def step3(self, tok):
"""
Deals with SSF
This method deals with negotiating SSF (the security level)
and max message size, setting the max message size appropriately
:param bytes tok: the wrapped message sent from the server
:rtype: bytes
:returns: a wrapped message to be sent to the server declaring
our security level and max message size
"""
# we don't care out security for this,
# so we don't use self.unwrap
unwrapped_tok = gss.unwrap(self.ctx, tok)[0]
sec_layers_supported_raw = ord(unwrapped_tok[0])
max_server_msg_size_raw = '\x00' + unwrapped_tok[1:4]
max_server_msg_size = struct.unpack('!L', max_server_msg_size_raw)[0]
if (self.max_msg_size is None
or self.max_msg_size > max_server_msg_size):
self.max_msg_size = max_server_msg_size
sec_layers_supported = []
for name, mask in self.SEC_LAYER_MASKS.items():
if sec_layers_supported_raw & mask > 0:
sec_layers_supported.append(name)
sec_layer_choice = 0
if self.security_type == 'any':
for mask in self.SEC_LAYER_MASKS.values():
if mask & sec_layers_supported_raw > sec_layer_choice:
sec_layer_choice = mask
elif self.security_type in sec_layers_supported:
sec_layer_choice = self.SEC_LAYER_MASKS[self.security_type]
else:
raise SASLGSSClientError('Server is unable to accomodate '
'our security level!')
if self.security_layer is None:
self.security_layer = self.INV_SEC_LAYER_MASKS[sec_layer_choice]
resp = (chr(sec_layer_choice) +
struct.pack('!L', self.max_msg_size)[0:3] +
self.user_name)
# again, we don't care about our selected security type for this one
return gss.wrap(self.ctx, resp, False, None)[0]
def step3(self, tok):
"""
Deals with SSF
This method deals with negotiating SSF (the security level)
and max message size, setting the max message size appropriately
:param bytes tok: the wrapped message sent from the server
:rtype: bytes
:returns: a wrapped message to be sent to the server declaring
our security level and max message size
"""
# we don't care out security for this,
# so we don't use self.unwrap
unwrapped_tok = gss.unwrap(self.ctx, tok)[0]
sec_layers_supported_raw = ord(unwrapped_tok[0])
max_server_msg_size_raw = '\x00' + unwrapped_tok[1:4]
max_server_msg_size = struct.unpack('!L', max_server_msg_size_raw)[0]
if (self.max_msg_size is None
or self.max_msg_size > max_server_msg_size):
self.max_msg_size = max_server_msg_size
sec_layers_supported = []
for name, mask in self.SEC_LAYER_MASKS.items():
if sec_layers_supported_raw & mask > 0:
sec_layers_supported.append(name)
sec_layer_choice = 0
if self.security_type == 'any':
for mask in self.SEC_LAYER_MASKS.values():
if mask & sec_layers_supported_raw > sec_layer_choice:
sec_layer_choice = mask
elif self.security_type in sec_layers_supported:
sec_layer_choice = self.SEC_LAYER_MASKS[self.security_type]
else:
raise SASLGSSClientError('Server is unable to accomodate '
'our security level!')
if self.security_layer is None:
self.security_layer = self.INV_SEC_LAYER_MASKS[sec_layer_choice]
resp = (chr(sec_layer_choice) +
struct.pack('!L', self.max_msg_size)[0:3] + self.user_name)
# again, we don't care about our selected security type for this one
return gss.wrap(self.ctx, resp, False, None)[0]
def encrypt(self, str_msg):
"""
Encrypts a message
This method encrypts a message according to the current
security level
:param str msg: the message to be encrypted
:rtype: bytes
:returns: the encrypted form of the message
:except GSSClientError: if the requested security level
could not be used
"""
msg = str_msg.encode('utf-8')
if self.security_type == gss.RequirementFlag.integrity:
return gss.wrap(self.ctx, msg, False, None)[0]
elif self.security_type == gss.RequirementFlag.confidentiality:
res, used = gss.wrap(self.ctx, msg, True, None)
if not used:
raise GSSClientError('User requested encryption, '
'but it was not used!')
return res
else:
return msg
def encrypt(self, str_msg):
"""
Encrypts a message
This method encrypts a message according to the current
security level
:param str msg: the message to be encrypted
:rtype: bytes
:returns: the encrypted form of the message
:except GSSClientError: if the requested security level
could not be used
"""
msg = str_msg.encode('utf-8')
if self.security_type == gss.RequirementFlag.integrity:
return gss.wrap(self.ctx, msg, False, None)[0]
elif self.security_type == gss.RequirementFlag.confidentiality:
res, used = gss.wrap(self.ctx, msg, True, None)
if not used:
raise GSSClientError('User requested encryption, '
'but it was not used!')
return res
else:
return msg
def test_basic_wrap_unwrap(self):
(wrapped_message, conf) = gb.wrap(self.client_ctx, b'test message')
conf.should_be_a(bool)
conf.should_be_true()
wrapped_message.should_be_a(bytes)
wrapped_message.shouldnt_be_empty()
wrapped_message.should_be_longer_than('test message')
(unwrapped_message, conf, qop) = gb.unwrap(self.server_ctx,
wrapped_message)
conf.should_be_a(bool)
conf.should_be_true()
qop.should_be_an_integer()
qop.should_be_at_least(0)
unwrapped_message.should_be_a(bytes)
unwrapped_message.shouldnt_be_empty()
unwrapped_message.should_be(b'test message')
def test_basic_wrap_unwrap(self):
(wrapped_message, conf) = gb.wrap(self.client_ctx, b'test message')
conf.should_be_a(bool)
conf.should_be_true()
wrapped_message.should_be_a(bytes)
wrapped_message.shouldnt_be_empty()
wrapped_message.should_be_longer_than('test message')
(unwrapped_message, conf, qop) = gb.unwrap(self.server_ctx,
wrapped_message)
conf.should_be_a(bool)
conf.should_be_true()
qop.should_be_an_integer()
qop.should_be_at_least(0)
unwrapped_message.should_be_a(bytes)
unwrapped_message.shouldnt_be_empty()
unwrapped_message.should_be(b'test message')
def encrypt(self, msg):
return gb.wrap(self.ctx, msg.encode('utf-8'), True, None)[0]
def encrypt(self, msg):
return gb.wrap(self.ctx, msg.encode('utf-8'), True, None)[0]
