def step3(self, tok): """ Deals with SSF This method deals with negotiating SSF (the security level) and max message size, setting the max message size appropriately :param bytes tok: the wrapped message sent from the server :rtype: bytes :returns: a wrapped message to be sent to the server declaring our security level and max message size """ # we don't care out security for this, # so we don't use self.unwrap unwrapped_tok = gss.unwrap(self.ctx, tok)[0] sec_layers_supported_raw = ord(unwrapped_tok[0]) max_server_msg_size_raw = '\x00' + unwrapped_tok[1:4] max_server_msg_size = struct.unpack('!L', max_server_msg_size_raw)[0] if (self.max_msg_size is None or self.max_msg_size > max_server_msg_size): self.max_msg_size = max_server_msg_size sec_layers_supported = [] for name, mask in self.SEC_LAYER_MASKS.items(): if sec_layers_supported_raw & mask > 0: sec_layers_supported.append(name) sec_layer_choice = 0 if self.security_type == 'any': for mask in self.SEC_LAYER_MASKS.values(): if mask & sec_layers_supported_raw > sec_layer_choice: sec_layer_choice = mask elif self.security_type in sec_layers_supported: sec_layer_choice = self.SEC_LAYER_MASKS[self.security_type] else: raise SASLGSSClientError('Server is unable to accomodate ' 'our security level!') if self.security_layer is None: self.security_layer = self.INV_SEC_LAYER_MASKS[sec_layer_choice] resp = (chr(sec_layer_choice) + struct.pack('!L', self.max_msg_size)[0:3] + self.user_name) # again, we don't care about our selected security type for this one return gss.wrap(self.ctx, resp, False, None)[0]
def encrypt(self, str_msg): """ Encrypts a message This method encrypts a message according to the current security level :param str msg: the message to be encrypted :rtype: bytes :returns: the encrypted form of the message :except GSSClientError: if the requested security level could not be used """ msg = str_msg.encode('utf-8') if self.security_type == gss.RequirementFlag.integrity: return gss.wrap(self.ctx, msg, False, None)[0] elif self.security_type == gss.RequirementFlag.confidentiality: res, used = gss.wrap(self.ctx, msg, True, None) if not used: raise GSSClientError('User requested encryption, ' 'but it was not used!') return res else: return msg
def test_basic_wrap_unwrap(self): (wrapped_message, conf) = gb.wrap(self.client_ctx, b'test message') conf.should_be_a(bool) conf.should_be_true() wrapped_message.should_be_a(bytes) wrapped_message.shouldnt_be_empty() wrapped_message.should_be_longer_than('test message') (unwrapped_message, conf, qop) = gb.unwrap(self.server_ctx, wrapped_message) conf.should_be_a(bool) conf.should_be_true() qop.should_be_an_integer() qop.should_be_at_least(0) unwrapped_message.should_be_a(bytes) unwrapped_message.shouldnt_be_empty() unwrapped_message.should_be(b'test message')
def encrypt(self, msg): return gb.wrap(self.ctx, msg.encode('utf-8'), True, None)[0]