Пример #1
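 def check_reply_verf(self, msg, call_cred, data):
     """Check the verifier of an RPCSEC_GSS reply against the call credential.

     Args:
         msg: Decoded reply message; only accepted replies are examined.
         call_cred: Credential that was sent with the call. Its body supplies
             gss_proc, seq_num and qop; its context supplies verifyMIC.
         data: Raw reply body, parsed only for context-establishment replies.

     Raises:
         SecError: The verifier is not what this kind of reply requires.
     """
     if msg.stat != MSG_ACCEPTED:
         # Replies that were not accepted are not checked here.
         return
     verf = msg.rbody.areply.verf
     if msg.rbody.areply.reply_data.stat != SUCCESS:
         # An accepted reply whose call failed must carry the NULL verifier.
         if not self.is_NULL(verf):
             raise SecError("Bad reply verifier - expected NULL verifier")
     elif call_cred.body.gss_proc in (RPCSEC_GSS_INIT, RPCSEC_GSS_CONTINUE_INIT):
         # The painful case - we need to check against reply data
         p = GSSUnpacker(data)
         try:
             res = p.unpack_rpc_gss_init_res()
             p.done()
         except Exception:
             # Narrowed from a bare ``except:`` so that KeyboardInterrupt and
             # SystemExit are no longer rewritten into a SecError.
             log_gss.warn("Failure unpacking gss_init_res")
             raise SecError("Failure unpacking gss_init_res")
         if self.is_NULL(verf):
             # A NULL verifier is only tolerated while establishment is still
             # in progress or has failed.
             if res.gss_major == GSS_S_COMPLETE:
                 raise SecError("Expected seq_window, got NULL")
         else:
             if res.gss_major != GSS_S_COMPLETE:
                 raise SecError("Expected NULL")
             # BUG - context establishment is not finished on client
             # - so how get context?  How run verifyMIC?
             # - This seems to be a protocol problem.  Just ignore for now
             # SECURITY: as a consequence the non-NULL verifier on a completed
             # init reply is accepted without any verifyMIC call, so this
             # method does not integrity-check that reply. Per the error text
             # above, the verifier is expected to cover seq_window.
     else:
         # Data replies: the verifier must be a MIC over the call's seq_num.
         p = Packer()
         p.pack_uint(call_cred.body.seq_num)
         # NOTE(review): only the returned qop is compared here; verifyMIC is
         # presumably expected to raise on a bad MIC - confirm.
         qop = call_cred.context.verifyMIC(p.get_buffer(), verf.body)
         if qop != call_cred.body.qop:
             raise SecError("Mismatched qop")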
Пример #2
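 def check_reply_verf(self, msg, call_cred, data):
     """Validate a reply's verifier for the RPCSEC_GSS call it answers.

     Three cases are distinguished: an accepted reply to a failed call, a
     reply to a context-establishment call, and a reply to any other call.

     Args:
         msg: Decoded reply message.
         call_cred: Credential of the original call (gss_proc, seq_num, qop
             in its body, plus the GSS context used for verifyMIC).
         data: Raw reply body; unpacked only in the context-establishment case.

     Raises:
         SecError: The verifier does not fit the reply.
     """
     if msg.stat != MSG_ACCEPTED:
         # No verifier check is done unless the reply was accepted.
         return
     verf = msg.rbody.areply.verf
     if msg.rbody.areply.reply_data.stat != SUCCESS:
         # Failed call: anything other than the NULL verifier is rejected.
         if not self.is_NULL(verf):
             raise SecError("Bad reply verifier - expected NULL verifier")
     elif call_cred.body.gss_proc in (RPCSEC_GSS_INIT,
                                      RPCSEC_GSS_CONTINUE_INIT):
         # The painful case - we need to check against reply data
         p = GSSUnpacker(data)
         try:
             res = p.unpack_rpc_gss_init_res()
             p.done()
         except Exception:
             # Was a bare ``except:``; Exception keeps KeyboardInterrupt and
             # SystemExit from being turned into a SecError.
             log_gss.warn("Failure unpacking gss_init_res")
             raise SecError("Failure unpacking gss_init_res")
         if self.is_NULL(verf):
             # NULL verifier plus GSS_S_COMPLETE is inconsistent.
             if res.gss_major == GSS_S_COMPLETE:
                 raise SecError("Expected seq_window, got NULL")
         else:
             if res.gss_major != GSS_S_COMPLETE:
                 raise SecError("Expected NULL")
             # BUG - context establishment is not finished on client
             # - so how get context?  How run verifyMIC?
             # - This seems to be a protocol problem.  Just ignore for now
             # SECURITY: the verifier on a completed init reply is therefore
             # never passed to verifyMIC; its presence is checked, its
             # contents are not.
     else:
         # Ordinary reply: verify the MIC over the packed call seq_num.
         p = Packer()
         p.pack_uint(call_cred.body.seq_num)
         # NOTE(review): MIC failure handling lives inside verifyMIC and is
         # not visible here; this method only compares the resulting qop.
         qop = call_cred.context.verifyMIC(p.get_buffer(), verf.body)
         if qop != call_cred.body.qop:
             raise SecError("Mismatched qop")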
Пример #3
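 def handle_gss_init(self, cred, data, first):
     """Process one RPCSEC_GSS context-establishment call on the server side.

     Args:
         cred: Call credential; cred.body.handle names the context on
             continuation calls and is filled in here on the first call.
         data: Call body, expected to hold exactly one opaque GSS token.
         first: True for the initial call, False for a continuation.

     Raises:
         rpclib.RPCSuccessfulReply: Always, on normal completion; it carries
             the reply verifier and the packed rpc_gss_init_res.
     """
     p = GSSUnpacker(data)
     token = p.unpack_opaque()
     p.done()
     log_gss.debug("***ACCEPTSECCONTEXT***")
     if first:
         context = gssapi.Context()
     else:
         # NOTE(review): the handle is taken from the caller's credential;
         # how _get_context treats an unknown handle is not visible here.
         context = self._get_context(cred.body.handle)
     try:
         token = context.accept(token)
     except gssapi.Error as e:
         # NOTE(review): a failed context establishment is only logged at
         # debug level, so it may not show up in default logs.
         log_gss.debug("RPCSEC_GSS_INIT failed (%s, %i)!" %
                       (e.name, e.minor))
         res = rpc_gss_init_res('', e.major, e.minor, 0, '')
         # Fix: `major` was left unbound on this path, so the
         # make_reply_verf call below raised UnboundLocalError instead of
         # returning the error reply built above.
         # NOTE(review): assumes make_reply_verf accepts a failing major
         # status - confirm.
         major = e.major
     else:
         log_gss.debug("RPCSEC_GSS_*INIT succeeded!")
         if first:
             handle = self._add_context(context)
             # XXX HACK - this ensures make_reply_verf works, but
             # is a subtle side-effect that could introduce bugs if code
             # is ever reorganized.  Currently cred is forgotten once
             # we leave here though.
             cred.body.rpc_gss_cred_vers_1_t.handle = handle
         else:
             handle = cred.body.handle
         # An open context means establishment is complete; otherwise the
         # client has to send another token.
         if context.open:
             major = gssapi.GSS_S_COMPLETE
         else:
             major = gssapi.GSS_S_CONTINUE_NEEDED
         res = rpc_gss_init_res(
             handle,
             major,
             0,  # XXX can't see minor
             WINDOWSIZE,
             token)
     # Prepare response
     p = GSSPacker()
     p.pack_rpc_gss_init_res(res)
     # NOTE this is an annoying case for make_reply_verf.
     # It is the only time that you need msg_data to feed into it.
     verf = self.make_reply_verf(cred, major)
     raise rpclib.RPCSuccessfulReply(verf, p.get_buffer())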
Пример #4
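 def handle_gss_init(self, cred, data, first):
     """Handle an RPCSEC_GSS_INIT or continuation call and reply with the result.

     The client token is unpacked from ``data``, fed to the GSS context's
     accept(), and the outcome is packed into an rpc_gss_init_res.

     Args:
         cred: Call credential. On the first call its handle is set here as a
             side effect; on later calls cred.body.handle selects the context.
         data: Call body holding a single opaque GSS token.
         first: Whether this is the first call of the exchange.

     Raises:
         rpclib.RPCSuccessfulReply: Raised to deliver the reply verifier and
             packed result, for both successful and failed accepts.
     """
     p = GSSUnpacker(data)
     token = p.unpack_opaque()
     p.done()
     log_gss.debug("***ACCEPTSECCONTEXT***")
     if first:
         context = gssapi.Context()
     else:
         # NOTE(review): client-supplied handle; rejection of unknown or
         # stale handles is left to _get_context, which is not shown here.
         context = self._get_context(cred.body.handle)
     try:
         token = context.accept(token)
     except gssapi.Error as e:
         log_gss.debug("RPCSEC_GSS_INIT failed (%s, %i)!" %
                       (e.name, e.minor))
         res = rpc_gss_init_res('', e.major, e.minor, 0, '')
         # Fix: bind `major` on the failure path too. Without it the
         # make_reply_verf call at the end hit UnboundLocalError and the
         # error result above was never sent.
         # NOTE(review): presumes make_reply_verf copes with an error
         # major status - verify against its implementation.
         major = e.major
     else:
         log_gss.debug("RPCSEC_GSS_*INIT succeeded!")
         if first:
             handle = self._add_context(context)
             # XXX HACK - this ensures make_reply_verf works, but
             # is a subtle side-effect that could introduce bugs if code
             # is ever reorganized.  Currently cred is forgotten once
             # we leave here though.
             cred.body.rpc_gss_cred_vers_1_t.handle = handle
         else:
             handle = cred.body.handle
         # context.open distinguishes a finished exchange from one that
         # needs a further token from the client.
         if context.open:
             major = gssapi.GSS_S_COMPLETE
         else:
             major = gssapi.GSS_S_CONTINUE_NEEDED
         res = rpc_gss_init_res(handle, major, 0, # XXX can't see minor
                                WINDOWSIZE, token)
     # Prepare response
     p = GSSPacker()
     p.pack_rpc_gss_init_res(res)
     # NOTE this is an annoying case for make_reply_verf.
     # It is the only time that you need msg_data to feed into it.
     verf = self.make_reply_verf(cred, major)
     raise rpclib.RPCSuccessfulReply(verf, p.get_buffer())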