secdev · gpotter2 · Apr 18, 2025 · Apr 18, 2025
diff --git a/scapy/layers/http.py b/scapy/layers/http.py
@@ -1073,47 +1073,17 @@ def BEGIN(self):
         self.authenticated = False
         self.sspcontext = None
 
-    @ATMT.condition(BEGIN, prio=0)
-    def should_authenticate(self):
+    @ATMT.receive_condition(BEGIN, prio=1)
+    def should_authenticate(self, pkt):
         if self.authmethod == HTTP_AUTH_MECHS.NONE.value:
-            raise self.SERVE()
+            raise self.SERVE(pkt)
         else:
-            raise self.AUTH()
+            raise self.AUTH(pkt)
 
     @ATMT.state()
-    def AUTH(self):
-        pass
-
-    @ATMT.state()
-    def AUTH_ERROR(self, proxy):
-        self.sspcontext = None
-        self._ask_authorization(proxy, self.authmethod)
-        self.vprint("AUTH ERROR")
-
-    @ATMT.condition(AUTH_ERROR)
-    def allow_reauth(self):
-        raise self.AUTH()
-
-    def _ask_authorization(self, proxy, data):
-        if proxy:
-            self.send(
-                HTTPResponse(
-                    Status_Code=b"407",
-                    Reason_Phrase=b"Proxy Authentication Required",
-                    Proxy_Authenticate=data,
-                )
-            )
-        else:
-            self.send(
-                HTTPResponse(
-                    Status_Code=b"401",
-                    Reason_Phrase=b"Unauthorized",
-                    WWW_Authenticate=data,
-                )
-            )
-
-    @ATMT.receive_condition(AUTH, prio=1)
-    def received_unauthenticated(self, pkt):
+    def AUTH(self, pkt=None):
+        if pkt is None:
+            return
         if HTTPRequest in pkt:
             self.vprint(pkt.summary())
             if pkt.Method == b"CONNECT":
@@ -1137,10 +1107,12 @@ def received_unauthenticated(self, pkt):
             # Parse authorization
             method, data = authorization.split(b" ", 1)
             if plain_str(method) != self.authmethod:
+                self.debug(3, "Bad auth method.")
                 raise self.AUTH_ERROR(proxy)
             try:
                 data = base64.b64decode(data)
             except Exception:
+                self.debug(3, "Couldn't unpack base64 of auth.")
                 raise self.AUTH_ERROR(proxy)
             # Now process the authorization
             if not self.basic:
@@ -1149,6 +1121,7 @@ def received_unauthenticated(self, pkt):
                 except Exception:
                     self.sspcontext = None
                     self._ask_authorization(proxy, self.authmethod)
+                    self.debug(3, "Couldn't unpack GSSAPI_BLOB of auth.")
                     raise self.AUTH_ERROR(proxy)
                 # And call the SSP
                 self.sspcontext, tok, status = self.ssp.GSS_Accept_sec_context(
@@ -1164,9 +1137,11 @@ def received_unauthenticated(self, pkt):
                     )
                     tok, status = None, GSS_S_COMPLETE
                 except StopIteration:
+                    self.debug(3, "Basic authentication failed with 'unknown user'.")
                     tok, status = None, GSS_S_FAILURE
             # Send answer
             if status not in [GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED]:
+                self.debug(3, "Authentication failed.")
                 raise self.AUTH_ERROR(proxy)
             elif status == GSS_S_CONTINUE_NEEDED:
                 data = self.authmethod.encode()
@@ -1180,6 +1155,38 @@ def received_unauthenticated(self, pkt):
                 self.vprint("AUTH OK")
                 raise self.SERVE(pkt)
 
+    @ATMT.state()
+    def AUTH_ERROR(self, proxy):
+        self.sspcontext = None
+        self._ask_authorization(proxy, self.authmethod)
+        self.vprint("AUTH ERROR")
+
+    @ATMT.condition(AUTH_ERROR)
+    def allow_reauth(self):
+        raise self.AUTH()
+
+    def _ask_authorization(self, proxy, data):
+        if proxy:
+            self.send(
+                HTTPResponse(
+                    Status_Code=b"407",
+                    Reason_Phrase=b"Proxy Authentication Required",
+                    Proxy_Authenticate=data,
+                )
+            )
+        else:
+            self.send(
+                HTTPResponse(
+                    Status_Code=b"401",
+                    Reason_Phrase=b"Unauthorized",
+                    WWW_Authenticate=data,
+                )
+            )
+
+    @ATMT.receive_condition(AUTH, prio=1)
+    def received_unauthenticated(self, pkt):
+        raise self.AUTH(pkt)
+
     @ATMT.eof(AUTH)
     def auth_eof(self):
         raise self.CLOSED()

diff --git a/scapy/layers/kerberos.py b/scapy/layers/kerberos.py
@@ -2108,11 +2108,21 @@ class KRB_GSS_EXT(Packet):
 class KRB_AuthenticatorChecksum(Packet):
     fields_desc = [
         FieldLenField("Lgth", None, length_of="Bnd", fmt="<I"),
-        PacketLenField(
-            "Bnd",
-            GssChannelBindings(),
-            GssChannelBindings,
-            length_from=lambda pkt: pkt.Lgth,
+        MultipleTypeField(
+            [
+                (
+                    # If using a MD5 hash.
+                    XStrFixedLenField("Bnd", b"", length=16),
+                    lambda pkt: pkt.Lgth == 16,
+                ),
+            ],
+            # Default to using the gss_channel_bindings_struct
+            PacketLenField(
+                "Bnd",
+                GssChannelBindings(),
+                GssChannelBindings,
+                length_from=lambda pkt: pkt.Lgth,
+            ),
         ),
         FlagsField(
             "Flags",