#!/usr/bin/python """ Implementation of the p9sk1 authentication. This module requires the Python Cryptography Toolkit from http://www.amk.ca/python/writing/pycrypt/pycrypt.html """ import socket import random from Crypto.Cipher import DES import P9 class Error(P9.Error) : pass class AuthError(Error) : pass class AuthsrvError(Error) : pass TickReqLen = 141 TickLen = 72 AuthLen = 13 AuthTreq,AuthChal,AuthPass,AuthOK,AuthErr,AuthMod = range(1,7) AuthTs,AuthTc,AuthAs,AuthAc,AuthTp,AuthHr = range(64, 70) AUTHPORT = 567 _par = [ 0x01, 0x02, 0x04, 0x07, 0x08, 0x0b, 0x0d, 0x0e, 0x10, 0x13, 0x15, 0x16, 0x19, 0x1a, 0x1c, 0x1f, 0x20, 0x23, 0x25, 0x26, 0x29, 0x2a, 0x2c, 0x2f, 0x31, 0x32, 0x34, 0x37, 0x38, 0x3b, 0x3d, 0x3e, 0x40, 0x43, 0x45, 0x46, 0x49, 0x4a, 0x4c, 0x4f, 0x51, 0x52, 0x54, 0x57, 0x58, 0x5b, 0x5d, 0x5e, 0x61, 0x62, 0x64, 0x67, 0x68, 0x6b, 0x6d, 0x6e, 0x70, 0x73, 0x75, 0x76, 0x79, 0x7a, 0x7c, 0x7f, 0x80, 0x83, 0x85, 0x86, 0x89, 0x8a, 0x8c, 0x8f, 0x91, 0x92, 0x94, 0x97, 0x98, 0x9b, 0x9d, 0x9e, 0xa1, 0xa2, 0xa4, 0xa7, 0xa8, 0xab, 0xad, 0xae, 0xb0, 0xb3, 0xb5, 0xb6, 0xb9, 0xba, 0xbc, 0xbf, 0xc1, 0xc2, 0xc4, 0xc7, 0xc8, 0xcb, 0xcd, 0xce, 0xd0, 0xd3, 0xd5, 0xd6, 0xd9, 0xda, 0xdc, 0xdf, 0xe0, 0xe3, 0xe5, 0xe6, 0xe9, 0xea, 0xec, 0xef, 0xf1, 0xf2, 0xf4, 0xf7, 0xf8, 0xfb, 0xfd, 0xfe ] def _expandKey(key) : """Expand a 7-byte DES key into an 8-byte DES key""" k = map(ord, key) k64 = [ k[0]>>1, (k[1]>>2) | (k[0]<<6), (k[2]>>3) | (k[1]<<5), (k[3]>>4) | (k[2]<<4), (k[4]>>5) | (k[3]<<3), (k[5]>>6) | (k[4]<<2), (k[6]>>7) | (k[5]<<1), k[6]<<0] return "".join([chr(_par[x & 0x7f]) for x in k64]) def _newKey(key) : return DES.new(_expandKey(key), DES.MODE_ECB) def lencrypt(key, l) : """Encrypt a list of characters, returning a list of characters""" return list(key.encrypt("".join(l))) def ldecrypt(key, l) : return list(key.decrypt("".join(l))) def makeKey(password) : """ Hash a password into a key. """ password = password[:28-1] + '\0' n = len(password) - 1 password = P9.pad(password, 28, ' ') buf = list(password) while 1 : t = map(ord, buf[:8]) k = [(((t[i]) >> i) + (t[i+1] << (8-(i+1))) & 0xff) for i in xrange(7)] key = "".join([chr(x) for x in k]) if n <= 8 : return key n -= 8 if n < 8 : buf[:n] = [] else : buf[:8] = [] buf[:8] = lencrypt(_newKey(key), buf[:8]) def randChars(n) : """ XXX This is *NOT* a secure way to generate random strings! This should be fixed if this code is ever used in a serious manner. """ return "".join([chr(random.randint(0,255)) for x in xrange(n)]) class Marshal(P9.Marshal) : def __init__(self) : self.ks = None self.kn = None def setKs(self, ks) : self.ks = _newKey(ks) def setKn(self, kn) : self.kn = _newKey(kn) def _encrypt(self, n, key) : """Encrypt the last n bytes of the buffer with weird chaining.""" idx = len(self.bytes) - n n -= 1 for dummy in xrange(n / 7) : self.bytes[idx : idx+8] = lencrypt(key, self.bytes[idx : idx+8]) idx += 7 if n % 7 : self.bytes[-8:] = lencrypt(key, self.bytes[-8:]) def _decrypt(self, n, key) : """Decrypt the first n bytes of the buffer.""" if key is None : return m = n - 1 if m % 7 : self.bytes[n-8:n] = ldecrypt(key, self.bytes[n-8:n]) idx = m - m%7 for dummy in xrange(m / 7) : idx -= 7 self.bytes[idx : idx+8] = ldecrypt(key, self.bytes[idx : idx+8]) def _encPad(self, x, l) : self._encX(P9.pad(x, l)) def _decPad(self, l) : x = self._decX(l) idx = x.find('\0') if idx >= 0 : x = x[:idx] return x def _encChal(self, x) : self._checkLen(x, 8) self._encX(x) def _decChal(self) : return self._decX(8) def _encTicketReq(self, x) : type,authid,authdom,chal,hostid,uid = x self._enc1(type) self._encPad(authid, 28) self._encPad(authdom, 48) self._encChal(chal) self._encPad(hostid, 28) self._encPad(uid, 28) def _decTicketReq(self) : return [self._dec1(), self._decPad(28), self._decPad(48), self._decChal(), self._decPad(28), self._decPad(28)] def _encTicket(self, x) : num,chal,cuid,suid,key = x self._checkLen(key, 7) self._enc1(num) self._encChal(chal) self._encPad(cuid, 28) self._encPad(suid, 28) self._encX(key) self._encrypt(1 + 8 + 28 + 28 + 7, self.ks) def _decTicket(self) : self._decrypt(1 + 8 + 28 + 28 + 7, self.ks) return [self._dec1(), self._decChal(), self._decPad(28), self._decPad(28), self._decX(7)] def _encAuth(self, x) : num,chal,id = x self._enc1(num) self._encChal(chal) self._enc4(id) self._encrypt(1 + 8 + 4, self.kn) def _decAuth(self) : self._decrypt(1 + 8 + 4, self.kn) return [self._dec1(), self._decChal(), self._dec4()] def _encTattach(self, x) : tick,auth = x self._checkLen(tick, 72) self._encX(tick) self._encAuth(auth) def _decTattach(self) : return self._decX(72), self._decAuth() def getTicket(con, sk1, treq) : """ Connect to the auth server and request a set of tickets. Con is an open handle to the auth server, sk1 is a handle to a P9sk1 marshaller with Kc set and treq is a ticket request. Return the (opaque) server ticket and the (decoded) client ticket. Raises an AuthsrvError on failure. """ sk1.setBuf() sk1._encTicketReq(treq) con.send(sk1.getBuf()) ch = con.recv(1) if ch == chr(5) : err = con.recv(64) raise AuthsrvError(err) elif ch != chr(4) : raise AuthsrvError("invalid reply type %r" % ch) ctick = con.recv(72) stick = con.recv(72) if len(stick) + len(ctick) != 72*2 : raise AuthsrvError("short auth reply") sk1.setBuf(ctick) return sk1._decTicket(), stick # this could be cleaner def clientAuth(cl, afid, user, Kc, authsrv, authport=567) : """ Authenticate ourselves to the server. Cl is a P9 RpcClient, afid is the fid to use, user is the user name, Kc is the user's key, authsrv and authport specify the auth server to use for requesting tickets. XXX perhaps better if the auth server can be prompted for based on the domain in the negotiation. """ CHc = randChars(8) sk1 = Marshal() sk1.setKs(Kc) pos = [0] gen = 0 def rd(l) : x = cl.read(afid, pos[0], l) pos[0] += len(x) return x def wr(x) : l = cl.write(afid, pos[0], x) pos[0] += l return l # negotiate proto = rd(128) v2 = 0 if proto[:10] == 'v.2 p9sk1@' : v2 = 1 proto = proto[4:] if proto[:6] != 'p9sk1@' : raise AuthError("unknown protocol %r" % proto) wr(proto.replace("@", " ", 1)) if v2 : if rd(3) != 'OK\0' : raise AuthError("v.2 protocol botch") # Tsession sk1.setBuf() sk1._encChal(CHc) wr(sk1.getBuf()) # Rsession sk1.setBuf(rd(TickReqLen)) treq = sk1._decTicketReq() if v2 and treq[0] == 0 : # kenfs is fast and loose with auth formats treq[0] = AuthTreq; if treq[0] != AuthTreq : raise AuthError("bad server") CHs = treq[3] # request ticket from authsrv treq[-2],treq[-1] = user,user s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((authsrv, authport),) (num,CHs2,cuid,suid,Kn),stick = getTicket(s, sk1, treq) # XXX catch s.close() if num != AuthTc or CHs != CHs2 : raise AuthError("bad password for %s or bad auth server" % user) sk1.setKn(Kn) # Tattach sk1.setBuf() sk1._encTattach([stick, [AuthAc, CHs, gen]]) wr(sk1.getBuf()) sk1.setBuf(rd(AuthLen)) num,CHc2,gen2 = sk1._decAuth() if num != AuthAs or CHc2 != CHc : # XXX check gen2 for replay raise AuthError("bad server") return