Negotiate improvements #4
Conversation
|
Note: I had to change the prototype from sspi.AcquireCredentials in order to pass the principal name since the C++ code I was porting made use of this parameter. Not breaking the current signature would require a new function (sspi.AcquireCredentialsForPrincipal ?), please let me know if you feel this is a better option. |
|
I will try to review this weekend. Alex |
negotiate/negotiate.go
Outdated
| @@ -245,6 +288,20 @@ func (c *ClientContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, er | |||
| return makeSignature(c.sctxt, msg, qop, seqno) | |||
| } | |||
|
|
|||
| // EncryptMessage uses the established client context to encrypt a message | |||
There was a problem hiding this comment.
Can you, please, add a test for EncryptMessage and DecryptMessage ?
| // credentials cred generated by AcquireCurrentUserCredentials or | ||
| // AcquireUserCredentials and SPN to start client Negotiate | ||
| // AcquireUserCredentials and SPN to start a client Negotiate | ||
| // negotiation sequence. targetName is the service principal name | ||
| // (SPN) or the security context of the destination server. |
There was a problem hiding this comment.
You do not mention new "flags" parameter in the documentation. Don't you want to say something about it?
There was a problem hiding this comment.
You did not address my comment.
There was a problem hiding this comment.
The flags parameter is documented in AcquireUserCredentialsWithFlags, did you mean something else ?
There was a problem hiding this comment.
My fault, I have no idea why I asked you to document "flag" parameter here. Forget my comment.
sspi.go
Outdated
| @@ -50,13 +50,21 @@ type Credentials struct { | |||
| expiry syscall.Filetime | |||
| } | |||
|
|
|||
| func AcquireCredentials(pkgname string, creduse uint32, authdata *byte) (*Credentials, error) { | |||
| func AcquireCredentials(principal string, pkgname string, creduse uint32, authdata *byte) (*Credentials, error) { | |||
There was a problem hiding this comment.
This commit changes the way "principal" parameter of "" is handled. What is happening here is not obvious. This needs to be at least documented in function doco.
There was a problem hiding this comment.
An empty principal parameter is passed as a nil pointer in the underlying winapi call. I will document.
There was a problem hiding this comment.
I still do not see any new documentation that you promised.
There was a problem hiding this comment.
I forgot this part, sorry. I'll fix that.
negotiate/negotiate.go
Outdated
| @@ -85,13 +85,13 @@ func AcquireUserCredentials(domain, username, password string) (*sspi.Credential | |||
| PasswordLength: plen, | |||
| Flags: sspi.SEC_WINNT_AUTH_IDENTITY_UNICODE, | |||
| } | |||
| return acquireCredentials(sspi.SECPKG_CRED_OUTBOUND, &ai) | |||
| return acquireCredentials("", sspi.SECPKG_CRED_OUTBOUND, &ai) | |||
| } | |||
|
|
|||
| // AcquireServerCredentials acquires server credentials that will | |||
| // be used to authenticate client. | |||
There was a problem hiding this comment.
Maybe add new "principalName" parameter documentation.
There was a problem hiding this comment.
You did not address my comment.
There was a problem hiding this comment.
I'm sorry, I'm afraid I did not understand what you meant here... Do you suggest to add a new parameter "principalName" to AcquireUserCredentials ?
There was a problem hiding this comment.
You have added "principalName" parameter to AcquireServerCredentials function. You should document new parameter - explain what it does.
negotiate/negotiate.go
Outdated
| if ret != sspi.SEC_E_OK { | ||
| return "", ret | ||
| } | ||
| defer sspi.FreeContextBuffer((*byte)(unsafe.Pointer(ns.ClientName))) |
There was a problem hiding this comment.
Why aren't you freeing ServerName too?
There was a problem hiding this comment.
It was simply an oversight, fixed !
vanackere
force-pushed
the
negotiate-improvements
branch
from
48f578e to
816b5ac
Compare
|
Hi, I made the requested changes and updated my branch, PTAL |
negotiate/negotiate.go
Outdated
| @@ -85,13 +85,13 @@ func AcquireUserCredentials(domain, username, password string) (*sspi.Credential | |||
| PasswordLength: plen, | |||
| Flags: sspi.SEC_WINNT_AUTH_IDENTITY_UNICODE, | |||
| } | |||
| return acquireCredentials(sspi.SECPKG_CRED_OUTBOUND, &ai) | |||
| return acquireCredentials("", sspi.SECPKG_CRED_OUTBOUND, &ai) | |||
| } | |||
|
|
|||
| // AcquireServerCredentials acquires server credentials that will | |||
| // be used to authenticate client. | |||
There was a problem hiding this comment.
You did not address my comment.
sspi.go
Outdated
| @@ -50,13 +50,21 @@ type Credentials struct { | |||
| expiry syscall.Filetime | |||
| } | |||
|
|
|||
| func AcquireCredentials(pkgname string, creduse uint32, authdata *byte) (*Credentials, error) { | |||
| func AcquireCredentials(principal string, pkgname string, creduse uint32, authdata *byte) (*Credentials, error) { | |||
There was a problem hiding this comment.
I still do not see any new documentation that you promised.
| // credentials cred generated by AcquireCurrentUserCredentials or | ||
| // AcquireUserCredentials and SPN to start client Negotiate | ||
| // AcquireUserCredentials and SPN to start a client Negotiate | ||
| // negotiation sequence. targetName is the service principal name | ||
| // (SPN) or the security context of the destination server. |
There was a problem hiding this comment.
You did not address my comment.
| // credentials cred generated by AcquireCurrentUserCredentials or | ||
| // AcquireUserCredentials and SPN to start client Negotiate | ||
| // AcquireUserCredentials and SPN to start a client Negotiate | ||
| // negotiation sequence. targetName is the service principal name | ||
| // (SPN) or the security context of the destination server. |
There was a problem hiding this comment.
My fault, I have no idea why I asked you to document "flag" parameter here. Forget my comment.
negotiate/negotiate.go
Outdated
| @@ -85,13 +85,13 @@ func AcquireUserCredentials(domain, username, password string) (*sspi.Credential | |||
| PasswordLength: plen, | |||
| Flags: sspi.SEC_WINNT_AUTH_IDENTITY_UNICODE, | |||
| } | |||
| return acquireCredentials(sspi.SECPKG_CRED_OUTBOUND, &ai) | |||
| return acquireCredentials("", sspi.SECPKG_CRED_OUTBOUND, &ai) | |||
| } | |||
|
|
|||
| // AcquireServerCredentials acquires server credentials that will | |||
| // be used to authenticate client. | |||
There was a problem hiding this comment.
You have added "principalName" parameter to AcquireServerCredentials function. You should document new parameter - explain what it does.
sspi.go
Outdated
| @@ -50,13 +50,21 @@ type Credentials struct { | |||
| expiry syscall.Filetime | |||
| } | |||
|
|
|||
| func AcquireCredentials(pkgname string, creduse uint32, authdata *byte) (*Credentials, error) { | |||
| func AcquireCredentials(principal string, pkgname string, creduse uint32, authdata *byte) (*Credentials, error) { | |||
This allows to pass specific useful flags (like sspi.ISC_REQ_INTEGRITY or ISC_REQ_INTEGRITY)
Setting this parameter to an empty string will pass nil to the underlying windows sspi function. Only the negotiate public api is changed in this commit (since the C++ code I'm porting was explicitely using this parameter).
This method returns the username corresponding to the authenticated client
Explicitely returning the serverDone boolean allows for slightly cleaner code
vanackere
force-pushed
the
negotiate-improvements
branch
from
816b5ac to
55a2fc7
Compare
|
Branch updated and rebased, please let me know if I still missed anything, thanks ! |
|
LGTM now. Thank you. Alex |
|
Merged, so closing this now. Alex |
Hi,
This branch contains various changes / improvements to the negotiate package (FYI those changes were added in order to implement both Web SPNEGO and SASL GSS-SPNEGO support, using the native windows api).
Please merge if you feel those are appropriate, thanks !