def authenticate_hmac(self, challenge_response, client_salt=None):
log("authenticate_hmac(%r, %r)", challenge_response, client_salt)
self.sessions = None
if not self.salt:
log.error(
"Error: illegal challenge response received - salt cleared or unset"
)
return None
#ensure this salt does not get re-used:
salt = self.get_response_salt(client_salt)
entry = self.get_auth_info()
if entry is None:
log.warn("Warning: authentication failed")
log.warn(" no password for '%s' in '%s'", self.username,
self.password_filename)
return None
log("authenticate: auth-info(%s)=%s", self.username, entry)
fpassword, uid, gid, displays, env_options, session_options = entry
log("multifile authenticate_hmac password='******', hex(salt)=%s",
fpassword, hexstr(salt))
if not verify_digest(self.digest, fpassword, salt, challenge_response):
log.warn("Warning: %s challenge for '%s' does not match",
self.digest, self.username)
return False
self.sessions = uid, gid, displays, env_options, session_options
return True
def getuid(v):
try:
return int(v)
except:
log("uid '%s' is not an int", v)
if os.name=="posix":
try:
import pwd
return pwd.getpwnam(v or "nobody").pw_uid
except Exception as e:
log.error("Error: cannot find uid of '%s': %s", v, e)
return os.getuid()
return -1
def getgid(v):
try:
return int(v)
except:
log("gid '%s' is not an int", v)
if os.name=="posix":
try:
import grp #@UnresolvedImport
return grp.getgrnam(v or "nobody").gr_gid
except Exception as e:
log.error("Error: cannot find gid of '%s': %s", v, e)
return os.getgid()
return -1
def getgid(v):
try:
return int(v)
except:
log("gid '%s' is not an int", v)
if os.name == "posix":
try:
import grp #@UnresolvedImport
return grp.getgrnam(v or "nobody").gr_gid
except Exception as e:
log.error("Error: cannot find gid of '%s': %s", v, e)
return os.getgid()
return -1
def getuid(v):
try:
return int(v)
except:
log("uid '%s' is not an int", v)
if os.name == "posix":
try:
import pwd
return pwd.getpwnam(v or "nobody").pw_uid
except Exception as e:
log.error("Error: cannot find uid of '%s': %s", v, e)
return os.getuid()
return -1
def parse_filedata(self, data):
if not data:
return {}
auth_data = {}
i = 0
for line in data.splitlines():
i += 1
line = line.strip()
log("line %s: %s", i, line)
if not line or line.startswith(b"#"):
continue
try:
v = parse_auth_line(line)
if v:
username, password, uid, gid, displays, env_options, session_options = v
if username in auth_data:
log.error("Error: duplicate entry for username '%s' in '%s'", username, self.password_filename)
else:
auth_data[username] = password, uid, gid, displays, env_options, session_options
except Exception as e:
log("parsing error", exc_info=True)
log.error("Error parsing password file '%s' at line %i:", self.password_filename, i)
log.error(" '%s'", bytestostr(line))
log.error(" %s", e)
continue
log("parsed auth data from file %s: %s", self.password_filename, auth_data)
return auth_data
def authenticate_hmac(self, challenge_response, client_salt):
log("authenticate_hmac(%s, %s)", challenge_response, client_salt)
self.sessions = None
if not self.salt:
log.error(
"Error: illegal challenge response received - salt cleared or unset"
)
return None
#ensure this salt does not get re-used:
salt = self.get_response_salt(client_salt)
entry = self.get_auth_info()
if entry is None:
log.error("Error: authentication failed")
log.error(" no password for '%s' in '%s'", self.username,
self.password_filename)
return None
log("authenticate: auth-info(%s)=%s", self.username, entry)
fpassword, uid, gid, displays, env_options, session_options = entry
digestmod = get_digest_module(self.digest)
verify = hmac.HMAC(strtobytes(fpassword),
strtobytes(salt),
digestmod=digestmod).hexdigest()
log(
"multifile authenticate_hmac(%s) password='******', hex(salt)=%s, hash=%s",
challenge_response, fpassword, binascii.hexlify(strtobytes(salt)),
verify)
if not hmac.compare_digest(verify, challenge_response):
log("expected '%s' but got '%s'", verify, challenge_response)
log.error("Error: hmac password challenge for '%s' does not match",
self.username)
return False
self.sessions = uid, gid, displays, env_options, session_options
return True
def parse_filedata(self, data):
global socket_dir, socket_dirs
if not data:
return {}
auth_data = {}
i = 0
for line in data.splitlines():
i += 1
line = line.strip()
log("line %s: %s", i, line)
if len(line)==0 or line.startswith(b"#"):
continue
try:
v = parse_auth_line(line)
if v:
username, password, uid, gid, displays, env_options, session_options = v
if username in auth_data:
log.error("Error: duplicate entry for username '%s' in '%s'", username, self.password_filename)
else:
auth_data[username] = password, uid, gid, displays, env_options, session_options
except Exception as e:
log("parsing error", exc_info=True)
log.error("Error parsing password file '%s' at line %i:", self.password_filename, i)
log.error(" '%s'", line)
log.error(" %s", e)
continue
log("parsed auth data from file %s: %s", self.password_filename, auth_data)
return auth_data
def authenticate_hmac(self, challenge_response, client_salt):
self.sessions = None
if not self.salt:
log.error("Error: illegal challenge response received - salt cleared or unset")
return None
#ensure this salt does not get re-used:
if client_salt is None:
salt = self.salt
else:
salt = xor(self.salt, client_salt)
self.salt = None
entry = self.get_auth_info()
log("authenticate(%s) auth-info=%s", self.username, entry)
if entry is None:
log.error("Error: authentication failed")
log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
return None
fpassword, uid, gid, displays, env_options, session_options = entry
verify = hmac.HMAC(strtobytes(fpassword), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
log("authenticate(%s) password='******', hex(salt)=%s, hash=%s", challenge_response, fpassword, binascii.hexlify(strtobytes(salt)), verify)
if not hmac.compare_digest(verify, challenge_response):
log("expected '%s' but got '%s'", verify, challenge_response)
log.error("Error: hmac password challenge for '%s' does not match", self.username)
return False
self.sessions = uid, gid, displays, env_options, session_options
return True
def authenticate(self, challenge_response, client_salt):
if not self.salt:
log.error("Error: illegal challenge response received - salt cleared or unset")
return None
#ensure this salt does not get re-used:
if client_salt is None:
salt = self.salt
else:
salt = xor(self.salt, client_salt)
self.salt = None
password = self.get_password()
if not password:
log.error("Error: authentication failed")
log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
return False
verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
log("authenticate(%s) password='******', hex(salt)=%s, hash=%s", challenge_response, nonl(password), binascii.hexlify(strtobytes(salt)), verify)
if hasattr(hmac, "compare_digest"):
eq = hmac.compare_digest(verify, challenge_response)
else:
eq = verify==challenge_response
if not eq:
log("expected '%s' but got '%s'", verify, challenge_response)
log.error("Error: hmac password challenge for '%s' does not match", self.username)
return False
return True
def authenticate_hmac(self, challenge_response, client_salt=None):
if not self.salt:
log.error("Error: illegal challenge response received - salt cleared or unset")
return None
salt = self.get_response_salt(client_salt)
password = self.get_password()
log("authenticate_hmac() get_password()=%s", obsc(password))
if not password:
log.warn("Warning: authentication failed")
log.warn(" no password for '%s' in '%s'", self.username, self.password_filename)
return False
if not verify_digest(self.digest, password, salt, challenge_response):
log.warn("Warning: %s challenge for '%s' does not match", self.digest, self.username)
return False
return True
def authenticate(self, challenge_response, client_salt):
if not self.salt:
log.error(
"Error: illegal challenge response received - salt cleared or unset"
)
return None
salt = self.get_response_salt(client_salt)
password = self.get_password()
if not password:
log.error("Error: authentication failed")
log.error(" no password for '%s' in '%s'", self.username,
self.password_filename)
return False
if not self.verify_hmac_md5(password, salt):
log("expected '%s' but got '%s'", verify, challenge_response)
log.error("Error: hmac password challenge for '%s' does not match",
self.username)
return False
return True
def authenticate(self, challenge_response, client_salt):
if not self.salt:
log.error("Error: illegal challenge response received - salt cleared or unset")
return None
#ensure this salt does not get re-used:
if client_salt is None:
salt = self.salt
else:
salt = xor(self.salt, client_salt)
self.salt = None
password = self.get_password()
if not password:
log.error("Error: authentication failed")
log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
return False
verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
log("authenticate(%s) password='******', hex(salt)=%s, hash=%s", challenge_response, nonl(password), binascii.hexlify(strtobytes(salt)), verify)
if not hmac.compare_digest(verify, challenge_response):
log("expected '%s' but got '%s'", verify, challenge_response)
log.error("Error: hmac password challenge for '%s' does not match", self.username)
return False
return True
def authenticate_hmac(self, challenge_response, client_salt):
self.sessions = None
if not self.salt:
log.error(
"Error: illegal challenge response received - salt cleared or unset"
)
return None
#ensure this salt does not get re-used:
if client_salt is None:
salt = self.salt
else:
salt = xor(self.salt, client_salt)
self.salt = None
entry = self.get_auth_info()
log("authenticate(%s) auth-info=%s", self.username, entry)
if entry is None:
log.error("Error: authentication failed")
log.error(" no password for '%s' in '%s'", self.username,
self.password_filename)
return None
fpassword, uid, gid, displays, env_options, session_options = entry
verify = hmac.HMAC(strtobytes(fpassword),
strtobytes(salt),
digestmod=hashlib.md5).hexdigest()
log("authenticate(%s) password='******', hex(salt)=%s, hash=%s",
challenge_response, fpassword, binascii.hexlify(strtobytes(salt)),
verify)
if hasattr(hmac, "compare_digest"):
eq = hmac.compare_digest(verify, challenge_response)
else:
eq = verify == challenge_response
if not eq:
log("expected '%s' but got '%s'", verify, challenge_response)
log.error("Error: hmac password challenge for '%s' does not match",
self.username)
return False
self.sessions = uid, gid, displays, env_options, session_options
return True
def authenticate_hmac(self, challenge_response, client_salt):
self.sessions = None
if not self.salt:
log.error(
"Error: illegal challenge response received - salt cleared or unset"
)
return None
#ensure this salt does not get re-used:
salt = self.get_response_salt(client_salt)
entry = self.get_auth_info()
log("authenticate(%s) auth-info=%s", self.username, entry)
if entry is None:
log.error("Error: authentication failed")
log.error(" no password for '%s' in '%s'", self.username,
self.password_filename)
return None
fpassword, uid, gid, displays, env_options, session_options = entry
if not self.verify_hmac_md5(password, salt):
log("expected '%s' but got '%s'", verify, challenge_response)
log.error("Error: hmac password challenge for '%s' does not match",
self.username)
return False
self.sessions = uid, gid, displays, env_options, session_options
return True
def authenticate_hmac(self, challenge_response, client_salt):
if not self.salt:
log.error("Error: illegal challenge response received - salt cleared or unset")
return None
salt = self.get_response_salt(client_salt)
password = self.get_password()
if not password:
log.error("Error: authentication failed")
log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
return False
digestmod = get_digest_module(self.digest)
if not digestmod:
log.error("Error: %s authentication failed", self)
log.error(" digest module '%s' is invalid", self.digest)
return False
verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=digestmod).hexdigest()
log("file authenticate(%s) password='******', salt=%s, hash=%s", nonl(challenge_response), nonl(password), binascii.hexlify(strtobytes(salt)), verify)
if not hmac.compare_digest(verify, challenge_response):
log("expected '%s' but got '%s'", verify, challenge_response)
log.error("Error: hmac password challenge for '%s' does not match", self.username)
return False
return True
