def challenge(self, challenge):
in_params = dict([part.split('=') for part in challenge.split('&')])
out_params = {'nonce': in_params['nonce']}
out_params = self._fb_client._add_session_args(out_params)
out_params = self._fb_client._build_post_args(in_params['method'], out_params)
import urllib
return Response(urllib.urlencode(out_params))
def challenge(self, challenge):
in_params = dict([part.split('=') for part in challenge.split('&')])
out_params = {'nonce': in_params['nonce']}
out_params = add_session_args(out_params, self._fb_client.session_key)
out_params = build_post_args(in_params['method'], out_params,
self._fb_client.secret)
return Response(urllib.urlencode(out_params))
def challenge(self, challenge):
if self.step == 0:
rc = kerberos.authGSSClientStep(self._gss,
base64.b64encode(challenge))
if rc != kerberos.AUTH_GSS_CONTINUE:
self.step = 1
elif self.step == 1:
rc = kerberos.authGSSClientUnwrap(self._gss,
base64.b64encode(challenge))
response = kerberos.authGSSClientResponse(self._gss)
rc = kerberos.authGSSClientWrap(self._gss, response, self.username)
response = kerberos.authGSSClientResponse(self._gss)
if response is None:
return Response("")
else:
return Response(base64.b64decode(response))
def start(self, username, authzid):
self.username = username
self.authzid = authzid
# TODO: This isn't very XEP-0178'ish.
# XEP-0178 says "=" should be sent when only one id-on-xmppAddr is
# in the cert, but we don't know that. Still, this conforms to the
# standard and works.
return Response(self.authzid, encode=True)
def challenge(self, challenge):
"""Process the challenge and return the response.
:Parameters:
- `challenge`: the challenge.
:Types:
- `challenge`: `str`
:return: the response or a failure indicator.
:returntype: `sasl.Response` or `sasl.Failure`"""
_unused = challenge
if self.finished:
self.__logger.debug("Already authenticated")
return Failure("extra-challenge")
self.finished=1
if self.password is None:
self.password,pformat=self.password_manager.get_password(self.username)
if not self.password or pformat!="plain":
self.__logger.debug("Couldn't retrieve plain password")
return Failure("password-unavailable")
return Response("%s\000%s\000%s" % ( to_utf8(self.authzid),
to_utf8(self.username),
to_utf8(self.password)))
def _final_challenge(self, challenge):
"""Process the second challenge from the server and return the response.
:Parameters:
- `challenge`: the challenge from server.
:Types:
- `challenge`: `str`
:return: the response or a failure indicator.
:returntype: `sasl.Response` or `sasl.Failure`"""
if self.rspauth_checked:
return Failure("extra-challenge")
challenge = challenge.split('\x00')[0]
rspauth = None
while challenge:
m = _param_re.match(challenge)
if not m:
self.__logger.debug("Challenge syntax error: %r" %
(challenge, ))
return Failure("bad-challenge")
challenge = m.group("rest")
var = m.group("var")
val = m.group("val")
self.__logger.debug("%r: %r" % (var, val))
if var == "rspauth":
rspauth = val
if not rspauth:
self.__logger.debug("Final challenge without rspauth")
return Failure("bad-success")
if rspauth == self.response_auth:
self.rspauth_checked = 1
return Response("")
else:
self.__logger.debug("Wrong rspauth value - peer is cheating?")
self.__logger.debug("my rspauth: %r" % (self.response_auth, ))
return Failure("bad-success")
def start(self, username, authzid):
"""Start the authentication process initializing client state.
:Parameters:
- `username`: username (authentication id).
- `authzid`: authorization id.
:Types:
- `username`: `unicode`
- `authzid`: `unicode`
:return: the (empty) initial response
:returntype: `sasl.Response` or `sasl.Failure`"""
self.username = from_utf8(username)
if authzid:
self.authzid = from_utf8(authzid)
else:
self.authzid = ""
self.password = None
self.pformat = None
self.nonce_count = 0
self.response_auth = None
self.rspauth_checked = 0
self.realm = None
return Response()
def start(self, ignored_username, ignored_authzid):
return Response()
def _make_response(self, charset, realms, nonce):
"""Make a response for the first challenge from the server.
:Parameters:
- `charset`: charset name from the challenge.
- `realms`: realms list from the challenge.
- `nonce`: nonce value from the challenge.
:Types:
- `charset`: `str`
- `realms`: `str`
- `nonce`: `str`
:return: the response or a failure indicator.
:returntype: `sasl.Response` or `sasl.Failure`"""
params = []
realm = self._get_realm(realms, charset)
if isinstance(realm, Failure):
return realm
elif realm:
realm = _quote(realm)
params.append('realm="%s"' % (realm, ))
try:
username = self.username.encode(charset)
except UnicodeError:
self.__logger.debug("Couldn't encode username to %r" % (charset, ))
return Failure("incompatible-charset")
username = _quote(username)
params.append('username="******"' % (username, ))
cnonce = self.password_manager.generate_nonce()
cnonce = _quote(cnonce)
params.append('cnonce="%s"' % (cnonce, ))
params.append('nonce="%s"' % (_quote(nonce), ))
self.nonce_count += 1
nonce_count = "%08x" % (self.nonce_count, )
params.append('nc=%s' % (nonce_count, ))
params.append('qop=auth')
serv_type = self.password_manager.get_serv_type().encode("us-ascii")
host = self.password_manager.get_serv_host().encode("idna")
serv_name = self.password_manager.get_serv_name().encode("utf-8")
if serv_name and serv_name != host:
digest_uri = "%s/%s/%s" % (serv_type, host, serv_name)
else:
digest_uri = "%s/%s" % (serv_type, host)
digest_uri = _quote(digest_uri)
params.append('digest-uri="%s"' % (digest_uri, ))
if self.authzid:
try:
authzid = self.authzid.encode(charset)
except UnicodeError:
self.__logger.debug("Couldn't encode authzid to %r" %
(charset, ))
return Failure("incompatible-charset")
authzid = _quote(authzid)
else:
authzid = ""
if self.pformat == "md5:user:realm:pass":
urp_hash = self.password
else:
urp_hash = _make_urp_hash(username, realm, self.password)
response = _compute_response(urp_hash, nonce, cnonce, nonce_count,
authzid, digest_uri)
self.response_auth = _compute_response_auth(urp_hash, nonce, cnonce,
nonce_count, authzid,
digest_uri)
params.append('response=%s' % (response, ))
if authzid:
params.append('authzid="%s"' % (authzid, ))
return Response(",".join(params))
def challenge(self, challenge):
in_params = WebFormData.parse(challenge, utf8=True)
out_params = {'nonce': in_params['nonce'].encode('utf-8')}
out_params = self.api.prepare_call(in_params['method'].encode('utf-8'),
**out_params)
return Response(out_params)
def challenge(self, challenge):
if self.password is None:
self.password, pformat = self.password_manager.get_password(
self.username)
if not self.password or pformat != "plain":
self.__logger.debug("Couldn't retrieve plain password")
return Failure("password-unavailable")
if self.step == 0:
self.step = 1
return Response(''.join(
pstrIlist([to_utf8(self.authzid),
to_utf8(self.username)])))
elif self.step == 1:
self.step = 2
srv_rsa_key = None
self.__logger.critical("loading server certificate")
try:
srv_cert = M2Crypto.X509.load_cert_string(challenge)
if srv_cert is not None:
self.__logger.critical("retrieving server pubkey")
srv_key = srv_cert.get_pubkey()
if srv_key is not None:
self.__logger.critical("retrieving server RSA pubkey")
srv_rsa_key = srv_key.get_rsa()
except Exception:
traceback.print_exc()
if srv_rsa_key is None:
return Failure("bad-server-cert")
if not srv_cert.verify(ROOT_CERT.get_pubkey()):
return Failure("bad-server-cert")
self.srv_rsa_key = srv_rsa_key
self.__logger.critical("generating Nonce")
from M2Crypto import m2
nonce = m2.rand_bytes(16)
self.__logger.critical("encrypting Nonce")
enonce = digsbyrsa.DIGSBY_RSA_public_encrypt(
nonce, srv_rsa_key, M2Crypto.RSA.pkcs1_oaep_padding)
self.__logger.critical("loading key")
try:
self.key = _get_client_key_pem(self.username, self.password)
except Exception:
self.key = None
if self.key is None:
self.__logger.critical("generating new key")
self.key = M2Crypto.RSA.gen_key(2048, 0x10001)
self.__logger.critical("saving new key")
if not self.key.check_key():
raise ValueError("failed to generate key")
try:
_save_client_key_pem(self.key, self.username,
self.password)
except Exception:
traceback.print_exc()
self.__logger.critical("creating buffer")
buff = M2Crypto.BIO.MemoryBuffer()
self.__logger.critical("serializing client public key to buffer")
self.key.save_pub_key_bio(buff)
self.__logger.critical_s("Nonce: %r", nonce)
genkey = buff.getvalue()
self.__logger.critical_s("Key: %r", genkey)
eKey = pstrAES(nonce, genkey)
self.__logger.critical("returning response")
return Response(''.join(pstrIlist([enonce, eKey])))
elif self.step == 2:
self.step = 3
package_nonce_C_userpub, package_C_AES_C_serverpriv = unpackpstrlist(
challenge)
package_nonce = digsbyrsa.DIGSBY_RSA_private_decrypt(
package_nonce_C_userpub, self.key,
M2Crypto.RSA.pkcs1_oaep_padding)
package_C_serverpriv = util.cryptography.decrypt(
package_nonce,
package_C_AES_C_serverpriv,
padchar=None,
mode=util.cryptography.Mode.CBC)
nonce = digsbyrsa.DIGSBY_RSA_public_decrypt(
package_C_serverpriv, self.srv_rsa_key,
M2Crypto.RSA.pkcs1_padding)
return Response(pstrAES(nonce, self.password))
else:
return Failure("extra-challenge")
