package negotiate
import "github.com/alexbrainman/sspi/negotiate"
Package negotiate provides access to the Microsoft Negotiate SSP Package.
Index ¶
- Variables
- func AcquireCurrentUserCredentials() (*sspi.Credentials, error)
- func AcquireServerCredentials(principalName string) (*sspi.Credentials, error)
- func AcquireUserCredentials(domain, username, password string) (*sspi.Credentials, error)
- func GetPackageInfo() (*sspi.PackageInfo, error)
- type ClientContext
- func NewClientContext(cred *sspi.Credentials, targetName string) (cc *ClientContext, outputToken []byte, err error)
- func NewClientContextWithFlags(cred *sspi.Credentials, targetName string, flags uint32) (cc *ClientContext, outputToken []byte, err error)
- func (c *ClientContext) DecryptMessage(msg []byte, seqno uint32) (uint32, []byte, error)
- func (c *ClientContext) EncryptMessage(msg []byte, qop, seqno uint32) ([]byte, error)
- func (c *ClientContext) Expiry() time.Time
- func (c *ClientContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, error)
- func (c *ClientContext) Release() error
- func (c *ClientContext) Sizes() (uint32, uint32, uint32, uint32, error)
- func (c *ClientContext) Update(token []byte) (authCompleted bool, outputToken []byte, err error)
- func (c *ClientContext) VerifyFlags() error
- func (c *ClientContext) VerifySelectiveFlags(flags uint32) error
- func (c *ClientContext) VerifySignature(msg, token []byte, seqno uint32) (uint32, error)
- type ServerContext
- func NewServerContext(cred *sspi.Credentials, token []byte) (sc *ServerContext, authDone bool, outputToken []byte, err error)
- func (c *ServerContext) DecryptMessage(msg []byte, seqno uint32) (uint32, []byte, error)
- func (c *ServerContext) EncryptMessage(msg []byte, qop, seqno uint32) ([]byte, error)
- func (c *ServerContext) Expiry() time.Time
- func (c *ServerContext) GetUsername() (string, error)
- func (c *ServerContext) ImpersonateUser() error
- func (c *ServerContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, error)
- func (c *ServerContext) Release() error
- func (c *ServerContext) RevertToSelf() error
- func (c *ServerContext) Sizes() (uint32, uint32, uint32, uint32, error)
- func (c *ServerContext) Update(token []byte) (authCompleted bool, outputToken []byte, err error)
- func (c *ServerContext) VerifySignature(msg, token []byte, seqno uint32) (uint32, error)
Variables ¶
var PackageInfo *sspi.PackageInfo
PackageInfo contains the Negotiate SSP package description.
It is initialized best-effort during package init. During early boot the package may not yet be loaded and available, in which case this variable is nil.
Deprecated: use GetPackageInfo instead.
Functions ¶
func AcquireCurrentUserCredentials ¶
func AcquireCurrentUserCredentials() (*sspi.Credentials, error)
AcquireCurrentUserCredentials acquires the credentials of the currently logged-on user. These will be used by the client to authenticate itself to the server. They will also be used by the server to impersonate the user.
func AcquireServerCredentials ¶
func AcquireServerCredentials(principalName string) (*sspi.Credentials, error)
AcquireServerCredentials acquires server credentials that will be used to authenticate clients. The principalName parameter is passed to the underlying call to the Win32 AcquireCredentialsHandle function and specifies the name of the principal whose credentials the underlying handle will reference. As a special case, an empty principal name acquires the credentials of the user under whose security context the current process is running.
func AcquireUserCredentials ¶
func AcquireUserCredentials(domain, username, password string) (*sspi.Credentials, error)
AcquireUserCredentials acquires the credentials of the user described by domain, username and password. These will be used by the client to authenticate itself to the server. They will also be used by the server to impersonate the user.
func GetPackageInfo ¶
func GetPackageInfo() (*sspi.PackageInfo, error)
GetPackageInfo returns the Negotiate SSP package description.
Types ¶
type ClientContext ¶
type ClientContext struct {
// contains filtered or unexported fields
}
ClientContext is used by the client to manage all steps of Negotiate negotiation.
func NewClientContext ¶
func NewClientContext(cred *sspi.Credentials, targetName string) (cc *ClientContext, outputToken []byte, err error)
NewClientContext creates a new client context. It uses the client credentials cred (created by AcquireCurrentUserCredentials or AcquireUserCredentials) and the target SPN to start a client Negotiate negotiation sequence. targetName is the service principal name (SPN) of the destination server, or the name of its security context. NewClientContext returns a new token to be sent to the server.
func NewClientContextWithFlags ¶
func NewClientContextWithFlags(cred *sspi.Credentials, targetName string, flags uint32) (cc *ClientContext, outputToken []byte, err error)
NewClientContextWithFlags creates a new client context. It uses the client credentials cred (created by AcquireCurrentUserCredentials or AcquireUserCredentials) and the target SPN to start a client Negotiate negotiation sequence. targetName is the service principal name (SPN) of the destination server, or the name of its security context. The flags parameter requests attributes for the context (for example sspi.ISC_REQ_CONFIDENTIALITY|sspi.ISC_REQ_REPLAY_DETECT); whether they were honored can be checked afterwards with VerifyFlags or VerifySelectiveFlags. NewClientContextWithFlags returns a new token to be sent to the server.
func (*ClientContext) DecryptMessage ¶
func (c *ClientContext) DecryptMessage(msg []byte, seqno uint32) (uint32, []byte, error)
DecryptMessage uses the established client context to decrypt a message using the provided sequence number. It returns the quality of protection flag and the decrypted message in addition to any error.
func (*ClientContext) EncryptMessage ¶
func (c *ClientContext) EncryptMessage(msg []byte, qop, seqno uint32) ([]byte, error)
EncryptMessage uses the established client context to encrypt a message using the provided quality of protection flags and sequence number. It returns the signature token in addition to any error. IMPORTANT: the low-level Windows API updates the input msg in place, so copy it first if the original content must be preserved.
func (*ClientContext) Expiry ¶
func (c *ClientContext) Expiry() time.Time
Expiry returns the expiry time of context c.
func (*ClientContext) MakeSignature ¶
func (c *ClientContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, error)
MakeSignature uses the established client context to create a signature for the given message using the provided quality of protection flags and sequence number. It returns the signature token in addition to any error.
func (*ClientContext) Release ¶
func (c *ClientContext) Release() error
Release frees the resources associated with client context c.
func (*ClientContext) Sizes ¶
func (c *ClientContext) Sizes() (uint32, uint32, uint32, uint32, error)
Sizes queries the client context for the sizes used in per-message functions. It returns the maximum token size used in authentication exchanges, the maximum signature size, the preferred integral size of messages, the size of any security trailer, and any error.
func (*ClientContext) Update ¶
func (c *ClientContext) Update(token []byte) (authCompleted bool, outputToken []byte, err error)
Update advances the client part of the Negotiate negotiation c. It consumes the token received from the server and returns true if the client part of authentication is complete. It also returns a new token to be sent to the server.
func (*ClientContext) VerifyFlags ¶
func (c *ClientContext) VerifyFlags() error
VerifyFlags determines if all flags used to construct the client context were honored (see NewClientContextWithFlags). It should be called after c.Update.
func (*ClientContext) VerifySelectiveFlags ¶
func (c *ClientContext) VerifySelectiveFlags(flags uint32) error
VerifySelectiveFlags determines if the given flags were honored (see NewClientContextWithFlags). It should be called after c.Update.
func (*ClientContext) VerifySignature ¶
func (c *ClientContext) VerifySignature(msg, token []byte, seqno uint32) (uint32, error)
VerifySignature uses the established client context and signature token to check that the provided message has not been tampered with or received out of sequence. It returns any quality of protection flags and any error that occurred.
type ServerContext ¶
type ServerContext struct {
// contains filtered or unexported fields
}
ServerContext is used by the server to manage all steps of the Negotiate negotiation. Once authentication is complete the context can be used to impersonate the client.
func NewServerContext ¶
func NewServerContext(cred *sspi.Credentials, token []byte) (sc *ServerContext, authDone bool, outputToken []byte, err error)
NewServerContext creates a new server context. It uses the server credentials created by AcquireServerCredentials and the token from the client to start the server Negotiate negotiation sequence. It also returns a new token to be sent to the client.
func (*ServerContext) DecryptMessage ¶
func (c *ServerContext) DecryptMessage(msg []byte, seqno uint32) (uint32, []byte, error)
DecryptMessage uses the established server context to decrypt a message using the provided sequence number. It returns the quality of protection flag and the decrypted message in addition to any error.
func (*ServerContext) EncryptMessage ¶
func (c *ServerContext) EncryptMessage(msg []byte, qop, seqno uint32) ([]byte, error)
EncryptMessage uses the established server context to encrypt a message using the provided quality of protection flags and sequence number. It returns the signature token in addition to any error. IMPORTANT: the low-level Windows API updates the input msg in place, so copy it first if the original content must be preserved.
func (*ServerContext) Expiry ¶
func (c *ServerContext) Expiry() time.Time
Expiry returns the expiry time of context c.
func (*ServerContext) GetUsername ¶
func (c *ServerContext) GetUsername() (string, error)
GetUsername returns the username corresponding to the authenticated client.
func (*ServerContext) ImpersonateUser ¶
func (c *ServerContext) ImpersonateUser() error
ImpersonateUser changes the user of the current OS thread to the user identified by the client's credentials.
func (*ServerContext) MakeSignature ¶
func (c *ServerContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, error)
MakeSignature uses the established server context to create a signature for the given message using the provided quality of protection flags and sequence number. It returns the signature token in addition to any error.
func (*ServerContext) Release ¶
func (c *ServerContext) Release() error
Release frees the resources associated with server context c.
func (*ServerContext) RevertToSelf ¶
func (c *ServerContext) RevertToSelf() error
RevertToSelf stops impersonation. It changes the user of the current OS thread back to what it was before ImpersonateUser was executed.
func (*ServerContext) Sizes ¶
func (c *ServerContext) Sizes() (uint32, uint32, uint32, uint32, error)
Sizes queries the server context for the sizes used in per-message functions. It returns the maximum token size used in authentication exchanges, the maximum signature size, the preferred integral size of messages, the size of any security trailer, and any error.
func (*ServerContext) Update ¶
func (c *ServerContext) Update(token []byte) (authCompleted bool, outputToken []byte, err error)
Update advances the server part of the Negotiate negotiation c. It consumes the token received from the client and returns true if the server part of authentication is complete. It also returns a new token to be sent to the client.
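The token exchange that NewClientContext, NewServerContext and the two Update methods describe, as an added example that is not part of this package: a driver that completes the handshake over the Update signature shared by *ClientContext and *ServerContext, refusing to report success until both sides are done, bounding the number of rounds, and treating a missing or leftover token as a failed negotiation. Peer, PeerFunc and Complete are names introduced here; the real contexts satisfy Peer unchanged, and PeerFunc exists only so the loop can be exercised offline with scripted tokens.

```go
package main

import (
	"errors"
	"fmt"
)

// Peer is all the loop needs; *negotiate.ClientContext and *negotiate.ServerContext satisfy it.
type Peer interface {
	Update(token []byte) (authCompleted bool, outputToken []byte, err error)
}

// PeerFunc adapts a plain function to Peer so the loop can be exercised offline with scripted tokens.
type PeerFunc func(token []byte) (bool, []byte, error)
func (f PeerFunc) Update(t []byte) (bool, []byte, error) { return f(t) }
var ErrStalled = errors.New("negotiate: a side is still pending but there is no token to feed it")
var ErrTrailing = errors.New("negotiate: both sides report done but a token was left unconsumed")

// Complete drives the exchange after NewClientContext produced the first token and NewServerContext
// consumed it: serverDone and token are the authDone and outputToken NewServerContext returned.
// Success means both sides reported completion with nothing left to deliver; maxRounds bounds the loop.
func Complete(client, server Peer, serverDone bool, token []byte, maxRounds int) (int, error) {
	var err error
	clientDone, rounds := false, 0
	for !clientDone || !serverDone {
		if rounds++; rounds > maxRounds {
			return rounds, fmt.Errorf("negotiate: no completion after %d rounds", maxRounds)
		}
		if !clientDone {
			if len(token) == 0 {
				return rounds, ErrStalled // the client needs a server token it never got
			}
			if clientDone, token, err = client.Update(token); err != nil {
				return rounds, fmt.Errorf("client Update: %w", err)
			}
		}
		if !serverDone {
			if len(token) == 0 {
				return rounds, ErrStalled // the server needs a client token it never got
			}
			if serverDone, token, err = server.Update(token); err != nil {
				return rounds, fmt.Errorf("server Update: %w", err)
			}
		}
	}
	if len(token) != 0 {
		return rounds, ErrTrailing
	}
	return rounds, nil
}
```

On Windows the same loop is driven with cc, tok, err := negotiate.NewClientContext(cred, spn), then sc, done, tok, err := negotiate.NewServerContext(scred, tok), then Complete(cc, sc, done, tok, 8).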
func (*ServerContext) VerifySignature ¶
func (c *ServerContext) VerifySignature(msg, token []byte, seqno uint32) (uint32, error)
VerifySignature uses the established server context and signature token to check that the provided message has not been tampered with or received out of sequence. It returns any quality of protection flags and any error that occurred.
Version: v0.0.0-20231016080023-1a75b4708caa (latest)
Published: Oct 16, 2023
Platform: windows/amd64
Imports: 7 packages