def step(self, sec_buf):
    """
    Run one GSS client round using the token supplied by the peer.

    The bytes of C{sec_buf} are passed to C{kerberos.authGSSClientStep}
    and the returned status is stored in C{self.result}.

    @param sec_buf: Security buffer received from the peer; it must
                    provide C{tostring()}.
    @return: A 2-tuple.  When the status is 0 it is C{(token, None)},
             where token is the next response as an C{array.array('B')}.
             For any other status it is C{(None, key)}, where key holds
             the first 16 bytes read back after
             C{kerberos.authGSSClientSessionKey}.
    """
    gss_ctx = self.context
    self.result = kerberos.authGSSClientStep(gss_ctx, sec_buf.tostring())

    if self.result != 0:
        # Presumably the exchange is complete at this point.  The session
        # key is fetched through the same response accessor and only its
        # leading 16 bytes are kept.
        # NOTE(review): the status returned by authGSSClientSessionKey is
        # not inspected here; confirm the binding raises on failure.
        kerberos.authGSSClientSessionKey(gss_ctx)
        key_bytes = kerberos.authGSSClientResponse(gss_ctx)[:16]
        return (None, array.array('B', key_bytes))

    # Status 0: hand the next token back to the caller to send.
    next_token = kerberos.authGSSClientResponse(gss_ctx)
    return (array.array('B', next_token), None)
def step(self, sec_buf):
    """
    Advance the GSS client context by one round.

    Feeds the raw bytes of C{sec_buf} to C{kerberos.authGSSClientStep},
    records the status in C{self.result} and reports either the next
    token or the key material.

    @param sec_buf: Incoming security buffer; must provide C{tostring()}.
    @return: C{(token, None)} when the step status is 0, otherwise
             C{(None, key)}.  Both non-None members are
             C{array.array('B')}; key is limited to 16 bytes.
    """
    incoming = sec_buf.tostring()
    status = kerberos.authGSSClientStep(self.context, incoming)
    self.result = status

    token = None
    key = None
    if status == 0:
        token = array.array('B', kerberos.authGSSClientResponse(self.context))
    else:
        # The key is requested first and then read through the ordinary
        # response accessor, truncated to 16 bytes.
        # NOTE(review): the result of authGSSClientSessionKey is discarded;
        # verify that a failure surfaces as an exception.
        kerberos.authGSSClientSessionKey(self.context)
        raw_key = kerberos.authGSSClientResponse(self.context)
        key = array.array('B', raw_key[:16])

    return (token, key)
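def session_setup(self, creds=None, bind=None):
    r"""
    Establish a session.

    Establishes a session, performing GSS rounds as necessary.  Returns
    a L{Channel} object which can be used for further requests on the given
    connection and session.

    @type creds: str
    @param creds: A set of credentials of the form
                  '<domain>\<user>%<password>'.  The string is split at
                  the first '%' and the first backslash, so the password
                  may itself contain '%'.  If specified, NTLM
                  authentication will be used.  If None, Kerberos
                  authentication will be attempted.  The value carries a
                  cleartext password and should not be logged.
    @type bind: L{Session}
    @param bind: An existing session to bind.
    @raise ValueError: If C{creds} lacks the '%' or backslash separator.
    """
    assert self.negotiate_response is not None

    if creds:
        # maxsplit=1: a '%' inside the password must not break unpacking.
        nt4, password = creds.split('%', 1)
        domain, user = nt4.split('\\', 1)
        (result, context) = kerberos.authGSSClientInit(
            "cifs/" + self.server,
            gssmech=2,
            user=user,
            password=password,
            domain=domain)
    else:
        (result, context) = kerberos.authGSSClientInit(
            "cifs/" + self.server,
            gssmech=1)

    # First round consumes the security blob from the negotiate response.
    result = kerberos.authGSSClientStep(
        context,
        self.negotiate_response.security_buffer.tostring())

    session_id = 0
    smb_res = None

    if bind:
        assert self.negotiate_response.dialect_revision >= 0x300
        session_id = bind.session_id
        # Binding requests are signed with a key derived from the existing
        # session's key.
        # NOTE(review): if a later step raises, _binding and _binding_key
        # stay set on this object; confirm callers discard the connection
        # in that case.
        self._binding = bind
        self._binding_key = digest.derive_key(
            bind.session_key, 'SMB2AESCMAC', 'SmbSign')[:16]

    while result == 0:
        smb_req = self.request()
        session_req = smb2.SessionSetupRequest(smb_req)

        smb_req.flags = smb2.SMB2_FLAGS_SIGNED if bind else 0
        smb_req.session_id = smb_res.session_id if smb_res else session_id
        session_req.flags = smb2.SMB2_SESSION_FLAG_BINDING if bind else 0
        # Signing is advertised as enabled, not as required.
        session_req.security_mode = smb2.SMB2_NEGOTIATE_SIGNING_ENABLED
        session_req.security_buffer = array.array(
            'B', kerberos.authGSSClientResponse(context))

        smb_res = self.transceive(smb_req.parent)[0]
        session_res = smb_res[0]
        result = kerberos.authGSSClientStep(context,
                                            session_res.security_buffer)

        if bind and result == 0:
            # Need to verify intermediate signatures
            smb_res.verify(self.signing_digest(), self._binding_key)

    result = kerberos.authGSSClientSessionKey(context)
    session_key = kerberos.authGSSClientResponse(context)[:16]

    # Dialect 3.0 and later sign with a derived key; earlier dialects use
    # the session key directly.
    if self.negotiate_response.dialect_revision >= 0x300:
        signing_key = digest.derive_key(
            session_key, 'SMB2AESCMAC', 'SmbSign')[:16]
    else:
        signing_key = session_key

    # Verify final signature
    # NOTE(review): the return value of verify() is ignored; this is only
    # a real check if verify() raises on a mismatch -- confirm.
    smb_res.verify(self.signing_digest(), signing_key)

    if bind:
        self._binding = None
        self._binding_key = None
        session = bind
    else:
        session = Session(self.client, smb_res.session_id, session_key)

    return session.addchannel(self, signing_key)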
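def session_setup(self, creds=None, bind=None):
    r"""
    Establish a session.

    Establishes a session, performing GSS rounds as necessary.  Returns
    a L{Channel} object which can be used for further requests on the given
    connection and session.

    @type creds: str
    @param creds: A set of credentials of the form
                  '<domain>\<user>%<password>'.  Only the first '%' and
                  the first backslash act as separators, so a password
                  containing '%' is accepted.  If specified, NTLM
                  authentication will be used.  If None, Kerberos
                  authentication will be attempted.  This string holds a
                  cleartext password; keep it out of logs.
    @type bind: L{Session}
    @param bind: An existing session to bind.
    @raise ValueError: If C{creds} has no '%' or no backslash separator.
    """
    assert self.negotiate_response is not None

    target = "cifs/" + self.server
    if creds:
        # Split once only, so that '%' characters in the password survive.
        nt4, password = creds.split('%', 1)
        domain, user = nt4.split('\\', 1)
        (result, context) = kerberos.authGSSClientInit(
            target, gssmech=2, user=user, password=password, domain=domain)
    else:
        (result, context) = kerberos.authGSSClientInit(target, gssmech=1)

    # Seed the exchange with the security buffer from the negotiate response.
    result = kerberos.authGSSClientStep(
        context, self.negotiate_response.security_buffer.tostring())

    session_id = 0
    smb_res = None

    if bind:
        assert self.negotiate_response.dialect_revision >= 0x300
        session_id = bind.session_id
        # While binding, requests are signed with a key derived from the
        # session being bound.
        # NOTE(review): these two attributes are cleared only on the
        # success path below; an exception leaves them set -- confirm
        # that is acceptable for callers.
        self._binding = bind
        self._binding_key = digest.derive_key(
            bind.session_key, 'SMB2AESCMAC', 'SmbSign')[:16]

    while result == 0:
        smb_req = self.request()
        session_req = smb2.SessionSetupRequest(smb_req)

        smb_req.flags = smb2.SMB2_FLAGS_SIGNED if bind else 0
        smb_req.session_id = smb_res.session_id if smb_res else session_id
        session_req.flags = smb2.SMB2_SESSION_FLAG_BINDING if bind else 0
        # The request marks signing as enabled rather than required.
        session_req.security_mode = smb2.SMB2_NEGOTIATE_SIGNING_ENABLED
        session_req.security_buffer = array.array(
            'B', kerberos.authGSSClientResponse(context))

        smb_res = self.transceive(smb_req.parent)[0]
        session_res = smb_res[0]
        result = kerberos.authGSSClientStep(
            context, session_res.security_buffer)

        if bind and result == 0:
            # Need to verify intermediate signatures
            smb_res.verify(self.signing_digest(), self._binding_key)

    result = kerberos.authGSSClientSessionKey(context)
    session_key = kerberos.authGSSClientResponse(context)[:16]

    # From dialect 3.0 on, the signing key is derived from the session key;
    # older dialects sign with the session key itself.
    if self.negotiate_response.dialect_revision >= 0x300:
        signing_key = digest.derive_key(
            session_key, 'SMB2AESCMAC', 'SmbSign')[:16]
    else:
        signing_key = session_key

    # Verify final signature
    # NOTE(review): nothing is done with verify()'s return value, so the
    # check depends on verify() raising when the signature is wrong.
    smb_res.verify(self.signing_digest(), signing_key)

    if bind:
        self._binding = None
        self._binding_key = None
        session = bind
    else:
        session = Session(self.client, smb_res.session_id, session_key)

    return session.addchannel(self, signing_key)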