Jonathan Turner
62e2cb2241
replace byte.Equals with hmac.Equals in order to avoid timing side-channels
|
7 lat temu | |
|---|---|---|
| .. | ||
| ContextFlags.go | 8 lat temu | |
| MechType.go | 8 lat temu | |
| NegotiationToken.go | 7 lat temu | |
| NegotiationToken_test.go | 8 lat temu | |
| README.md | 7 lat temu | |
| WrapToken.go | 7 lat temu | |
| WrapToken_test.go | 7 lat temu | |
| gssapi.go | 7 lat temu | |
| gssapi_test.go | 8 lat temu | |
| krb5Token.go | 7 lat temu | |
| krb5Token_test.go | 7 lat temu | |
README.md
Notes on GSS-API Negotiation Mechanism
https://tools.ietf.org/html/rfc4178
Client sends an initial negotiation message to the server which specifies the list of mechanisms
the client can support in order of decreasing preference.
This message is generated with the NewNegTokenInitKrb5 method.
The message generated by this function specifies only a kerberos v5 mechanism is supported.
The RFC states that this message can optionally contain the initial mechanism token
for the preferred mechanism (KRB5 in this case) of the client. The NewNegTokenInitKrb5
includes this in the message.
The server side responds to this message with a one of four messages:
| Message Type/State | Description |
|---|---|
| accept-completed | indicates that the initiator-selected mechanism was acceptable to the target, and that the security mechanism token embedded in the first negotiation message was sufficient to complete the authentication |
| accept-incomplete | At least one more message is needed from the client to establish security context. |
| reject | Negotiation is being terminated. |
| request-mic | (this state can only be present in the first reply message from the target) indicates that the MIC token exchange is REQUIRED if per-message integrity services are available |