def check_reply_verf(self, msg, call_cred, data):
if msg.stat != MSG_ACCEPTED:
return
verf = msg.rbody.areply.verf
if msg.rbody.areply.reply_data.stat != SUCCESS:
if not self.is_NULL(verf):
raise SecError("Bad reply verifier - expected NULL verifier")
elif call_cred.body.gss_proc in (RPCSEC_GSS_INIT, RPCSEC_GSS_CONTINUE_INIT):
# The painful case - we need to check against reply data
p = GSSUnpacker(data)
try:
res = p.unpack_rpc_gss_init_res()
p.done()
except:
log_gss.warn("Failure unpacking gss_init_res")
raise SecError("Failure unpacking gss_init_res")
if self.is_NULL(verf):
if res.gss_major == GSS_S_COMPLETE:
raise SecError("Expected seq_window, got NULL")
else:
if res.gss_major != GSS_S_COMPLETE:
raise SecError("Expected NULL")
# BUG - context establishment is not finished on client
# - so how get context? How run verifyMIC?
# - This seems to be a protocol problem. Just ignore for now
else:
p = Packer()
p.pack_uint(call_cred.body.seq_num)
qop = call_cred.context.verifyMIC(p.get_buffer(), verf.body)
if qop != call_cred.body.qop:
raise SecError("Mismatched qop")
def check_reply_verf(self, msg, call_cred, data):
if msg.stat != MSG_ACCEPTED:
return
verf = msg.rbody.areply.verf
if msg.rbody.areply.reply_data.stat != SUCCESS:
if not self.is_NULL(verf):
raise SecError("Bad reply verifier - expected NULL verifier")
elif call_cred.body.gss_proc in (RPCSEC_GSS_INIT,
RPCSEC_GSS_CONTINUE_INIT):
# The painful case - we need to check against reply data
p = GSSUnpacker(data)
try:
res = p.unpack_rpc_gss_init_res()
p.done()
except:
log_gss.warn("Failure unpacking gss_init_res")
raise SecError("Failure unpacking gss_init_res")
if self.is_NULL(verf):
if res.gss_major == GSS_S_COMPLETE:
raise SecError("Expected seq_window, got NULL")
else:
if res.gss_major != GSS_S_COMPLETE:
raise SecError("Expected NULL")
# BUG - context establishment is not finished on client
# - so how get context? How run verifyMIC?
# - This seems to be a protocol problem. Just ignore for now
else:
p = Packer()
p.pack_uint(call_cred.body.seq_num)
qop = call_cred.context.verifyMIC(p.get_buffer(), verf.body)
if qop != call_cred.body.qop:
raise SecError("Mismatched qop")
def init_cred(self, call, target="nfs@jupiter", source=None, oid=None):
# STUB - need intelligent way to set defaults
good_major = [gssapi.GSS_S_COMPLETE, gssapi.GSS_S_CONTINUE_NEEDED]
p = Packer()
up = GSSUnpacker('')
# Set target (of form nfs@SERVER)
target = gssapi.Name(target, gssapi.NT_HOSTBASED_SERVICE)
# Set source (of form USERNAME)
if source is not None:
source = gssapi.Name(source, gssapi.NT_USER_NAME)
gss_cred = gssapi.Credential(gssapi.INITIATE, source.ptr) # XXX
else:
# Just use default cred
gss_cred = None
context = gssapi.Context()
token = None
handle = ''
proc = RPCSEC_GSS_INIT
while True:
# Call initSecContext. If it returns COMPLETE, we are done.
# If it returns CONTINUE_NEEDED, we must send d['token']
# to the target, which will run it through acceptSecContext,
# and give us back a token we need to send through initSecContext.
# Repeat as necessary.
token = context.init(target, token, gss_cred)
if context.open:
# XXX if res.major == CONTINUE there is a bug in library code
# STUB - now what? Just use context?
# XXX need to use res.seq_window
# XXX - what if handle still '' ?
self._add_context(context, handle)
break
# Send token to target using protocol of RFC 2203 sect 5.2.2
credinfo = CredInfo(self, context=handle,
gss_proc=proc)
proc = RPCSEC_GSS_CONTINUE_INIT
p.reset()
p.pack_opaque(token)
header, reply = call(p.get_buffer(), credinfo)
up.reset(reply)
res = up.unpack_rpc_gss_init_res()
up.done()
# res now holds relevent output from target's acceptSecContext call
if res.gss_major not in good_major:
raise gssapi.Error(res.gss_major, res.gss_minor)
handle = res.handle # Should not change between calls
token = res.gss_token # This needs to be sent to initSecContext
return CredInfo(self, context=handle)
def init_cred(self, call, target="nfs@jupiter", source=None, oid=None):
# STUB - need intelligent way to set defaults
good_major = [gssapi.GSS_S_COMPLETE, gssapi.GSS_S_CONTINUE_NEEDED]
p = Packer()
up = GSSUnpacker('')
# Set target (of form nfs@SERVER)
target = gssapi.Name(target, gssapi.NT_HOSTBASED_SERVICE)
# Set source (of form USERNAME)
if source is not None:
source = gssapi.Name(source, gssapi.NT_USER_NAME)
gss_cred = gssapi.Credential(gssapi.INITIATE, source.ptr) # XXX
else:
# Just use default cred
gss_cred = None
context = gssapi.Context()
token = None
handle = ''
proc = RPCSEC_GSS_INIT
while True:
# Call initSecContext. If it returns COMPLETE, we are done.
# If it returns CONTINUE_NEEDED, we must send d['token']
# to the target, which will run it through acceptSecContext,
# and give us back a token we need to send through initSecContext.
# Repeat as necessary.
token = context.init(target, token, gss_cred)
if context.open:
# XXX if res.major == CONTINUE there is a bug in library code
# STUB - now what? Just use context?
# XXX need to use res.seq_window
# XXX - what if handle still '' ?
self._add_context(context, handle)
break
# Send token to target using protocol of RFC 2203 sect 5.2.2
credinfo = CredInfo(self, context=handle, gss_proc=proc)
proc = RPCSEC_GSS_CONTINUE_INIT
p.reset()
p.pack_opaque(token)
header, reply = call(p.get_buffer(), credinfo)
up.reset(reply)
res = up.unpack_rpc_gss_init_res()
up.done()
# res now holds relevent output from target's acceptSecContext call
if res.gss_major not in good_major:
raise gssapi.Error(res.gss_major, res.gss_minor)
handle = res.handle # Should not change between calls
token = res.gss_token # This needs to be sent to initSecContext
return CredInfo(self, context=handle)
