid",
|
||||||
|
KDC_ERR_PREAUTH_REQUIRED: "KDC_ERR_PREAUTH_REQUIRED Additional pre-authentication required",
|
||||||
|
KDC_ERR_SERVER_NOMATCH: "KDC_ERR_SERVER_NOMATCH Requested server and ticket don't match",
|
||||||
|
KDC_ERR_MUST_USE_USER2USER: "KDC_ERR_MUST_USE_USER2USER Server principal valid for user2user only",
|
||||||
|
KDC_ERR_PATH_NOT_ACCEPTED: "KDC_ERR_PATH_NOT_ACCEPTED KDC Policy rejects transited path",
|
||||||
|
KDC_ERR_SVC_UNAVAILABLE: "KDC_ERR_SVC_UNAVAILABLE A service is not available",
|
||||||
|
KRB_AP_ERR_BAD_INTEGRITY: "KRB_AP_ERR_BAD_INTEGRITY Integrity check on decrypted field failed",
|
||||||
|
KRB_AP_ERR_TKT_EXPIRED: "KRB_AP_ERR_TKT_EXPIRED Ticket expired",
|
||||||
|
KRB_AP_ERR_TKT_NYV: "KRB_AP_ERR_TKT_NYV Ticket not yet valid",
|
||||||
|
KRB_AP_ERR_REPEAT: "KRB_AP_ERR_REPEAT Request is a replay",
|
||||||
|
KRB_AP_ERR_NOT_US: "KRB_AP_ERR_NOT_US The ticket isn't for us",
|
||||||
|
KRB_AP_ERR_BADMATCH: "KRB_AP_ERR_BADMATCH Ticket and authenticator don't match",
|
||||||
|
KRB_AP_ERR_SKEW: "KRB_AP_ERR_SKEW Clock skew too great",
|
||||||
|
KRB_AP_ERR_BADADDR: "KRB_AP_ERR_BADADDR Incorrect net address",
|
||||||
|
KRB_AP_ERR_BADVERSION: "KRB_AP_ERR_BADVERSION Protocol version mismatch",
|
||||||
|
KRB_AP_ERR_MSG_TYPE: "KRB_AP_ERR_MSG_TYPE Invalid msg type",
|
||||||
|
KRB_AP_ERR_MODIFIED: "KRB_AP_ERR_MODIFIED Message stream modified",
|
||||||
|
KRB_AP_ERR_BADORDER: "KRB_AP_ERR_BADORDER Message out of order",
|
||||||
|
KRB_AP_ERR_BADKEYVER: "KRB_AP_ERR_BADKEYVER Specified version of key is not available",
|
||||||
|
KRB_AP_ERR_NOKEY: "KRB_AP_ERR_NOKEY Service key not available",
|
||||||
|
KRB_AP_ERR_MUT_FAIL: "KRB_AP_ERR_MUT_FAIL Mutual authentication failed",
|
||||||
|
KRB_AP_ERR_BADDIRECTION: "KRB_AP_ERR_BADDIRECTION Incorrect message direction",
|
||||||
|
KRB_AP_ERR_METHOD: "KRB_AP_ERR_METHOD Alternative authentication method required",
|
||||||
|
KRB_AP_ERR_BADSEQ: "KRB_AP_ERR_BADSEQ Incorrect sequence number in message",
|
||||||
|
KRB_AP_ERR_INAPP_CKSUM: "KRB_AP_ERR_INAPP_CKSUM Inappropriate type of checksum in message",
|
||||||
|
KRB_AP_PATH_NOT_ACCEPTED: "KRB_AP_PATH_NOT_ACCEPTED Policy rejects transited path",
|
||||||
|
KRB_ERR_RESPONSE_TOO_BIG: "KRB_ERR_RESPONSE_TOO_BIG Response too big for UDP; retry with TCP",
|
||||||
|
KRB_ERR_GENERIC: "KRB_ERR_GENERIC Generic error (description in e-text)",
|
||||||
|
KRB_ERR_FIELD_TOOLONG: "KRB_ERR_FIELD_TOOLONG Field is too long for this implementation",
|
||||||
|
KDC_ERROR_CLIENT_NOT_TRUSTED: "KDC_ERROR_CLIENT_NOT_TRUSTED Reserved for PKINIT",
|
||||||
|
KDC_ERROR_KDC_NOT_TRUSTED: "KDC_ERROR_KDC_NOT_TRUSTED Reserved for PKINIT",
|
||||||
|
KDC_ERROR_INVALID_SIG: "KDC_ERROR_INVALID_SIG Reserved for PKINIT",
|
||||||
|
KDC_ERR_KEY_TOO_WEAK: "KDC_ERR_KEY_TOO_WEAK Reserved for PKINIT",
|
||||||
|
KDC_ERR_CERTIFICATE_MISMATCH: "KDC_ERR_CERTIFICATE_MISMATCH Reserved for PKINIT",
|
||||||
|
KRB_AP_ERR_NO_TGT: "KRB_AP_ERR_NO_TGT No TGT available to validate USER-TO-USER",
|
||||||
|
KDC_ERR_WRONG_REALM: "KDC_ERR_WRONG_REALM Reserved for future use",
|
||||||
|
KRB_AP_ERR_USER_TO_USER_REQUIRED: "KRB_AP_ERR_USER_TO_USER_REQUIRED Ticket must be for USER-TO-USER",
|
||||||
|
KDC_ERR_CANT_VERIFY_CERTIFICATE: "KDC_ERR_CANT_VERIFY_CERTIFICATE Reserved for PKINIT",
|
||||||
|
KDC_ERR_INVALID_CERTIFICATE: "KDC_ERR_INVALID_CERTIFICATE Reserved for PKINIT",
|
||||||
|
KDC_ERR_REVOKED_CERTIFICATE: "KDC_ERR_REVOKED_CERTIFICATE Reserved for PKINIT",
|
||||||
|
KDC_ERR_REVOCATION_STATUS_UNKNOWN: "KDC_ERR_REVOCATION_STATUS_UNKNOWN Reserved for PKINIT",
|
||||||
|
KDC_ERR_REVOCATION_STATUS_UNAVAILABLE: "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE Reserved for PKINIT",
|
||||||
|
KDC_ERR_CLIENT_NAME_MISMATCH: "KDC_ERR_CLIENT_NAME_MISMATCH Reserved for PKINIT",
|
||||||
|
KDC_ERR_KDC_NAME_MISMATCH: "KDC_ERR_KDC_NAME_MISMATCH Reserved for PKINIT",
|
||||||
|
}
|
101
vendor/github.com/jcmturner/gokrb5/v8/iana/etypeID/constants.go
generated
vendored
Normal file
101
vendor/github.com/jcmturner/gokrb5/v8/iana/etypeID/constants.go
generated
vendored
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
// Package etypeID provides Kerberos 5 encryption type assigned numbers.
|
||||||
|
package etypeID
|
||||||
|
|
||||||
|
// Kerberos encryption type assigned numbers.
|
||||||
|
const (
|
||||||
|
//RESERVED : 0
|
||||||
|
DES_CBC_CRC int32 = 1
|
||||||
|
DES_CBC_MD4 int32 = 2
|
||||||
|
DES_CBC_MD5 int32 = 3
|
||||||
|
DES_CBC_RAW int32 = 4
|
||||||
|
DES3_CBC_MD5 int32 = 5
|
||||||
|
DES3_CBC_RAW int32 = 6
|
||||||
|
DES3_CBC_SHA1 int32 = 7
|
||||||
|
DES_HMAC_SHA1 int32 = 8
|
||||||
|
DSAWITHSHA1_CMSOID int32 = 9
|
||||||
|
MD5WITHRSAENCRYPTION_CMSOID int32 = 10
|
||||||
|
SHA1WITHRSAENCRYPTION_CMSOID int32 = 11
|
||||||
|
RC2CBC_ENVOID int32 = 12
|
||||||
|
RSAENCRYPTION_ENVOID int32 = 13
|
||||||
|
RSAES_OAEP_ENV_OID int32 = 14
|
||||||
|
DES_EDE3_CBC_ENV_OID int32 = 15
|
||||||
|
DES3_CBC_SHA1_KD int32 = 16
|
||||||
|
AES128_CTS_HMAC_SHA1_96 int32 = 17
|
||||||
|
AES256_CTS_HMAC_SHA1_96 int32 = 18
|
||||||
|
AES128_CTS_HMAC_SHA256_128 int32 = 19
|
||||||
|
AES256_CTS_HMAC_SHA384_192 int32 = 20
|
||||||
|
//UNASSIGNED : 21-22
|
||||||
|
RC4_HMAC int32 = 23
|
||||||
|
RC4_HMAC_EXP int32 = 24
|
||||||
|
CAMELLIA128_CTS_CMAC int32 = 25
|
||||||
|
CAMELLIA256_CTS_CMAC int32 = 26
|
||||||
|
//UNASSIGNED : 27-64
|
||||||
|
SUBKEY_KEYMATERIAL int32 = 65
|
||||||
|
//UNASSIGNED : 66-2147483647
|
||||||
|
)
|
||||||
|
|
||||||
|
// ETypesByName is a map of EncType names to their assigned EncType number.
|
||||||
|
var ETypesByName = map[string]int32{
|
||||||
|
"des-cbc-crc": DES_CBC_CRC,
|
||||||
|
"des-cbc-md4": DES_CBC_MD4,
|
||||||
|
"des-cbc-md5": DES_CBC_MD5,
|
||||||
|
"des-cbc-raw": DES_CBC_RAW,
|
||||||
|
"des3-cbc-md5": DES3_CBC_MD5,
|
||||||
|
"des3-cbc-raw": DES3_CBC_RAW,
|
||||||
|
"des3-cbc-sha1": DES3_CBC_SHA1,
|
||||||
|
"des3-hmac-sha1": DES_HMAC_SHA1,
|
||||||
|
"des3-cbc-sha1-kd": DES3_CBC_SHA1_KD,
|
||||||
|
"des-hmac-sha1": DES_HMAC_SHA1,
|
||||||
|
"dsaWithSHA1-CmsOID": DSAWITHSHA1_CMSOID,
|
||||||
|
"md5WithRSAEncryption-CmsOID": MD5WITHRSAENCRYPTION_CMSOID,
|
||||||
|
"sha1WithRSAEncryption-CmsOID": SHA1WITHRSAENCRYPTION_CMSOID,
|
||||||
|
"rc2CBC-EnvOID": RC2CBC_ENVOID,
|
||||||
|
"rsaEncryption-EnvOID": RSAENCRYPTION_ENVOID,
|
||||||
|
"rsaES-OAEP-ENV-OID": RSAES_OAEP_ENV_OID,
|
||||||
|
"des-ede3-cbc-Env-OID": DES_EDE3_CBC_ENV_OID,
|
||||||
|
"aes128-cts-hmac-sha1-96": AES128_CTS_HMAC_SHA1_96,
|
||||||
|
"aes128-cts": AES128_CTS_HMAC_SHA1_96,
|
||||||
|
"aes128-sha1": AES128_CTS_HMAC_SHA1_96,
|
||||||
|
"aes256-cts-hmac-sha1-96": AES256_CTS_HMAC_SHA1_96,
|
||||||
|
"aes256-cts": AES256_CTS_HMAC_SHA1_96,
|
||||||
|
"aes256-sha1": AES256_CTS_HMAC_SHA1_96,
|
||||||
|
"aes128-cts-hmac-sha256-128": AES128_CTS_HMAC_SHA256_128,
|
||||||
|
"aes128-sha2": AES128_CTS_HMAC_SHA256_128,
|
||||||
|
"aes256-cts-hmac-sha384-192": AES256_CTS_HMAC_SHA384_192,
|
||||||
|
"aes256-sha2": AES256_CTS_HMAC_SHA384_192,
|
||||||
|
"arcfour-hmac": RC4_HMAC,
|
||||||
|
"rc4-hmac": RC4_HMAC,
|
||||||
|
"arcfour-hmac-md5": RC4_HMAC,
|
||||||
|
"arcfour-hmac-exp": RC4_HMAC_EXP,
|
||||||
|
"rc4-hmac-exp": RC4_HMAC_EXP,
|
||||||
|
"arcfour-hmac-md5-exp": RC4_HMAC_EXP,
|
||||||
|
"camellia128-cts-cmac": CAMELLIA128_CTS_CMAC,
|
||||||
|
"camellia128-cts": CAMELLIA128_CTS_CMAC,
|
||||||
|
"camellia256-cts-cmac": CAMELLIA256_CTS_CMAC,
|
||||||
|
"camellia256-cts": CAMELLIA256_CTS_CMAC,
|
||||||
|
"subkey-keymaterial": SUBKEY_KEYMATERIAL,
|
||||||
|
}
|
||||||
|
|
||||||
|
// EtypeSupported resolves the etype name string to the etype ID.
|
||||||
|
// If zero is returned the etype is not supported by gokrb5.
|
||||||
|
func EtypeSupported(etype string) int32 {
|
||||||
|
// Slice of supported enctype IDs
|
||||||
|
s := []int32{
|
||||||
|
AES128_CTS_HMAC_SHA1_96,
|
||||||
|
AES256_CTS_HMAC_SHA1_96,
|
||||||
|
AES128_CTS_HMAC_SHA256_128,
|
||||||
|
AES256_CTS_HMAC_SHA384_192,
|
||||||
|
DES3_CBC_SHA1_KD,
|
||||||
|
RC4_HMAC,
|
||||||
|
}
|
||||||
|
id := ETypesByName[etype]
|
||||||
|
if id == 0 {
|
||||||
|
return id
|
||||||
|
}
|
||||||
|
for _, sid := range s {
|
||||||
|
if id == sid {
|
||||||
|
return id
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0
|
||||||
|
}
|
36
vendor/github.com/jcmturner/gokrb5/v8/iana/flags/constants.go
generated
vendored
Normal file
36
vendor/github.com/jcmturner/gokrb5/v8/iana/flags/constants.go
generated
vendored
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
// Package flags provides Kerberos 5 flag assigned numbers.
|
||||||
|
package flags
|
||||||
|
|
||||||
|
// Flag values for KRB5 messages and tickets.
|
||||||
|
const (
|
||||||
|
Reserved = 0
|
||||||
|
Forwardable = 1
|
||||||
|
Forwarded = 2
|
||||||
|
Proxiable = 3
|
||||||
|
Proxy = 4
|
||||||
|
AllowPostDate = 5
|
||||||
|
MayPostDate = 5
|
||||||
|
PostDated = 6
|
||||||
|
Invalid = 7
|
||||||
|
Renewable = 8
|
||||||
|
Initial = 9
|
||||||
|
PreAuthent = 10
|
||||||
|
HWAuthent = 11
|
||||||
|
OptHardwareAuth = 11
|
||||||
|
RequestAnonymous = 12
|
||||||
|
TransitedPolicyChecked = 12
|
||||||
|
OKAsDelegate = 13
|
||||||
|
EncPARep = 15
|
||||||
|
Canonicalize = 15
|
||||||
|
DisableTransitedCheck = 26
|
||||||
|
RenewableOK = 27
|
||||||
|
EncTktInSkey = 28
|
||||||
|
Renew = 30
|
||||||
|
Validate = 31
|
||||||
|
|
||||||
|
// AP Option Flags
|
||||||
|
// 0 Reserved for future use.
|
||||||
|
APOptionUseSessionKey = 1
|
||||||
|
APOptionMutualRequired = 2
|
||||||
|
// 3-31 Reserved for future use.
|
||||||
|
)
|
42
vendor/github.com/jcmturner/gokrb5/v8/iana/keyusage/constants.go
generated
vendored
Normal file
42
vendor/github.com/jcmturner/gokrb5/v8/iana/keyusage/constants.go
generated
vendored
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
// Package keyusage provides Kerberos 5 key usage assigned numbers.
|
||||||
|
package keyusage
|
||||||
|
|
||||||
|
// Key usage numbers.
|
||||||
|
const (
|
||||||
|
AS_REQ_PA_ENC_TIMESTAMP = 1
|
||||||
|
KDC_REP_TICKET = 2
|
||||||
|
AS_REP_ENCPART = 3
|
||||||
|
TGS_REQ_KDC_REQ_BODY_AUTHDATA_SESSION_KEY = 4
|
||||||
|
TGS_REQ_KDC_REQ_BODY_AUTHDATA_SUB_KEY = 5
|
||||||
|
TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR_CHKSUM = 6
|
||||||
|
TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR = 7
|
||||||
|
TGS_REP_ENCPART_SESSION_KEY = 8
|
||||||
|
TGS_REP_ENCPART_AUTHENTICATOR_SUB_KEY = 9
|
||||||
|
AP_REQ_AUTHENTICATOR_CHKSUM = 10
|
||||||
|
AP_REQ_AUTHENTICATOR = 11
|
||||||
|
AP_REP_ENCPART = 12
|
||||||
|
KRB_PRIV_ENCPART = 13
|
||||||
|
KRB_CRED_ENCPART = 14
|
||||||
|
KRB_SAFE_CHKSUM = 15
|
||||||
|
KERB_NON_KERB_SALT = 16
|
||||||
|
KERB_NON_KERB_CKSUM_SALT = 17
|
||||||
|
//18. Reserved for future use in Kerberos and related protocols.
|
||||||
|
AD_KDC_ISSUED_CHKSUM = 19
|
||||||
|
//20-21. Reserved for future use in Kerberos and related protocols.
|
||||||
|
GSSAPI_ACCEPTOR_SEAL = 22
|
||||||
|
GSSAPI_ACCEPTOR_SIGN = 23
|
||||||
|
GSSAPI_INITIATOR_SEAL = 24
|
||||||
|
GSSAPI_INITIATOR_SIGN = 25
|
||||||
|
KEY_USAGE_FAST_REQ_CHKSUM = 50
|
||||||
|
KEY_USAGE_FAST_ENC = 51
|
||||||
|
KEY_USAGE_FAST_REP = 52
|
||||||
|
KEY_USAGE_FAST_FINISHED = 53
|
||||||
|
KEY_USAGE_ENC_CHALLENGE_CLIENT = 54
|
||||||
|
KEY_USAGE_ENC_CHALLENGE_KDC = 55
|
||||||
|
KEY_USAGE_AS_REQ = 56
|
||||||
|
//26-511. Reserved for future use in Kerberos and related protocols.
|
||||||
|
//512-1023. Reserved for uses internal to a Kerberos implementation.
|
||||||
|
//1024. Encryption for application use in protocols that do not specify key usage values
|
||||||
|
//1025. Checksums for application use in protocols that do not specify key usage values
|
||||||
|
//1026-2047. Reserved for application use.
|
||||||
|
)
|
18
vendor/github.com/jcmturner/gokrb5/v8/iana/msgtype/constants.go
generated
vendored
Normal file
18
vendor/github.com/jcmturner/gokrb5/v8/iana/msgtype/constants.go
generated
vendored
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
// Package msgtype provides Kerberos 5 message type assigned numbers.
|
||||||
|
package msgtype
|
||||||
|
|
||||||
|
// KRB message type IDs.
|
||||||
|
const (
|
||||||
|
KRB_AS_REQ = 10 //Request for initial authentication
|
||||||
|
KRB_AS_REP = 11 //Response to KRB_AS_REQ request
|
||||||
|
KRB_TGS_REQ = 12 //Request for authentication based on TGT
|
||||||
|
KRB_TGS_REP = 13 //Response to KRB_TGS_REQ request
|
||||||
|
KRB_AP_REQ = 14 //Application request to server
|
||||||
|
KRB_AP_REP = 15 //Response to KRB_AP_REQ_MUTUAL
|
||||||
|
KRB_RESERVED16 = 16 //Reserved for user-to-user krb_tgt_request
|
||||||
|
KRB_RESERVED17 = 17 //Reserved for user-to-user krb_tgt_reply
|
||||||
|
KRB_SAFE = 20 // Safe (checksummed) application message
|
||||||
|
KRB_PRIV = 21 // Private (encrypted) application message
|
||||||
|
KRB_CRED = 22 //Private (encrypted) message to forward credentials
|
||||||
|
KRB_ERROR = 30 //Error response
|
||||||
|
)
|
15
vendor/github.com/jcmturner/gokrb5/v8/iana/nametype/constants.go
generated
vendored
Normal file
15
vendor/github.com/jcmturner/gokrb5/v8/iana/nametype/constants.go
generated
vendored
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
// Package nametype provides Kerberos 5 principal name type numbers.
|
||||||
|
package nametype
|
||||||
|
|
||||||
|
// Kerberos name type IDs.
|
||||||
|
const (
|
||||||
|
KRB_NT_UNKNOWN int32 = 0 //Name type not known
|
||||||
|
KRB_NT_PRINCIPAL int32 = 1 //Just the name of the principal as in DCE, or for users
|
||||||
|
KRB_NT_SRV_INST int32 = 2 //Service and other unique instance (krbtgt)
|
||||||
|
KRB_NT_SRV_HST int32 = 3 //Service with host name as instance (telnet, rcommands)
|
||||||
|
KRB_NT_SRV_XHST int32 = 4 //Service with host as remaining components
|
||||||
|
KRB_NT_UID int32 = 5 //Unique ID
|
||||||
|
KRB_NT_X500_PRINCIPAL int32 = 6 //Encoded X.509 Distinguished name [RFC2253]
|
||||||
|
KRB_NT_SMTP_NAME int32 = 7 //Name in form of SMTP email name (e.g., user@example.com)
|
||||||
|
KRB_NT_ENTERPRISE int32 = 10 //Enterprise name; may be mapped to principal name
|
||||||
|
)
|
77
vendor/github.com/jcmturner/gokrb5/v8/iana/patype/constants.go
generated
vendored
Normal file
77
vendor/github.com/jcmturner/gokrb5/v8/iana/patype/constants.go
generated
vendored
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
// Package patype provides Kerberos 5 pre-authentication type assigned numbers.
|
||||||
|
package patype
|
||||||
|
|
||||||
|
// Kerberos pre-authentication type assigned numbers.
|
||||||
|
const (
|
||||||
|
PA_TGS_REQ int32 = 1
|
||||||
|
PA_ENC_TIMESTAMP int32 = 2
|
||||||
|
PA_PW_SALT int32 = 3
|
||||||
|
//RESERVED : 4
|
||||||
|
PA_ENC_UNIX_TIME int32 = 5
|
||||||
|
PA_SANDIA_SECUREID int32 = 6
|
||||||
|
PA_SESAME int32 = 7
|
||||||
|
PA_OSF_DCE int32 = 8
|
||||||
|
PA_CYBERSAFE_SECUREID int32 = 9
|
||||||
|
PA_AFS3_SALT int32 = 10
|
||||||
|
PA_ETYPE_INFO int32 = 11
|
||||||
|
PA_SAM_CHALLENGE int32 = 12
|
||||||
|
PA_SAM_RESPONSE int32 = 13
|
||||||
|
PA_PK_AS_REQ_OLD int32 = 14
|
||||||
|
PA_PK_AS_REP_OLD int32 = 15
|
||||||
|
PA_PK_AS_REQ int32 = 16
|
||||||
|
PA_PK_AS_REP int32 = 17
|
||||||
|
PA_PK_OCSP_RESPONSE int32 = 18
|
||||||
|
PA_ETYPE_INFO2 int32 = 19
|
||||||
|
PA_USE_SPECIFIED_KVNO int32 = 20
|
||||||
|
PA_SVR_REFERRAL_INFO int32 = 20
|
||||||
|
PA_SAM_REDIRECT int32 = 21
|
||||||
|
PA_GET_FROM_TYPED_DATA int32 = 22
|
||||||
|
TD_PADATA int32 = 22
|
||||||
|
PA_SAM_ETYPE_INFO int32 = 23
|
||||||
|
PA_ALT_PRINC int32 = 24
|
||||||
|
PA_SERVER_REFERRAL int32 = 25
|
||||||
|
//UNASSIGNED : 26-29
|
||||||
|
PA_SAM_CHALLENGE2 int32 = 30
|
||||||
|
PA_SAM_RESPONSE2 int32 = 31
|
||||||
|
//UNASSIGNED : 32-40
|
||||||
|
PA_EXTRA_TGT int32 = 41
|
||||||
|
//UNASSIGNED : 42-100
|
||||||
|
TD_PKINIT_CMS_CERTIFICATES int32 = 101
|
||||||
|
TD_KRB_PRINCIPAL int32 = 102
|
||||||
|
TD_KRB_REALM int32 = 103
|
||||||
|
TD_TRUSTED_CERTIFIERS int32 = 104
|
||||||
|
TD_CERTIFICATE_INDEX int32 = 105
|
||||||
|
TD_APP_DEFINED_ERROR int32 = 106
|
||||||
|
TD_REQ_NONCE int32 = 107
|
||||||
|
TD_REQ_SEQ int32 = 108
|
||||||
|
TD_DH_PARAMETERS int32 = 109
|
||||||
|
//UNASSIGNED : 110
|
||||||
|
TD_CMS_DIGEST_ALGORITHMS int32 = 111
|
||||||
|
TD_CERT_DIGEST_ALGORITHMS int32 = 112
|
||||||
|
//UNASSIGNED : 113-127
|
||||||
|
PA_PAC_REQUEST int32 = 128
|
||||||
|
PA_FOR_USER int32 = 129
|
||||||
|
PA_FOR_X509_USER int32 = 130
|
||||||
|
PA_FOR_CHECK_DUPS int32 = 131
|
||||||
|
PA_AS_CHECKSUM int32 = 132
|
||||||
|
PA_FX_COOKIE int32 = 133
|
||||||
|
PA_AUTHENTICATION_SET int32 = 134
|
||||||
|
PA_AUTH_SET_SELECTED int32 = 135
|
||||||
|
PA_FX_FAST int32 = 136
|
||||||
|
PA_FX_ERROR int32 = 137
|
||||||
|
PA_ENCRYPTED_CHALLENGE int32 = 138
|
||||||
|
//UNASSIGNED : 139-140
|
||||||
|
PA_OTP_CHALLENGE int32 = 141
|
||||||
|
PA_OTP_REQUEST int32 = 142
|
||||||
|
PA_OTP_CONFIRM int32 = 143
|
||||||
|
PA_OTP_PIN_CHANGE int32 = 144
|
||||||
|
PA_EPAK_AS_REQ int32 = 145
|
||||||
|
PA_EPAK_AS_REP int32 = 146
|
||||||
|
PA_PKINIT_KX int32 = 147
|
||||||
|
PA_PKU2U_NAME int32 = 148
|
||||||
|
PA_REQ_ENC_PA_REP int32 = 149
|
||||||
|
PA_AS_FRESHNESS int32 = 150
|
||||||
|
//UNASSIGNED : 151-164
|
||||||
|
PA_SUPPORTED_ETYPES int32 = 165
|
||||||
|
PA_EXTENDED_ERROR int32 = 166
|
||||||
|
)
|
23
vendor/github.com/jcmturner/gokrb5/v8/kadmin/changepasswddata.go
generated
vendored
Normal file
23
vendor/github.com/jcmturner/gokrb5/v8/kadmin/changepasswddata.go
generated
vendored
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
package kadmin
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/jcmturner/gofork/encoding/asn1"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ChangePasswdData is the payload to a password change message.
|
||||||
|
type ChangePasswdData struct {
|
||||||
|
NewPasswd []byte `asn1:"explicit,tag:0"`
|
||||||
|
TargName types.PrincipalName `asn1:"explicit,optional,tag:1"`
|
||||||
|
TargRealm string `asn1:"generalstring,optional,explicit,tag:2"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal ChangePasswdData into a byte slice.
|
||||||
|
func (c *ChangePasswdData) Marshal() ([]byte, error) {
|
||||||
|
b, err := asn1.Marshal(*c)
|
||||||
|
if err != nil {
|
||||||
|
return []byte{}, err
|
||||||
|
}
|
||||||
|
//b = asn1tools.AddASNAppTag(b, asnAppTag.)
|
||||||
|
return b, nil
|
||||||
|
}
|
114
vendor/github.com/jcmturner/gokrb5/v8/kadmin/message.go
generated
vendored
Normal file
114
vendor/github.com/jcmturner/gokrb5/v8/kadmin/message.go
generated
vendored
Normal file
@ -0,0 +1,114 @@
|
|||||||
|
package kadmin
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/binary"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"math"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
verisonHex = "ff80"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Request message for changing password.
|
||||||
|
type Request struct {
|
||||||
|
APREQ messages.APReq
|
||||||
|
KRBPriv messages.KRBPriv
|
||||||
|
}
|
||||||
|
|
||||||
|
// Reply message for a password change.
|
||||||
|
type Reply struct {
|
||||||
|
MessageLength int
|
||||||
|
Version int
|
||||||
|
APREPLength int
|
||||||
|
APREP messages.APRep
|
||||||
|
KRBPriv messages.KRBPriv
|
||||||
|
KRBError messages.KRBError
|
||||||
|
IsKRBError bool
|
||||||
|
ResultCode uint16
|
||||||
|
Result string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal a Request into a byte slice.
|
||||||
|
func (m *Request) Marshal() (b []byte, err error) {
|
||||||
|
b = []byte{255, 128} // protocol version number: contains the hex constant 0xff80 (big-endian integer).
|
||||||
|
ab, e := m.APREQ.Marshal()
|
||||||
|
if e != nil {
|
||||||
|
err = fmt.Errorf("error marshaling AP_REQ: %v", e)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(ab) > math.MaxUint16 {
|
||||||
|
err = errors.New("length of AP_REQ greater then max Uint16 size")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
al := make([]byte, 2)
|
||||||
|
binary.BigEndian.PutUint16(al, uint16(len(ab)))
|
||||||
|
b = append(b, al...)
|
||||||
|
b = append(b, ab...)
|
||||||
|
pb, e := m.KRBPriv.Marshal()
|
||||||
|
if e != nil {
|
||||||
|
err = fmt.Errorf("error marshaling KRB_Priv: %v", e)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
b = append(b, pb...)
|
||||||
|
if len(b)+2 > math.MaxUint16 {
|
||||||
|
err = errors.New("length of message greater then max Uint16 size")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ml := make([]byte, 2)
|
||||||
|
binary.BigEndian.PutUint16(ml, uint16(len(b)+2))
|
||||||
|
b = append(ml, b...)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unmarshal a byte slice into a Reply.
|
||||||
|
func (m *Reply) Unmarshal(b []byte) error {
|
||||||
|
m.MessageLength = int(binary.BigEndian.Uint16(b[0:2]))
|
||||||
|
m.Version = int(binary.BigEndian.Uint16(b[2:4]))
|
||||||
|
if m.Version != 1 {
|
||||||
|
return fmt.Errorf("kadmin reply has incorrect protocol version number: %d", m.Version)
|
||||||
|
}
|
||||||
|
m.APREPLength = int(binary.BigEndian.Uint16(b[4:6]))
|
||||||
|
if m.APREPLength != 0 {
|
||||||
|
err := m.APREP.Unmarshal(b[6 : 6+m.APREPLength])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
err = m.KRBPriv.Unmarshal(b[6+m.APREPLength : m.MessageLength])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
m.IsKRBError = true
|
||||||
|
m.KRBError.Unmarshal(b[6:m.MessageLength])
|
||||||
|
m.ResultCode, m.Result = parseResponse(m.KRBError.EData)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseResponse(b []byte) (c uint16, s string) {
|
||||||
|
c = binary.BigEndian.Uint16(b[0:2])
|
||||||
|
buf := bytes.NewBuffer(b[2:])
|
||||||
|
m := make([]byte, len(b)-2)
|
||||||
|
binary.Read(buf, binary.BigEndian, &m)
|
||||||
|
s = string(m)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt the encrypted part of the KRBError within the change password Reply.
|
||||||
|
func (m *Reply) Decrypt(key types.EncryptionKey) error {
|
||||||
|
if m.IsKRBError {
|
||||||
|
return m.KRBError
|
||||||
|
}
|
||||||
|
err := m.KRBPriv.DecryptEncPart(key)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
m.ResultCode, m.Result = parseResponse(m.KRBPriv.DecryptedEncPart.UserData)
|
||||||
|
return nil
|
||||||
|
}
|
68
vendor/github.com/jcmturner/gokrb5/v8/kadmin/passwd.go
generated
vendored
Normal file
68
vendor/github.com/jcmturner/gokrb5/v8/kadmin/passwd.go
generated
vendored
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
// Package kadmin provides Kerberos administration capabilities.
|
||||||
|
package kadmin
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/jcmturner/gokrb5/v8/crypto"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/krberror"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/messages"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ChangePasswdMsg generate a change password request and also return the key needed to decrypt the reply.
|
||||||
|
func ChangePasswdMsg(cname types.PrincipalName, realm, password string, tkt messages.Ticket, sessionKey types.EncryptionKey) (r Request, k types.EncryptionKey, err error) {
|
||||||
|
// Create change password data struct and marshal to bytes
|
||||||
|
chgpasswd := ChangePasswdData{
|
||||||
|
NewPasswd: []byte(password),
|
||||||
|
TargName: cname,
|
||||||
|
TargRealm: realm,
|
||||||
|
}
|
||||||
|
chpwdb, err := chgpasswd.Marshal()
|
||||||
|
if err != nil {
|
||||||
|
err = krberror.Errorf(err, krberror.KRBMsgError, "error marshaling change passwd data")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate authenticator
|
||||||
|
auth, err := types.NewAuthenticator(realm, cname)
|
||||||
|
if err != nil {
|
||||||
|
err = krberror.Errorf(err, krberror.KRBMsgError, "error generating new authenticator")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
etype, err := crypto.GetEtype(sessionKey.KeyType)
|
||||||
|
if err != nil {
|
||||||
|
err = krberror.Errorf(err, krberror.KRBMsgError, "error generating subkey etype")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
err = auth.GenerateSeqNumberAndSubKey(etype.GetETypeID(), etype.GetKeyByteSize())
|
||||||
|
if err != nil {
|
||||||
|
err = krberror.Errorf(err, krberror.KRBMsgError, "error generating subkey")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
k = auth.SubKey
|
||||||
|
|
||||||
|
// Generate AP_REQ
|
||||||
|
APreq, err := messages.NewAPReq(tkt, sessionKey, auth)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Form the KRBPriv encpart data
|
||||||
|
kp := messages.EncKrbPrivPart{
|
||||||
|
UserData: chpwdb,
|
||||||
|
Timestamp: auth.CTime,
|
||||||
|
Usec: auth.Cusec,
|
||||||
|
SequenceNumber: auth.SeqNumber,
|
||||||
|
}
|
||||||
|
kpriv := messages.NewKRBPriv(kp)
|
||||||
|
err = kpriv.EncryptEncPart(k)
|
||||||
|
if err != nil {
|
||||||
|
err = krberror.Errorf(err, krberror.EncryptingError, "error encrypting change passwd data")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
r = Request{
|
||||||
|
APREQ: APreq,
|
||||||
|
KRBPriv: kpriv,
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
470
vendor/github.com/jcmturner/gokrb5/v8/keytab/keytab.go
generated
vendored
Normal file
470
vendor/github.com/jcmturner/gokrb5/v8/keytab/keytab.go
generated
vendored
Normal file
@ -0,0 +1,470 @@
|
|||||||
|
// Package keytab implements Kerberos keytabs: https://web.mit.edu/kerberos/krb5-devel/doc/formats/keytab_file_format.html.
|
||||||
|
package keytab
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/binary"
|
||||||
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"time"
|
||||||
|
"unsafe"
|
||||||
|
|
||||||
|
"github.com/jcmturner/gokrb5/v8/types"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
keytabFirstByte byte = 05
|
||||||
|
)
|
||||||
|
|
||||||
|
// Keytab struct.
|
||||||
|
type Keytab struct {
|
||||||
|
version uint8
|
||||||
|
Entries []entry
|
||||||
|
}
|
||||||
|
|
||||||
|
// Keytab entry struct.
|
||||||
|
type entry struct {
|
||||||
|
Principal principal
|
||||||
|
Timestamp time.Time
|
||||||
|
KVNO8 uint8
|
||||||
|
Key types.EncryptionKey
|
||||||
|
KVNO uint32
|
||||||
|
}
|
||||||
|
|
||||||
|
// Keytab entry principal struct.
|
||||||
|
type principal struct {
|
||||||
|
NumComponents int16 `json:"-"`
|
||||||
|
Realm string
|
||||||
|
Components []string
|
||||||
|
NameType int32
|
||||||
|
}
|
||||||
|
|
||||||
|
// New creates new, empty Keytab type.
|
||||||
|
func New() *Keytab {
|
||||||
|
var e []entry
|
||||||
|
return &Keytab{
|
||||||
|
version: 0,
|
||||||
|
Entries: e,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEncryptionKey returns the EncryptionKey from the Keytab for the newest entry with the required kvno, etype and matching principal.
|
||||||
|
// If the kvno is zero then the latest kvno will be returned. The kvno is also returned for
|
||||||
|
func (kt *Keytab) GetEncryptionKey(princName types.PrincipalName, realm string, kvno int, etype int32) (types.EncryptionKey, int, error) {
|
||||||
|
var key types.EncryptionKey
|
||||||
|
var t time.Time
|
||||||
|
for _, k := range kt.Entries {
|
||||||
|
if k.Principal.Realm == realm && len(k.Principal.Components) == len(princName.NameString) &&
|
||||||
|
k.Key.KeyType == etype &&
|
||||||
|
(k.KVNO == uint32(kvno) || kvno == 0) &&
|
||||||
|
k.Timestamp.After(t) {
|
||||||
|
p := true
|
||||||
|
for i, n := range k.Principal.Components {
|
||||||
|
if princName.NameString[i] != n {
|
||||||
|
p = false
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if p {
|
||||||
|
key = k.Key
|
||||||
|
kvno = int(k.KVNO)
|
||||||
|
t = k.Timestamp
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(key.KeyValue) < 1 {
|
||||||
|
return key, 0, fmt.Errorf("matching key not found in keytab. Looking for %v realm: %v kvno: %v etype: %v", princName.NameString, realm, kvno, etype)
|
||||||
|
}
|
||||||
|
return key, kvno, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create a new Keytab entry.
|
||||||
|
func newEntry() entry {
|
||||||
|
var b []byte
|
||||||
|
return entry{
|
||||||
|
Principal: newPrincipal(),
|
||||||
|
Timestamp: time.Time{},
|
||||||
|
KVNO8: 0,
|
||||||
|
Key: types.EncryptionKey{
|
||||||
|
KeyType: 0,
|
||||||
|
KeyValue: b,
|
||||||
|
},
|
||||||
|
KVNO: 0,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Create a new principal.
|
||||||
|
func newPrincipal() principal {
|
||||||
|
var c []string
|
||||||
|
return principal{
|
||||||
|
NumComponents: 0,
|
||||||
|
Realm: "",
|
||||||
|
Components: c,
|
||||||
|
NameType: 0,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Load a Keytab file into a Keytab type.
|
||||||
|
func Load(ktPath string) (*Keytab, error) {
|
||||||
|
kt := new(Keytab)
|
||||||
|
b, err := ioutil.ReadFile(ktPath)
|
||||||
|
if err != nil {
|
||||||
|
return kt, err
|
||||||
|
}
|
||||||
|
err = kt.Unmarshal(b)
|
||||||
|
return kt, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Marshal keytab into byte slice
|
||||||
|
func (kt *Keytab) Marshal() ([]byte, error) {
|
||||||
|
b := []byte{keytabFirstByte, kt.version}
|
||||||
|
for _, e := range kt.Entries {
|
||||||
|
eb, err := e.marshal(int(kt.version))
|
||||||
|
if err != nil {
|
||||||
|
return b, err
|
||||||
|
}
|
||||||
|
b = append(b, eb...)
|
||||||
|
}
|
||||||
|
return b, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write the keytab bytes to io.Writer.
|
||||||
|
// Returns the number of bytes written
|
||||||
|
func (kt *Keytab) Write(w io.Writer) (int, error) {
|
||||||
|
b, err := kt.Marshal()
|
||||||
|
if err != nil {
|
||||||
|
return 0, fmt.Errorf("error marshaling keytab: %v", err)
|
||||||
|
}
|
||||||
|
return w.Write(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Unmarshal byte slice of Keytab data into Keytab type.
|
||||||
|
func (kt *Keytab) Unmarshal(b []byte) error {
|
||||||
|
if len(b) < 2 {
|
||||||
|
return fmt.Errorf("byte array is less than 2 bytes: %d", len(b))
|
||||||
|
}
|
||||||
|
|
||||||
|
//The first byte of the file always has the value 5
|
||||||
|
if b[0] != keytabFirstByte {
|
||||||
|
return errors.New("invalid keytab data. First byte does not equal 5")
|
||||||
|
}
|
||||||
|
//Get keytab version
|
||||||
|
//The 2nd byte contains the version number (1 or 2)
|
||||||
|
kt.version = b[1]
|
||||||
|
if kt.version != 1 && kt.version != 2 {
|
||||||
|
return errors.New("invalid keytab data. Keytab version is neither 1 nor 2")
|
||||||
|
}
|
||||||
|
//Version 1 of the file format uses native byte order for integer representations. Version 2 always uses big-endian byte order
|
||||||
|
var endian binary.ByteOrder
|
||||||
|
endian = binary.BigEndian
|
||||||
|
if kt.version == 1 && isNativeEndianLittle() {
|
||||||
|
endian = binary.LittleEndian
|
||||||
|
}
|
||||||
|
// n tracks position in the byte array
|
||||||
|
n := 2
|
||||||
|
l, err := readInt32(b, &n, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for l != 0 {
|
||||||
|
if l < 0 {
|
||||||
|
//Zero padded so skip over
|
||||||
|
l = l * -1
|
||||||
|
n = n + int(l)
|
||||||
|
} else {
|
||||||
|
if n < 0 {
|
||||||
|
return fmt.Errorf("%d can't be less than zero", n)
|
||||||
|
}
|
||||||
|
if n+int(l) > len(b) {
|
||||||
|
return fmt.Errorf("%s's length is less than %d", b, n+int(l))
|
||||||
|
}
|
||||||
|
eb := b[n : n+int(l)]
|
||||||
|
n = n + int(l)
|
||||||
|
ke := newEntry()
|
||||||
|
// p keeps track as to where we are in the byte stream
|
||||||
|
var p int
|
||||||
|
var err error
|
||||||
|
parsePrincipal(eb, &p, kt, &ke, &endian)
|
||||||
|
ke.Timestamp, err = readTimestamp(eb, &p, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
rei8, err := readInt8(eb, &p, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
ke.KVNO8 = uint8(rei8)
|
||||||
|
rei16, err := readInt16(eb, &p, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
ke.Key.KeyType = int32(rei16)
|
||||||
|
rei16, err = readInt16(eb, &p, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
kl := int(rei16)
|
||||||
|
ke.Key.KeyValue, err = readBytes(eb, &p, kl, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
// The 32-bit key version overrides the 8-bit key version.
|
||||||
|
// If at least 4 bytes are left after the other fields are read and they are non-zero
|
||||||
|
// this indicates the 32-bit version is present.
|
||||||
|
if len(eb)-p >= 4 {
|
||||||
|
// The 32-bit key may be present
|
||||||
|
ri32, err := readInt32(eb, &p, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
ke.KVNO = uint32(ri32)
|
||||||
|
}
|
||||||
|
if ke.KVNO == 0 {
|
||||||
|
// Handles if the value from the last 4 bytes was zero and also if there are not the 4 bytes present. Makes sense to put the same value here as KVNO8
|
||||||
|
ke.KVNO = uint32(ke.KVNO8)
|
||||||
|
}
|
||||||
|
// Add the entry to the keytab
|
||||||
|
kt.Entries = append(kt.Entries, ke)
|
||||||
|
}
|
||||||
|
// Check if there are still 4 bytes left to read
|
||||||
|
// Also check that n is greater than zero
|
||||||
|
if n < 0 || n > len(b) || len(b[n:]) < 4 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
// Read the size of the next entry
|
||||||
|
l, err = readInt32(b, &n, &endian)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e entry) marshal(v int) ([]byte, error) {
|
||||||
|
var b []byte
|
||||||
|
pb, err := e.Principal.marshal(v)
|
||||||
|
if err != nil {
|
||||||
|
return b, err
|
||||||
|
}
|
||||||
|
b = append(b, pb...)
|
||||||
|
|
||||||
|
var endian binary.ByteOrder
|
||||||
|
endian = binary.BigEndian
|
||||||
|
if v == 1 && isNativeEndianLittle() {
|
||||||
|
endian = binary.LittleEndian
|
||||||
|
}
|
||||||
|
|
||||||
|
t := make([]byte, 9)
|
||||||
|
endian.PutUint32(t[0:4], uint32(e.Timestamp.Unix()))
|
||||||
|
t[4] = e.KVNO8
|
||||||
|
endian.PutUint16(t[5:7], uint16(e.Key.KeyType))
|
||||||
|
endian.PutUint16(t[7:9], uint16(len(e.Key.KeyValue)))
|
||||||
|
b = append(b, t...)
|
||||||
|
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
err = binary.Write(buf, endian, e.Key.KeyValue)
|
||||||
|
if err != nil {
|
||||||
|
return b, err
|
||||||
|
}
|
||||||
|
b = append(b, buf.Bytes()...)
|
||||||
|
|
||||||
|
t = make([]byte, 4)
|
||||||
|
endian.PutUint32(t, e.KVNO)
|
||||||
|
b = append(b, t...)
|
||||||
|
|
||||||
|
// Add the length header
|
||||||
|
t = make([]byte, 4)
|
||||||
|
endian.PutUint32(t, uint32(len(b)))
|
||||||
|
b = append(t, b...)
|
||||||
|
return b, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Parse the Keytab bytes of a principal into a Keytab entry's principal.
|
||||||
|
func parsePrincipal(b []byte, p *int, kt *Keytab, ke *entry, e *binary.ByteOrder) error {
|
||||||
|
var err error
|
||||||
|
ke.Principal.NumComponents, err = readInt16(b, p, e)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if kt.version == 1 {
|
||||||
|
//In version 1 the number of components includes the realm. Minus 1 to make consistent with version 2
|
||||||
|
ke.Principal.NumComponents--
|
||||||
|
}
|
||||||
|
lenRealm, err := readInt16(b, p, e)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
realmB, err := readBytes(b, p, int(lenRealm), e)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
ke.Principal.Realm = string(realmB)
|
||||||
|
for i := 0; i < int(ke.Principal.NumComponents); i++ {
|
||||||
|
l, err := readInt16(b, p, e)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
compB, err := readBytes(b, p, int(l), e)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
ke.Principal.Components = append(ke.Principal.Components, string(compB))
|
||||||
|
}
|
||||||
|
if kt.version != 1 {
|
||||||
|
//Name Type is omitted in version 1
|
||||||
|
ke.Principal.NameType, err = readInt32(b, p, e)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (p principal) marshal(v int) ([]byte, error) {
|
||||||
|
//var b []byte
|
||||||
|
b := make([]byte, 2)
|
||||||
|
var endian binary.ByteOrder
|
||||||
|
endian = binary.BigEndian
|
||||||
|
if v == 1 && isNativeEndianLittle() {
|
||||||
|
endian = binary.LittleEndian
|
||||||
|
}
|
||||||
|
endian.PutUint16(b[0:], uint16(p.NumComponents))
|
||||||
|
realm, err := marshalString(p.Realm, v)
|
||||||
|
if err != nil {
|
||||||
|
return b, err
|
||||||
|
}
|
||||||
|
b = append(b, realm...)
|
||||||
|
for _, c := range p.Components {
|
||||||
|
cb, err := marshalString(c, v)
|
||||||
|
if err != nil {
|
||||||
|
return b, err
|
||||||
|
}
|
||||||
|
b = append(b, cb...)
|
||||||
|
}
|
||||||
|
if v != 1 {
|
||||||
|
t := make([]byte, 4)
|
||||||
|
endian.PutUint32(t, uint32(p.NameType))
|
||||||
|
b = append(b, t...)
|
||||||
|
}
|
||||||
|
return b, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func marshalString(s string, v int) ([]byte, error) {
|
||||||
|
sb := []byte(s)
|
||||||
|
b := make([]byte, 2)
|
||||||
|
var endian binary.ByteOrder
|
||||||
|
endian = binary.BigEndian
|
||||||
|
if v == 1 && isNativeEndianLittle() {
|
||||||
|
endian = binary.LittleEndian
|
||||||
|
}
|
||||||
|
endian.PutUint16(b[0:], uint16(len(sb)))
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
err := binary.Write(buf, endian, sb)
|
||||||
|
if err != nil {
|
||||||
|
return b, err
|
||||||
|
}
|
||||||
|
b = append(b, buf.Bytes()...)
|
||||||
|
return b, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read bytes representing a timestamp.
|
||||||
|
func readTimestamp(b []byte, p *int, e *binary.ByteOrder) (time.Time, error) {
|
||||||
|
i32, err := readInt32(b, p, e)
|
||||||
|
if err != nil {
|
||||||
|
return time.Time{}, err
|
||||||
|
}
|
||||||
|
return time.Unix(int64(i32), 0), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read bytes representing an eight bit integer.
|
||||||
|
func readInt8(b []byte, p *int, e *binary.ByteOrder) (i int8, err error) {
|
||||||
|
if *p < 0 {
|
||||||
|
return 0, fmt.Errorf("%d cannot be less than zero", *p)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (*p + 1) > len(b) {
|
||||||
|
return 0, fmt.Errorf("%s's length is less than %d", b, *p+1)
|
||||||
|
}
|
||||||
|
buf := bytes.NewBuffer(b[*p : *p+1])
|
||||||
|
binary.Read(buf, *e, &i)
|
||||||
|
*p++
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read bytes representing a sixteen bit integer.
|
||||||
|
func readInt16(b []byte, p *int, e *binary.ByteOrder) (i int16, err error) {
|
||||||
|
if *p < 0 {
|
||||||
|
return 0, fmt.Errorf("%d cannot be less than zero", *p)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (*p + 2) > len(b) {
|
||||||
|
return 0, fmt.Errorf("%s's length is less than %d", b, *p+2)
|
||||||
|
}
|
||||||
|
|
||||||
|
buf := bytes.NewBuffer(b[*p : *p+2])
|
||||||
|
binary.Read(buf, *e, &i)
|
||||||
|
*p += 2
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read bytes representing a thirty two bit integer.
|
||||||
|
func readInt32(b []byte, p *int, e *binary.ByteOrder) (i int32, err error) {
|
||||||
|
if *p < 0 {
|
||||||
|
return 0, fmt.Errorf("%d cannot be less than zero", *p)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (*p + 4) > len(b) {
|
||||||
|
return 0, fmt.Errorf("%s's length is less than %d", b, *p+4)
|
||||||
|
}
|
||||||
|
|
||||||
|
buf := bytes.NewBuffer(b[*p : *p+4])
|
||||||
|
binary.Read(buf, *e, &i)
|
||||||
|
*p += 4
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func readBytes(b []byte, p *int, s int, e *binary.ByteOrder) ([]byte, error) {
|
||||||
|
if s < 0 {
|
||||||
|
return nil, fmt.Errorf("%d cannot be less than zero", s)
|
||||||
|
}
|
||||||
|
i := *p + s
|
||||||
|
if i > len(b) {
|
||||||
|
return nil, fmt.Errorf("%s's length is greater than %d", b, i)
|
||||||
|
}
|
||||||
|
buf := bytes.NewBuffer(b[*p:i])
|
||||||
|
r := make([]byte, s)
|
||||||
|
if err := binary.Read(buf, *e, &r); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
*p += s
|
||||||
|
return r, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func isNativeEndianLittle() bool {
|
||||||
|
var x = 0x012345678
|
||||||
|
var p = unsafe.Pointer(&x)
|
||||||
|
var bp = (*[4]byte)(p)
|
||||||
|
|
||||||
|
var endian bool
|
||||||
|
if 0x01 == bp[0] {
|
||||||
|
endian = false
|
||||||
|
} else if (0x78 & 0xff) == (bp[0] & 0xff) {
|
||||||
|
endian = true
|
||||||
|
} else {
|
||||||
|
// Default to big endian
|
||||||
|
endian = false
|
||||||
|
}
|
||||||
|
return endian
|
||||||
|
}
|
||||||
|
|
||||||
|
// JSON return information about the keys held in the keytab in a JSON format.
|
||||||
|
func (k *Keytab) JSON() (string, error) {
|
||||||
|
b, err := json.MarshalIndent(k, "", " ")
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return string(b), nil
|
||||||
|
}
|
67
vendor/github.com/jcmturner/gokrb5/v8/krberror/error.go
generated
vendored
Normal file
67
vendor/github.com/jcmturner/gokrb5/v8/krberror/error.go
generated
vendored
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
// Package krberror provides error type and functions for gokrb5.
|
||||||
|
package krberror
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Error type descriptions.
|
||||||
|
const (
|
||||||
|
separator = " < "
|
||||||
|
EncodingError = "Encoding_Error"
|
||||||
|
NetworkingError = "Networking_Error"
|
||||||
|
DecryptingError = "Decrypting_Error"
|
||||||
|
EncryptingError = "Encrypting_Error"
|
||||||
|
ChksumError = "Checksum_Error"
|
||||||
|
KRBMsgError = "KRBMessage_Handling_Error"
|
||||||
|
ConfigError = "Configuration_Error"
|
||||||
|
KDCError = "KDC_Error"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Krberror is an error type for gokrb5
|
||||||
|
type Krberror struct {
|
||||||
|
RootCause string
|
||||||
|
EText []string
|
||||||
|
}
|
||||||
|
|
||||||
|
// Error function to implement the error interface.
|
||||||
|
func (e Krberror) Error() string {
|
||||||
|
return fmt.Sprintf("[Root cause: %s] ", e.RootCause) + strings.Join(e.EText, separator)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Add another error statement to the error.
|
||||||
|
func (e *Krberror) Add(et string, s string) {
|
||||||
|
e.EText = append([]string{fmt.Sprintf("%s: %s", et, s)}, e.EText...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// New creates a new instance of Krberror.
|
||||||
|
func New(et, s string) Krberror {
|
||||||
|
return Krberror{
|
||||||
|
RootCause: et,
|
||||||
|
EText: []string{s},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Errorf appends to or creates a new Krberror.
|
||||||
|
func Errorf(err error, et, format string, a ...interface{}) Krberror {
|
||||||
|
if e, ok := err.(Krberror); ok {
|
||||||
|
e.Add(et, fmt.Sprintf(format, a...))
|
||||||
|
return e
|
||||||
|
}
|
||||||
|
return NewErrorf(et, format+": %s", append(a, err)...)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewErrorf creates a new Krberror from a formatted string.
|
||||||
|
func NewErrorf(et, format string, a ...interface{}) Krberror {
|
||||||
|
var s string
|
||||||
|
if len(a) > 0 {
|
||||||
|
s = fmt.Sprintf("%s: %s", et, fmt.Sprintf(format, a...))
|
||||||
|
} else {
|
||||||
|
s = fmt.Sprintf("%s: %s", et, format)
|
||||||
|
}
|
||||||
|
return Krberror{
|
||||||
|
RootCause: et,
|
||||||
|
EText: []string{s},
|
||||||
|
}
|
||||||
|
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user