def step3(self, tok): """ Deals with SSF This method deals with negotiating SSF (the security level) and max message size, setting the max message size appropriately :param bytes tok: the wrapped message sent from the server :rtype: bytes :returns: a wrapped message to be sent to the server declaring our security level and max message size """ # we don't care out security for this, # so we don't use self.unwrap unwrapped_tok = gss.unwrap(self.ctx, tok)[0] sec_layers_supported_raw = ord(unwrapped_tok[0]) max_server_msg_size_raw = '\x00' + unwrapped_tok[1:4] max_server_msg_size = struct.unpack('!L', max_server_msg_size_raw)[0] if (self.max_msg_size is None or self.max_msg_size > max_server_msg_size): self.max_msg_size = max_server_msg_size sec_layers_supported = [] for name, mask in self.SEC_LAYER_MASKS.items(): if sec_layers_supported_raw & mask > 0: sec_layers_supported.append(name) sec_layer_choice = 0 if self.security_type == 'any': for mask in self.SEC_LAYER_MASKS.values(): if mask & sec_layers_supported_raw > sec_layer_choice: sec_layer_choice = mask elif self.security_type in sec_layers_supported: sec_layer_choice = self.SEC_LAYER_MASKS[self.security_type] else: raise SASLGSSClientError('Server is unable to accomodate ' 'our security level!') if self.security_layer is None: self.security_layer = self.INV_SEC_LAYER_MASKS[sec_layer_choice] resp = (chr(sec_layer_choice) + struct.pack('!L', self.max_msg_size)[0:3] + self.user_name) # again, we don't care about our selected security type for this one return gss.wrap(self.ctx, resp, False, None)[0]
def test_basic_wrap_unwrap(self): (wrapped_message, conf) = gb.wrap(self.client_ctx, b'test message') conf.should_be_a(bool) conf.should_be_true() wrapped_message.should_be_a(bytes) wrapped_message.shouldnt_be_empty() wrapped_message.should_be_longer_than('test message') (unwrapped_message, conf, qop) = gb.unwrap(self.server_ctx, wrapped_message) conf.should_be_a(bool) conf.should_be_true() qop.should_be_an_integer() qop.should_be_at_least(0) unwrapped_message.should_be_a(bytes) unwrapped_message.shouldnt_be_empty() unwrapped_message.should_be(b'test message')
def decrypt(self, msg): """ Decrypts a message This method decrypts a message encrypted by the server. :param bytes msg: the message to be decrypted :rtype: str :returns: the decrypted message :except GSSClientError: if encryption was requested but not used, or if the QoP failed to meet our standards """ if self.security_type is not None and self.security_type != 0: res, used, _ = gss.unwrap(self.ctx, msg) isconf = self.security_type == gss.RequirementFlag.confidentiality if (not used and isconf): raise GSSClientError('User requested encryption, ' 'but the server sent an unencrypted ' 'message!') return res.decode('utf-8') else: return msg.decode('utf-8')
def decrypt(self, msg): return gb.unwrap(self.ctx, msg)[0].decode('utf-8')