def setup(self, name): if not self.security_settings['encrypted']: if not self.security_settings['unencrypted_plain']: raise SASLCancelled('PLAIN without encryption') else: if not self.security_settings['encrypted_plain']: raise SASLCancelled('PLAIN with encryption')
def setup(self, name): self.hash_name = name[5:] self.hash = hash(self.hash_name) if self.hash is None: raise SASLCancelled('Unknown hash: %s' % self.hash_name) if not self.security_settings['encrypted']: if not self.security_settings['unencrypted_cram']: raise SASLCancelled('Unecrypted CRAM-%s' % self.hash_name)
def setup(self, name): self.hash_name = name[7:] self.hash = hash(self.hash_name) if self.hash is None: raise SASLCancelled('Unknown hash: %s' % self.hash_name) if not self.security_settings['encrypted']: if not self.security_settings['unencrypted_digest']: raise SASLCancelled('Unencrypted DIGEST') self.qops = [b'auth'] self.qop = b'auth' self.maxbuf = b'65536' self.nonce = b'' self.cnonce = b'' self.nonce_count = 1
def process(self, challenge=b''): b64_challenge = b64encode(challenge) try: if self.step == 0: result = kerberos.authGSSClientStep( self.gss, b64_challenge) if result != kerberos.AUTH_GSS_CONTINUE: self.step = 1 elif not challenge: kerberos.authGSSClientClean(self.gss) return b'' elif self.step == 1: username = self.credentials['username'] kerberos.authGSSClientUnwrap(self.gss, b64_challenge) resp = kerberos.authGSSClientResponse(self.gss) kerberos.authGSSClientWrap(self.gss, resp, username) resp = kerberos.authGSSClientResponse(self.gss) except kerberos.GSSError as e: raise SASLCancelled('Kerberos error: %s' % e) if not resp: return b'' else: return b64decode(resp)
def setup(self, name): self.use_channel_binding = False if name[-5:] == '-PLUS': name = name[:-5] self.use_channel_binding = True self.hash_name = name[6:] self.hash = hash(self.hash_name) if self.hash is None: raise SASLCancelled('Unknown hash: %s' % self.hash_name) if not self.security_settings['encrypted']: if not self.security_settings['unencrypted_scram']: raise SASLCancelled('Unencrypted SCRAM') self.step = 0 self._mutual_auth = False
def process_2(self, challenge): self.step = 2 data = self.parse(challenge) if b'm' in data: raise SASLCancelled('Received reserved attribute.') salt = b64decode(data[b's']) iteration_count = int(data[b'i']) nonce = data[b'r'] if nonce[:len(self.cnonce)] != self.cnonce: raise SASLCancelled('Invalid nonce') cbind_data = b'' if self.use_channel_binding: cbind_data = self.credentials['channel_binding'] cbind_input = self.gs2_header + cbind_data channel_binding = b'c=' + b64encode(cbind_input).replace(b'\n', b'') client_final_message_without_proof = channel_binding + b',' + \ b'r=' + nonce salted_password = self.Hi(self.credentials['password'], salt, iteration_count) client_key = self.HMAC(salted_password, b'Client Key') stored_key = self.H(client_key) auth_message = self.client_first_message_bare + b',' + \ challenge + b',' + \ client_final_message_without_proof client_signature = self.HMAC(stored_key, auth_message) client_proof = XOR(client_key, client_signature) server_key = self.HMAC(salted_password, b'Server Key') self.server_signature = self.HMAC(server_key, auth_message) client_final_message = client_final_message_without_proof + \ b',p=' + b64encode(client_proof) return client_final_message