def _test_hmac_auth(self, mod_name, password, **kwargs): for test_password in (password, "somethingelse"): a = self._init_auth(mod_name, **kwargs) assert a.requires_challenge() assert a.get_passwords() salt, mac = a.get_challenge( [x for x in get_digests() if x.startswith("hmac")]) assert salt assert mac.startswith("hmac"), "invalid mac: %s" % mac client_salt = strtobytes(uuid.uuid4().hex + uuid.uuid4().hex) salt_digest = a.choose_salt_digest(get_digests()) auth_salt = strtobytes(gendigest(salt_digest, client_salt, salt)) digestmod = get_digest_module(mac) verify = hmac.HMAC(strtobytes(test_password), auth_salt, digestmod=digestmod).hexdigest() passed = a.authenticate(verify, client_salt) assert passed == ( test_password == password ), "expected authentication to %s with %s vs %s" % ([ "fail", "succeed" ][test_password == password], test_password, password) assert not a.authenticate( verify, client_salt ), "should not be able to athenticate again with the same values"
def main(argv): #pylint: disable=import-outside-toplevel from xpra.platform import program_context with program_context("Kerberos-Token-Auth", "Kerberos Token Authentication"): if len(argv) != 3: sys.stderr.write("%s invalid arguments\n" % argv[0]) sys.stderr.write("usage: %s username token\n" % argv[0]) return 1 username = argv[1] token = argv[2] kwargs = {"username": username} a = Authenticator(**kwargs) server_salt, digest = a.get_challenge(["xor"]) salt_digest = a.choose_salt_digest(get_digests()) assert digest == "xor" client_salt = get_salt(len(server_salt)) combined_salt = gendigest(salt_digest, client_salt, server_salt) response = xor(token, combined_salt) caps = typedict({ "challenge_response": response, "challenge_client_salt": client_salt, }) a.authenticate(caps) return 0
def main(argv): from xpra.util import xor from xpra.net.digest import get_salt, get_digests, gendigest from xpra.platform import program_context with program_context("LDAP-Password-Auth", "LDAP-Password-Authentication"): for x in list(argv): if x in ("-v", "--verbose"): enable_debug_for("auth") argv.remove(x) if len(argv) not in (3,4,5,6,7): sys.stderr.write("%s invalid arguments\n" % argv[0]) sys.stderr.write("usage: %s username password [host] [port] [tls] [username_format]\n" % argv[0]) return 1 username = argv[1] password = argv[2] kwargs = {} if len(argv)>=4: kwargs["host"] = argv[3] if len(argv)>=5: kwargs["port"] = argv[4] if len(argv)>=6: kwargs["tls"] = argv[5] if len(argv)>=7: kwargs["username_format"] = argv[6] a = Authenticator(username, **kwargs) server_salt, digest = a.get_challenge(["xor"]) salt_digest = a.choose_salt_digest(get_digests()) assert digest=="xor" client_salt = get_salt(len(server_salt)) combined_salt = gendigest(salt_digest, client_salt, server_salt) response = xor(password, combined_salt) r = a.authenticate(response, client_salt) print("success: %s" % r) return int(not r)
def main(argv): #pylint: disable=import-outside-toplevel from xpra.platform import program_context with program_context("GSS-Auth", "GSS-Authentication"): if len(argv) != 3: sys.stderr.write("%s invalid arguments\n" % argv[0]) sys.stderr.write("usage: %s username token\n" % argv[0]) return 1 username = argv[1] token = argv[2] kwargs = {"username": username} a = Authenticator(**kwargs) server_salt, digest = a.get_challenge(["gss"]) salt_digest = a.choose_salt_digest(get_digests()) assert digest.startswith("gss:"), "unexpected digest %r" % digest client_salt = get_salt(len(server_salt)) combined_salt = gendigest(salt_digest, client_salt, server_salt) response = gendigest(digest, token, combined_salt) caps = typedict({ "challenge_response": response, "challenge_client_salt": client_salt, }) r = a.authenticate(caps) print("success: %s" % bool(r)) return r
def main(argv): from xpra.platform import program_context with program_context("Kerberos-Password-Auth", "Kerberos-Password-Authentication"): if len(argv) not in (3, 4, 5): sys.stderr.write("%s invalid arguments\n" % argv[0]) sys.stderr.write( "usage: %s username password [service [realm]]\n" % argv[0]) return 1 username = argv[1] password = argv[2] kwargs = {"username": username} if len(argv) >= 4: kwargs["service"] = argv[3] if len(argv) == 5: kwargs["realm"] = argv[4] a = Authenticator(**kwargs) server_salt, digest = a.get_challenge(["xor"]) salt_digest = a.choose_salt_digest(get_digests()) assert digest == "xor" client_salt = get_salt(len(server_salt)) combined_salt = gendigest(salt_digest, client_salt, server_salt) response = xor(password, combined_salt) caps = typedict({ "challenge_response": response, "challenge_client_salt": client_salt, }) a.authenticate(caps) return 0
def test_allow(self): a = self._init_auth("allow") assert a.requires_challenge() assert a.get_challenge(get_digests()) assert not a.get_passwords() for x in (None, "bar"): assert a.authenticate(x, "") assert a.authenticate("", x)
def test_none(self): a = self._init_auth("none") assert not a.requires_challenge() assert a.get_challenge(get_digests()) is None assert not a.get_password() for x in (None, "bar"): assert self.capsauth(a, x, "") assert self.capsauth(a, "", x)
def test_reject(self): a = self._init_auth("reject") assert a.requires_challenge() c, mac = a.get_challenge(get_digests()) assert c and mac assert not a.get_sessions() assert not a.get_passwords() for x in (None, "bar"): assert not a.authenticate(x, c) assert not a.authenticate(x, x)
def _test_file_auth(self, mod_name, genauthdata, display_count=0): #no file, no go: a = self._init_auth(mod_name) assert a.requires_challenge() p = a.get_passwords() assert not p, "got passwords from %s: %s" % (a, p) #challenge twice is a fail assert a.get_challenge(get_digests()) assert not a.get_challenge(get_digests()) assert not a.get_challenge(get_digests()) for muck in (0, 1): with TempFileContext(prefix=mod_name) as context: f = context.file filename = context.filename with f: a = self._init_auth(mod_name, filename=filename) password, filedata = genauthdata(a) #print("saving password file data='%s' to '%s'" % (filedata, filename)) f.write(strtobytes(filedata)) f.flush() assert a.requires_challenge() salt, mac = a.get_challenge(get_digests()) assert salt assert mac in get_digests() assert mac != "xor" password = strtobytes(password) client_salt = strtobytes(uuid.uuid4().hex + uuid.uuid4().hex)[:len(salt)] salt_digest = a.choose_salt_digest(get_digests()) assert salt_digest auth_salt = strtobytes( gendigest(salt_digest, client_salt, salt)) if muck == 0: digestmod = get_digest_module(mac) verify = hmac.HMAC(password, auth_salt, digestmod=digestmod).hexdigest() assert a.authenticate( verify, client_salt), "%s failed" % a.authenticate if display_count > 0: sessions = a.get_sessions() assert len(sessions) >= 3 displays = sessions[2] assert len( displays ) == display_count, "expected %i displays but got %i : %s" % ( display_count, len(sessions), sessions) assert not a.authenticate( verify, client_salt), "authenticated twice!" passwords = a.get_passwords() assert len( passwords ) == 1, "expected just one password in file, got %i" % len( passwords) assert password in passwords elif muck == 1: for verify in ("whatever", None, "bad"): assert not a.authenticate(verify, client_salt) return a
def test_all_digests(self): for digest in get_digests(): if digest.startswith("hmac"): m = get_digest_module(digest) assert m is not None, "digest module not found for '%s'" % digest salt = get_salt(32) password = "******" d = gendigest(digest, password, salt) assert d is not None assert not verify_digest(digest, None, salt, d) assert not verify_digest(digest, password, None, d) assert not verify_digest(digest, password, salt, None) assert not verify_digest(digest, password, salt, d[:-1]) assert verify_digest(digest, password, salt, d)
def test_reject(self): a = self._init_auth("reject") assert a.requires_challenge() c, mac = a.get_challenge(get_digests()) assert a.get_uid() == -1 assert a.get_gid() == -1 assert a.get_password() is None assert c and mac assert not a.get_sessions() assert not a.get_passwords() assert a.choose_salt_digest("xor") == "xor" for x in (None, "bar"): assert not self.capsauth(a, x, c) assert not self.capsauth(a, x, x)
def _test_module(self, module): a = self._init_auth(module) assert a if a.requires_challenge(): challenge = a.get_challenge(get_digests()) assert challenge a = self._init_auth(module) assert a if a.requires_challenge(): try: challenge = a.get_challenge(["invalid-digest"]) except Exception: pass else: assert challenge is None
def get_network_caps() -> dict: from xpra.net.digest import get_digests from xpra.net.crypto import get_crypto_caps from xpra.net.compression import get_enabled_compressors, get_compression_caps from xpra.net.packet_encoding import get_enabled_encoders, get_packet_encoding_caps digests = get_digests() #"hmac" is the legacy name, "xor" and "des" should not be used for salt: salt_digests = tuple(x for x in digests if x not in ("hmac", "xor", "des")) caps = { "digest": digests, "salt-digest": salt_digests, "compressors": get_enabled_compressors(), "encoders": get_enabled_encoders(), } caps.update(get_crypto_caps()) caps.update(get_compression_caps()) caps.update(get_packet_encoding_caps()) return caps
def main(argv): from xpra.platform import program_context with program_context("GSS-Auth", "GSS-Authentication"): if len(argv) != 3: sys.stderr.write("%s invalid arguments\n" % argv[0]) sys.stderr.write("usage: %s username token\n" % argv[0]) return 1 username = argv[1] token = argv[2] kwargs = {} a = Authenticator(username, **kwargs) server_salt, digest = a.get_challenge(["xor"]) salt_digest = a.choose_salt_digest(get_digests()) assert digest == "xor" client_salt = get_salt(len(server_salt)) combined_salt = gendigest(salt_digest, client_salt, server_salt) response = xor(token, combined_salt) a.authenticate(response, client_salt) return 0
def main(argv): #pylint: disable=import-outside-toplevel from xpra.net.digest import get_salt, get_digests, gendigest from xpra.platform import program_context with program_context("LDAP-Password-Auth", "LDAP-Password-Authentication"): for x in list(argv): if x in ("-v", "--verbose"): enable_debug_for("auth") argv.remove(x) if len(argv) not in (3, 4, 5, 6, 7): sys.stderr.write("%s invalid arguments\n" % argv[0]) sys.stderr.write( "usage: %s username password [host] [port] [tls] [username_format]\n" % argv[0]) return 1 username = argv[1] password = argv[2] kwargs = {"username": username} if len(argv) >= 4: kwargs["host"] = argv[3] if len(argv) >= 5: kwargs["port"] = argv[4] if len(argv) >= 6: kwargs["tls"] = argv[5] if len(argv) >= 7: kwargs["username_format"] = argv[6] a = Authenticator(**kwargs) server_salt, digest = a.get_challenge(["xor"]) salt_digest = a.choose_salt_digest(get_digests()) assert digest == "xor" client_salt = get_salt(len(server_salt)) combined_salt = gendigest(salt_digest, client_salt, server_salt) assert digest == "xor" response = gendigest(digest, password, combined_salt) caps = typedict({ "challenge_response": response, "challenge_client_salt": client_salt, }) r = a.authenticate(caps) print("success: %s" % bool(r)) return int(not r)
def get_network_caps(): try: from xpra.platform.features import MMAP_SUPPORTED except: MMAP_SUPPORTED = False from xpra.net.digest import get_digests from xpra.net.crypto import get_crypto_caps from xpra.net.compression import get_enabled_compressors, get_compression_caps from xpra.net.packet_encoding import get_enabled_encoders, get_packet_encoding_caps digests = get_digests() #"hmac" is the legacy name, "xor" and "des" should not be used for salt: salt_digests = [x for x in digests if x not in ("hmac", "xor", "des")] caps = { "digest" : digests, "salt-digest" : salt_digests, "compressors" : get_enabled_compressors(), "encoders" : get_enabled_encoders(), "mmap" : MMAP_SUPPORTED, } caps.update(get_crypto_caps()) caps.update(get_compression_caps()) caps.update(get_packet_encoding_caps()) return caps