Mh_dZddlZddlmZddlmZmZmZmZm Z m Z ddl m Z ddl mZddlmZedd \ZZZZZed d \ZZedd Dcgc] }e| c}\ZZZZZed d Dcgc] }e| c}\ZZGd d Z Gdde Z!GddZ"GddZ#ycc}wcc}w)a This module provides GSS-API / SSPI Key Exchange as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. note:: `RFC 4462 Section 2.2 `_ says we are not required to implement GSS-API error messages. Thus, in many methods within this module, if an error occurs an exception will be thrown and the connection will be terminated. .. seealso:: :doc:`/api/ssh_gss` .. versionadded:: 1.15 N)sha1)DEBUGmax_byte zero_bytebyte_chr byte_maskbyte_ord)util)Message) SSHException#(*cxeZdZdZdZdZededzzZe dzZ dZ dZ d Z d Zd Zd Zd ZdZdZdZy) KexGSSGroup1z GSS-API / SSPI Authenticated Diffie-Hellman Key Exchange as defined in `RFC 4462 Section 2 `_ lE8{3If?E yZ3V58noPe?a- tBL y3W[> % %0DF NN ) )/ : TVVTVVTVV,// I $% T[[55T]]5KL DFF $$Q' %%      r#c|jjr|tk(r|j|S|jjs|tk(r|j |S|jjr|t k(r|j|S|jjs|tk(r|j|S|tk(r|j|Sd}t|j|) Parse the next packet. :param ptype: The (string) type of the incoming packet :param `.Message` m: The packet content z.GSS KexGroup1 asked to handle packet type {:d})rr(r-_parse_kexgss_initr4_parse_kexgss_hostkeyr5_parse_kexgss_continuer6_parse_kexgss_completer7_parse_kexgss_errorr formatr ptyper9msgs r! parse_nextzKexGSSGroup1.parse_next{s >> % %5O+C**1- -++:L1L--a0 0 ^^ ' 'U6I-I..q1 1++:M1M..q1 1 & &++A. .>3::e,--r#c tjd}t|dd|ddz}|dd}||j|jfvrnKt j ||_y)ap generate an "x" (1 < x < q), where q is (p-1)/2. p is a 128-byte (1024-bit) number, where the first 64 bits are 1. therefore q can be approximated as a 2^1023. we drop the subset of potential x where the first 63 bits are 1, because some of those will be larger than q (but this is a tiny tiny subset of potential x). rrNr)osurandomrb7fffffffffffffffb0000000000000000r inflate_longr)r x_bytesfirsts r!r'zKexGSSGroup1._generate_xsojjoG D1GABK?GBQKET33T5K5KLL  ""7+r#c|j}||j_|j}|jj|||jj t t y)z Parse the SSH2_MSG_KEXGSS_HOSTKEY message (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_HOSTKEY message N get_stringrhost_key _verify_keyr,r5r6r r9rTsigs r!r>z"KexGSSGroup1._parse_kexgss_hostkeyP<<>"*lln ""8S1 %%&9;NOr#c|jjs|j}t}|j t |j |jj|j||jj||jjtttyy)z Parse the SSH2_MSG_KEXGSS_CONTINUE message. :param `.Message` m: The content of the SSH2_MSG_KEXGSS_CONTINUE message r& recv_tokenNrr(rSr r.c_MSG_KEXGSS_CONTINUEr0rr1r send_messager,r5r6r7r r9 srv_tokens r!r?z#KexGSSGroup1._parse_kexgss_continues~~)) I A JJ, - LL 00==Y1  NN ' ' * NN ) )#%8:J  r#c|jjt|j_|j|_|jdks|j|j dz kDr t d|j}|j}d}|r|j}t|j|j|j }t}|j|jj|jj|jj|jj |j#|jjj%|j'|j(|j'|j|j'|t+t-|j/}|jj1|||D|j2j5|j6||j2j9||n|j2j9||d|j_|jj=y)z Parse the SSH2_MSG_KEXGSS_COMPLETE message (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_COMPLETE message NrHServer kex "f" is out of rangerZT)rrT NullHostKey get_mpintrr+r rS get_booleanr)rr add local_versionremote_versionlocal_kex_initremote_kex_initr0__str__r2rrstrdigest_set_K_Hrr1r ssh_check_mic gss_kex_used_activate_outboundr r9 mic_tokenboolr`KhmHs r!r@z#KexGSSGroup1._parse_kexgss_completes >> " " *&1mDNN # FFQJDFFTVVaZ/?@ @LLN }}  I  'Y  NN ( ( NN ) ) NN ) ) NN * *  dnn--5578 TVV TVV Q RM " 1%  KK , ,}} -  KK % %i 3 KK % %i 3&*# ))+r#c|j}|j|_|jdks|j|jdz kDr t dt |j|j |j}t|j_ |jjj}t}|j|jj|jj|jj|jj |j#||j%|j|j%|j&|j%|t)|j+j-}|jj/|||j0j3|j4|}t}|j0j6r|j0j9|jj:d}|j=t>|j%|j&|j#||#|jAd|j#|n|jAd|jjC|d|j_"|jjGy|j=tH|j#||jjC||jjKtLtNtPy)z Parse the SSH2_MSG_KEXGSS_INIT message (server mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_INIT message rHClient kex "e" is out of rangeTgss_kexNF))rSrdrr+r r)rrcrrTrkr rfrhrgrjrir0r2rrasbytesrmrnrssh_accept_sec_contextr_gss_srv_ctxt_status ssh_get_mic session_idr.c_MSG_KEXGSS_COMPLETE add_booleanr3rprqr]r,r5r6r7 r r9 client_tokenrukeyrvrwr`rss r!r=zKexGSSGroup1._parse_kexgss_initsY||~  FFQJDFFTVVaZ/?@ @  '"--nn%%--/Y  NN ) ) NN ( ( NN * * NN ) )  c TVV TVV Q   % % ' 1%KK66 MM<  I ;; + + //))40I JJ, - KK  LL #$ d# Y' e$ NN ( ( +*.DNN ' NN - - / JJ, - LL # NN ( ( + NN ) )#%8:J r#c|j}|j}|j}|jtdj|||)a Parse the SSH2_MSG_KEXGSS_ERROR message (client mode). The server may send a GSS-API error message. if it does, we display the error by throwing an exception (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_ERROR message :raise SSHException: Contains GSS-API major and minor status as well as the error message and the language tag of the message CGSS-API Error: Major Status: {} Minor Status: {} Error Message: {} get_intrSr rBr r9 maj_status min_statuserr_msgs r!rAz KexGSSGroup1._parse_kexgss_error*SYY[ YY[ ,,.   FJ   r#N)__name__ __module__ __qualname____doc__r+r*rrrLrrMNAMEr"r:rFr'r>r?r@r=rAr#r!rrLsf KA A A5!A  5D 4.,, P.+,Z6p r#rceZdZdZdZdZdZy) KexGSSGroup14z GSS-API / SSPI Authenticated Diffie-Hellman Group14 Key Exchange as defined in `RFC 4462 Section 2 `_ l&UG9 tcb0]Q\-:$90.`U_b;YS7x]Ek`:xds! ,w=HG2Cdc_.K?&j_c}z[\V_1M.D^/1v5 I jV&| /mVlR<6#{n4(EY91T:g8 H Apcb4BBj~Hrz)gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==N)rrrrr+r*rrr#r!rrDs KA A 6Dr#rcbeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZy) KexGSSGexz GSS-API / SSPI Authenticated Diffie-Hellman Group Exchange as defined in `RFC 4462 Section 2 `_ z%gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g== ic||_|jj|_d|_d|_d|_d|_d|_d|_d|_ d|_ y)NF) rrrrpqgrrr old_stylers r!r"zKexGSSGex.__init__[sR"nn00  r#c|jjr |jjty|jj|_t }|j t|j|j|j|j|j|j|jj||jjty)zV Start the GSS-API / SSPI Authenticated Diffie-Hellman Group Exchange N)rr(r,MSG_KEXGSS_GROUPREQrr r.c_MSG_KEXGSS_GROUPREQadd_intmin_bitspreferred_bitsmax_bitsr3MSG_KEXGSS_GROUPr8s r!r:zKexGSSGex.start_kexgs >> % % NN ) )*= > // I () $--  $%%& $--  $$Q' %%&67r#c|tk(r|j|S|tk(r|j|S|tk(r|j |S|t k(r|j|S|tk(r|j|S|tk(r|j|S|tk(r|j|Sd}t|j|)r<z'KexGex asked to handle packet type {:d})r_parse_kexgss_groupreqr_parse_kexgss_groupr-_parse_kexgss_gex_initr4r>r5r?r6r@r7rAr rBrCs r!rFzKexGSSGex.parse_nextzs ' '..q1 1 & &++A. . o %..q1 1 ( (--a0 0 ) )..q1 1 ) )..q1 1 & &++A. .73::e,--r#c\|jdz dz}tj|d}t|d}t |}d}|dzs|dz}|dz}|dzs t j |}t|d||ddz}tj|d}|dkDr||kr ||_ yT)NrHrrrI) rr deflate_longr lenrJrKrrNr)r rqnormqhbyte byte_countqmaskrOrs r!r'zKexGSSGex._generate_xs VVaZA !!!Q'%(#Z D= qLF aKED=jj,G E2WQR[@G!!'1-AAAE r#c$|j}|j}|j}||jkDr |j}||jkr |j}||kDr|}||kr|}||_||_||_|jj }| t d|jjtdj||||j|||\|_ |_ t}|jt|j!|j|j!|j|jj#||jj%t&y)z Parse the SSH2_MSG_KEXGSS_GROUPREQ message (server mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_GROUPREQ message Nz-Can't do server-side gex with no modulus packzPicking p ({} <= {} <= {} bits))rrrrr_get_modulus_packr _logrrB get_modulusrrr r.c_MSG_KEXGSS_GROUPr2r3r,r-)r r9minbits preferredbitsmaxbitspacks r!rz KexGSSGex._parse_kexgss_groupreqsD))+ ))+ 4== ( MMM 4== ( MMM ] "#G ] "#G + ~~//1 <NO O   - 4 4  ))'='J I %& DFF DFF $$Q' %%o6r#c,|j|_|j|_tj|j}|dks|dkDrt dj ||jjtdj ||jt|j|j|j|_ t}|jt |j#|j$j'|j(|j+|j|jj-||jj/t0t2t4t6y)z Parse the SSH2_MSG_KEXGSS_GROUP message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_GROUP message rrz|}t}|j:j@r|j:jC|jjDd}|jGtH|j1|j|jK||#|jMd|jK|n|jMd|jjO|d|j_(|jjSy|jGtT|jK||jjO||jjWtXtZt\y)z Parse the SSH2_MSG_KEXGSS_INIT message (server mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_INIT message rHryTrzNF)/rSrdrrr r'r)rrrrcrrTrkr rfrhrgrjrirrrrr2rr|rmrnrr}rr~rrr.rr0rr3rprqr]r,r5r6r7rs r!rz KexGSSGex._parse_kexgss_gex_inits ||~  FFQJDFFTVVaZ/?@ @ TVVTVVTVV,  '"--nn%%--/Y  NN ) ) NN ( ( NN * * NN ) )    4==! 4&&' 4==! TVV TVV TVV TVV Q   % % ' 1%KK66 MM<  I ;; + + //))40I JJ, - KK  LL #$ d# Y' e$ NN ( ( +*.DNN ' NN - - / JJ, - LL # NN ( ( + NN ) )#%8:J r#c|j}||j_|j}|jj|||jj t t y)z Parse the SSH2_MSG_KEXGSS_HOSTKEY message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_HOSTKEY message NrRrVs r!r>zKexGSSGex._parse_kexgss_hostkey1rXr#c|jjs|j}t}|j t |j |jj|j||jj||jjtttyy)z Parse the SSH2_MSG_KEXGSS_CONTINUE message. :param `Message` m: The content of the SSH2_MSG_KEXGSS_CONTINUE message rZNr\r_s r!r?z KexGSSGex._parse_kexgss_continue>s ~~)) I A JJ, - LL 00==Y1  NN ' ' * NN ) )#%8:J  r#cD|jjt|j_|j|_|j }|j }d}|r|j }|jdks|j|jdz kDr tdt|j|j|j}t}|j|jj|jj|jj|jj |jjj#|j$s|j'|j(|j'|j*|j$s|j'|j,|j/|j|j/|j0|j/|j2|j/|j|j/|t5|j7j9}|jj;|||D|j<j?|j@||j<jC||n|j<jC||d|j_"|jjGy)z Parse the SSH2_MSG_KEXGSS_COMPLETE message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_COMPLETE message NrHrbrZT)$rrTrcrdrrSrerr r)rr rfrgrhrirjrkrrrrrr2rrrr|rmrnrr1rrorprqrrs r!r@z KexGSSGex._parse_kexgss_completeTs! >> " " *&1mDNN #LLN }}  I FFQJDFFTVVaZ/?@ @  'Y  NN ( ( NN ) ) NN ) ) NN * * NN # # + + -  ~~ JJt}} % 4&&'~~ JJt}} % TVV TVV TVV TVV Q   % % ' 1%  KK , ,}} -  KK % %i 3 KK % %i 3&*# ))+r#c|j}|j}|j}|jtdj|||)a Parse the SSH2_MSG_KEXGSS_ERROR message (client mode). The server may send a GSS-API error message. if it does, we display the error by throwing an exception (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_ERROR message :raise SSHException: Contains GSS-API major and minor status as well as the error message and the language tag of the message rrrs r!rAzKexGSSGex._parse_kexgss_errorrr#N)rrrrrrrrr"r:rFr'rrrr>r?r@rArr#r!rrPsY 3DHHN 8&.4$*7X B<| P,0,d r#rc"eZdZdZdZdZdZy)rcz This class represents the Null Host Key for GSS-API Key Exchange as defined in `RFC 4462 Section 5 `_ cd|_y)Nrr s r!r"zNullHostKey.__init__s r#c|jSNrrs r!rkzNullHostKey.__str__ xxr#c|jSrrrs r!get_namezNullHostKey.get_namerr#N)rrrrr"rkrrr#r!rcrcs r#rc)$rrJhashlibrparamiko.commonrrrrrr paramikor paramiko.messager paramiko.ssh_exceptionr ranger-r5r6r4r7rrr/r]rc_MSG_KEXGSS_HOSTKEYc_MSG_KEXGSS_ERRORrrrrrrc)cs0r!rs." $/ "bM */B-'& B-(QXa[( r2/HQK/+* u u p 7L 7M M ` u)/s B78B<