Exemple #1
0
 def step(self, sec_buf):
     self.result = kerberos.authGSSClientStep(self.context,
                                              sec_buf.tostring())
     if self.result == 0:
         return (array.array('B',
                             kerberos.authGSSClientResponse(self.context)),
                 None)
     else:
         kerberos.authGSSClientSessionKey(self.context)
         return (None,
                 array.array(
                     'B',
                     kerberos.authGSSClientResponse(self.context)[:16]))
Exemple #2
0
 def step(self, sec_buf):
     self.result = kerberos.authGSSClientStep(
             self.context,
             sec_buf.tostring())
     if self.result == 0:
         return (array.array(
                 'B',
                 kerberos.authGSSClientResponse(self.context)),
                 None)
     else:
         kerberos.authGSSClientSessionKey(self.context)
         return (None,
                 array.array('B',
                     kerberos.authGSSClientResponse(self.context)[:16]))
Exemple #3
0
    def session_setup(self, creds=None, bind=None):
        """
        Establish a session.

        Establishes a session, performing GSS rounds as necessary.  Returns
        a L{Channel} object which can be used for further requests on the given
        connection and session.

        @type creds: str
        @param creds: A set of credentials of the form '<domain>\<user>%<password>'.
                      If specified, NTLM authentication will be used.  If None,
                      Kerberos authentication will be attempted.
        @type bind: L{Session}
        @param bind: An existing session to bind.
        """
        assert self.negotiate_response is not None

        if creds:
            nt4, password = creds.split('%')
            domain, user = nt4.split('\\')
            (result,
             context) = kerberos.authGSSClientInit("cifs/" + self.server,
                                                   gssmech=2,
                                                   user=user,
                                                   password=password,
                                                   domain=domain)
        else:
            (result,
             context) = kerberos.authGSSClientInit("cifs/" + self.server,
                                                   gssmech=1)

        result = kerberos.authGSSClientStep(
            context, self.negotiate_response.security_buffer.tostring())
        session_id = 0
        smb_res = None

        if bind:
            assert self.negotiate_response.dialect_revision >= 0x300
            session_id = bind.session_id
            self._binding = bind
            self._binding_key = digest.derive_key(bind.session_key,
                                                  'SMB2AESCMAC',
                                                  'SmbSign')[:16]

        while result == 0:
            smb_req = self.request()
            session_req = smb2.SessionSetupRequest(smb_req)

            smb_req.flags = smb2.SMB2_FLAGS_SIGNED if bind else 0
            smb_req.session_id = smb_res.session_id if smb_res else session_id
            session_req.flags = smb2.SMB2_SESSION_FLAG_BINDING if bind else 0
            session_req.security_mode = smb2.SMB2_NEGOTIATE_SIGNING_ENABLED
            session_req.security_buffer = array.array(
                'B', kerberos.authGSSClientResponse(context))

            smb_res = self.transceive(smb_req.parent)[0]
            session_res = smb_res[0]

            result = kerberos.authGSSClientStep(context,
                                                session_res.security_buffer)

            if bind and result == 0:
                # Need to verify intermediate signatures
                smb_res.verify(self.signing_digest(), self._binding_key)

        result = kerberos.authGSSClientSessionKey(context)
        session_key = kerberos.authGSSClientResponse(context)[:16]

        if self.negotiate_response.dialect_revision >= 0x300:
            signing_key = digest.derive_key(session_key, 'SMB2AESCMAC',
                                            'SmbSign')[:16]
        else:
            signing_key = session_key

        # Verify final signature
        smb_res.verify(self.signing_digest(), signing_key)

        if bind:
            self._binding = None
            self._binding_key = None
            session = bind
        else:
            session = Session(self.client, smb_res.session_id, session_key)

        return session.addchannel(self, signing_key)
Exemple #4
0
    def session_setup(self, creds=None, bind=None):
        """
        Establish a session.

        Establishes a session, performing GSS rounds as necessary.  Returns
        a L{Channel} object which can be used for further requests on the given
        connection and session.

        @type creds: str
        @param creds: A set of credentials of the form '<domain>\<user>%<password>'.
                      If specified, NTLM authentication will be used.  If None,
                      Kerberos authentication will be attempted.
        @type bind: L{Session}
        @param bind: An existing session to bind.
        """
        assert self.negotiate_response is not None

        if creds:
            nt4,password = creds.split('%')
            domain,user = nt4.split('\\')
            (result,context) = kerberos.authGSSClientInit(
                "cifs/" + self.server,
                gssmech=2,
                user=user,
                password=password,
                domain=domain)
        else:
            (result,context) = kerberos.authGSSClientInit("cifs/" + self.server,gssmech=1)

        result = kerberos.authGSSClientStep(context,
                                            self.negotiate_response.security_buffer.tostring())
        session_id = 0
        smb_res = None

        if bind:
            assert self.negotiate_response.dialect_revision >= 0x300
            session_id = bind.session_id
            self._binding = bind
            self._binding_key = digest.derive_key(bind.session_key, 'SMB2AESCMAC', 'SmbSign')[:16]
        
        while result == 0:
            smb_req = self.request()
            session_req = smb2.SessionSetupRequest(smb_req)
            
            smb_req.flags = smb2.SMB2_FLAGS_SIGNED if bind else 0
            smb_req.session_id = smb_res.session_id if smb_res else session_id
            session_req.flags = smb2.SMB2_SESSION_FLAG_BINDING if bind else 0
            session_req.security_mode = smb2.SMB2_NEGOTIATE_SIGNING_ENABLED
            session_req.security_buffer = array.array('B',kerberos.authGSSClientResponse(context))
            
            smb_res = self.transceive(smb_req.parent)[0]
            session_res = smb_res[0]
            
            result = kerberos.authGSSClientStep(context, session_res.security_buffer)

            if bind and result == 0:
                # Need to verify intermediate signatures
                smb_res.verify(self.signing_digest(), self._binding_key)

        result = kerberos.authGSSClientSessionKey(context)
        session_key = kerberos.authGSSClientResponse(context)[:16]

        if self.negotiate_response.dialect_revision >= 0x300:
            signing_key = digest.derive_key(session_key, 'SMB2AESCMAC', 'SmbSign')[:16]
        else:
            signing_key = session_key

        # Verify final signature
        smb_res.verify(self.signing_digest(), signing_key)

        if bind:
            self._binding = None
            self._binding_key = None
            session = bind
        else:
            session = Session(self.client, smb_res.session_id, session_key)

        return session.addchannel(self, signing_key)