From bd1b291dc2119df113d7b8a79b53dd35688f0fc0 Mon Sep 17 00:00:00 2001 From: gpotter2 <10530980+gpotter2@users.noreply.github.com> Date: Fri, 18 Apr 2025 10:02:02 +0200 Subject: [PATCH] Better logging, cleanup of HTTP_Server code, fix in ChannelBindings of Kerberos --- scapy/layers/http.py | 81 ++++++++++++++++++++++------------------ scapy/layers/kerberos.py | 20 +++++++--- 2 files changed, 59 insertions(+), 42 deletions(-) diff --git a/scapy/layers/http.py b/scapy/layers/http.py index 00f1b9d6f18..f8a74e7b2b3 100644 --- a/scapy/layers/http.py +++ b/scapy/layers/http.py @@ -1073,47 +1073,17 @@ def BEGIN(self): self.authenticated = False self.sspcontext = None - @ATMT.condition(BEGIN, prio=0) - def should_authenticate(self): + @ATMT.receive_condition(BEGIN, prio=1) + def should_authenticate(self, pkt): if self.authmethod == HTTP_AUTH_MECHS.NONE.value: - raise self.SERVE() + raise self.SERVE(pkt) else: - raise self.AUTH() + raise self.AUTH(pkt) @ATMT.state() - def AUTH(self): - pass - - @ATMT.state() - def AUTH_ERROR(self, proxy): - self.sspcontext = None - self._ask_authorization(proxy, self.authmethod) - self.vprint("AUTH ERROR") - - @ATMT.condition(AUTH_ERROR) - def allow_reauth(self): - raise self.AUTH() - - def _ask_authorization(self, proxy, data): - if proxy: - self.send( - HTTPResponse( - Status_Code=b"407", - Reason_Phrase=b"Proxy Authentication Required", - Proxy_Authenticate=data, - ) - ) - else: - self.send( - HTTPResponse( - Status_Code=b"401", - Reason_Phrase=b"Unauthorized", - WWW_Authenticate=data, - ) - ) - - @ATMT.receive_condition(AUTH, prio=1) - def received_unauthenticated(self, pkt): + def AUTH(self, pkt=None): + if pkt is None: + return if HTTPRequest in pkt: self.vprint(pkt.summary()) if pkt.Method == b"CONNECT": 
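Review bot: `should_authenticate` is now a `receive_condition`, so BEGIN no longer leaves on its own and waits for the first request, yet the only EOF handler visible in this patch is `@ATMT.eof(AUTH)`. If BEGIN has no EOF handler elsewhere in the file, a peer that connects and closes without sending a request is not routed to CLOSED from this state. Consider mirroring `auth_eof` with `@ATMT.eof(BEGIN)` on a handler that does `raise self.CLOSED()`. The new `AUTH(self, pkt=None)` would also benefit from a short docstring stating that `pkt is None` is the re-entry from `allow_reauth`, after which the state waits for the next request. Its body continues past the end of this hunk.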
@@ -1137,10 +1107,12 @@ def received_unauthenticated(self, pkt): # Parse authorization method, data = authorization.split(b" ", 1) if plain_str(method) != self.authmethod: + self.debug(3, "Bad auth method.") raise self.AUTH_ERROR(proxy) try: data = base64.b64decode(data) except Exception: + self.debug(3, "Couldn't unpack base64 of auth.") raise self.AUTH_ERROR(proxy) # Now process the authorization if not self.basic: @@ -1149,6 +1121,7 @@ def received_unauthenticated(self, pkt): except Exception: self.sspcontext = None self._ask_authorization(proxy, self.authmethod) + self.debug(3, "Couldn't unpack GSSAPI_BLOB of auth.") raise self.AUTH_ERROR(proxy) # And call the SSP self.sspcontext, tok, status = self.ssp.GSS_Accept_sec_context( @@ -1164,9 +1137,11 @@ def received_unauthenticated(self, pkt): ) tok, status = None, GSS_S_COMPLETE except StopIteration: + self.debug(3, "Basic authentication failed with 'unknown user'.") tok, status = None, GSS_S_FAILURE # Send answer if status not in [GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED]: + self.debug(3, "Authentication failed.") raise self.AUTH_ERROR(proxy) elif status == GSS_S_CONTINUE_NEEDED: data = self.authmethod.encode() 
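Review bot: The GSSAPI_BLOB `except` branch sends the challenge twice: it calls `self._ask_authorization(proxy, self.authmethod)` and then raises `AUTH_ERROR`, whose state body (relocated in the last http.py hunk) resets `sspcontext` and calls `_ask_authorization` again. A malformed token therefore gets two 401/407 responses for one request, which can confuse a client reusing the connection. Reduce the branch to the new `self.debug(...)` line plus `raise self.AUTH_ERROR(proxy)`, as the other failure paths already do. Separately, `base64.b64decode(data)` discards non-alphabet characters by default, so the new "Couldn't unpack base64 of auth." message fires mainly on padding errors; `base64.b64decode(data, validate=True)` would reject malformed input outright. The enclosing function starts and ends outside this hunk.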
@@ -1180,6 +1155,38 @@ def received_unauthenticated(self, pkt): self.vprint("AUTH OK") raise self.SERVE(pkt) + @ATMT.state() + def AUTH_ERROR(self, proxy): + self.sspcontext = None + self._ask_authorization(proxy, self.authmethod) + self.vprint("AUTH ERROR") + + @ATMT.condition(AUTH_ERROR) + def allow_reauth(self): + raise self.AUTH() + + def _ask_authorization(self, proxy, data): + if proxy: + self.send( + HTTPResponse( + Status_Code=b"407", + Reason_Phrase=b"Proxy Authentication Required", + Proxy_Authenticate=data, + ) + ) + else: + self.send( + HTTPResponse( + Status_Code=b"401", + Reason_Phrase=b"Unauthorized", + WWW_Authenticate=data, + ) + ) + + @ATMT.receive_condition(AUTH, prio=1) + def received_unauthenticated(self, pkt): + raise self.AUTH(pkt) + @ATMT.eof(AUTH) def auth_eof(self): raise self.CLOSED() diff --git a/scapy/layers/kerberos.py b/scapy/layers/kerberos.py index f7b0cc19a46..b4d5d59f767 100644 --- a/scapy/layers/kerberos.py +++ b/scapy/layers/kerberos.py @@ -2108,11 +2108,21 @@ class KRB_GSS_EXT(Packet): class KRB_AuthenticatorChecksum(Packet): fields_desc = [ FieldLenField("Lgth", None, length_of="Bnd", fmt="
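Review bot: `allow_reauth` returns to AUTH unconditionally after every `AUTH_ERROR`, and nothing in this hunk counts failures, so a single connection can retry credentials without bound; with Basic auth that leaves password guessing unthrottled. If no limit exists elsewhere in the class, keep a per-connection failure counter (reset in BEGIN, incremented in `AUTH_ERROR`) and have `allow_reauth` do `raise self.CLOSED()` once it exceeds a configured maximum. The failure messages added in this commit would also serve detection better if this path logged the peer and the attempt count. `received_unauthenticated` is now only a forwarder to `AUTH(pkt)`, so a one-line docstring saying that would help, since the name no longer describes what it does.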