paramiko.kex_gss (/usr/lib/python2.7/site-packages/paramiko/kex_gss.py)

This module provides GSS-API / SSPI Key Exchange as defined in :rfc:`4462`.

.. note:: Credential delegation is not supported in server mode.

.. note::
    RFC 4462 Section 2.2 says we are not required to implement GSS-API
    error messages. Thus, in many methods within this module, if an error
    occurs an exception will be thrown and the connection will be terminated.

.. seealso:: :doc:`/api/ssh_gss`

.. versionadded:: 1.15

Imports: os; sha1 from hashlib; * from paramiko.common; util from paramiko; Message from paramiko.message; byte_chr, long, byte_mask, byte_ord from paramiko.py3compat; SSHException from paramiko.ssh_exception.

Message types: MSG_KEXGSS_INIT, MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE, MSG_KEXGSS_HOSTKEY, MSG_KEXGSS_ERROR, MSG_KEXGSS_GROUPREQ, MSG_KEXGSS_GROUP, each with a byte form prefixed c_ (c_MSG_KEXGSS_INIT and so on).


class KexGSSGroup1(object)

    GSS-API / SSPI Authenticated Diffie-Hellman Key Exchange as defined in
    RFC 4462 Section 2.

    NAME = "gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g=="

    __init__(transport)

    start_kex()
        Start the GSS-API / SSPI Authenticated Diffie-Hellman Key Exchange.

    parse_next(ptype, m)
        Parse the next packet.

        :param char ptype: The type of the incoming packet
        :param `.Message` m: The packet content

        SSHException message: "GSS KexGroup1 asked to handle packet type %d"

    _generate_x()
        Generate an "x" (1 < x < q), where q is (p-1)/2. p is a 128-byte
        (1024-bit) number, where the first 64 bits are 1. Therefore q can be
        approximated as 2^1023. We drop the subset of potential x where the
        first 63 bits are 1, because some of those will be larger than q (but
        this is a tiny tiny subset of potential x).

    _parse_kexgss_hostkey(m)
        Parse the SSH2_MSG_KEXGSS_HOSTKEY message (client mode).

        :param `.Message` m: The content of the SSH2_MSG_KEXGSS_HOSTKEY message

    _parse_kexgss_continue(m)
        Parse the SSH2_MSG_KEXGSS_CONTINUE message.

        :param `.Message` m: The content of the SSH2_MSG_KEXGSS_CONTINUE message

    _parse_kexgss_complete(m)
        Parse the SSH2_MSG_KEXGSS_COMPLETE message (client mode).

        :param `.Message` m: The content of the SSH2_MSG_KEXGSS_COMPLETE message

        SSHException message: 'Server kex "f" is out of range'

    _parse_kexgss_init(m)
        Parse the SSH2_MSG_KEXGSS_INIT message (server mode).

        :param `.Message` m: The content of the SSH2_MSG_KEXGSS_INIT message

        SSHException message: 'Client kex "e" is out of range'

    _parse_kexgss_error(m)
        Parse the SSH2_MSG_KEXGSS_ERROR message (client mode).
        The server may send a GSS-API error message. If it does, we display
        the error by throwing an exception (client mode).

        :param `.Message` m: The content of the SSH2_MSG_KEXGSS_ERROR message
        :raise SSHException: Contains GSS-API major and minor status as well as
            the error message and the language tag of the message

        SSHException message: "GSS-API Error: Major Status: %s Minor Status: %s Error Message: %s"


class KexGSSGroup14(KexGSSGroup1)

    GSS-API / SSPI Authenticated Diffie-Hellman Group14 Key Exchange as defined
    in RFC 4462 Section 2.

    NAME = "gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g=="


class KexGSSGex(object)

    GSS-API / SSPI Authenticated Diffie-Hellman Group Exchange as defined in
    RFC 4462 Section 2.

    NAME = "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g=="

    Class attributes: min_bits, max_bits, preferred_bits.

    __init__(transport)

    start_kex()
        Start the GSS-API / SSPI Authenticated Diffie-Hellman Group Exchange.

    parse_next(ptype, m)
        Parse the next packet.

        :param char ptype: The type of the incoming packet
        :param `.Message` m: The packet content

        SSHException message: "KexGex asked to handle packet type %d"

    _generate_x()

    _parse_kexgss_groupreq(m)
        Parse the SSH2_MSG_KEXGSS_GROUPREQ message (server mode).

        :param `.Message` m: The content of the SSH2_MSG_KEXGSS_GROUPREQ message

        SSHException message: "Can't do server-side gex with no modulus pack"
        Debug log: "Picking p (%d <= %d <= %d bits)"

    _parse_kexgss_group(m)
        Parse the SSH2_MSG_KEXGSS_GROUP message (client mode).

        :param `Message` m: The content of the SSH2_MSG_KEXGSS_GROUP message

        SSHException message: "Server-generated gex p (don't ask) is out of range (%d bits)"
        Debug log: "Got server p (%d bits)"

    _parse_kexgss_gex_init(m)
        Parse the SSH2_MSG_KEXGSS_INIT message (server mode).

        :param `Message` m: The content of the SSH2_MSG_KEXGSS_INIT message

        SSHException message: 'Client kex "e" is out of range'

    _parse_kexgss_hostkey(m)
        Parse the SSH2_MSG_KEXGSS_HOSTKEY message (client mode).

        :param `Message` m: The content of the SSH2_MSG_KEXGSS_HOSTKEY message

    _parse_kexgss_continue(m)
        Parse the SSH2_MSG_KEXGSS_CONTINUE message.

        :param `Message` m: The content of the SSH2_MSG_KEXGSS_CONTINUE message

    _parse_kexgss_complete(m)
        Parse the SSH2_MSG_KEXGSS_COMPLETE message (client mode).

        :param `Message` m: The content of the SSH2_MSG_KEXGSS_COMPLETE message

        SSHException message: 'Server kex "f" is out of range'

    _parse_kexgss_error(m)
        Parse the SSH2_MSG_KEXGSS_ERROR message (client mode).
        The server may send a GSS-API error message. If it does, we display
        the error by throwing an exception (client mode).

        :param `Message` m: The content of the SSH2_MSG_KEXGSS_ERROR message
        :raise SSHException: Contains GSS-API major and minor status as well as
            the error message and the language tag of the message

        SSHException message: "GSS-API Error: Major Status: %s Minor Status: %s Error Message: %s"


class NullHostKey(object)

    This class represents the Null Host Key for GSS-API Key Exchange as defined
    in RFC 4462 Section 5.

    __init__()

    __str__()

    get_name()