base Package

ctypes Module

impl Module

gssapi.base.impl.acceptSecContext(input_token, acceptor_cred=None, ctx=None, channel_bindings=None)

Accepts a GSS Security Context

(Server) This method accepts a GSSAPI security context based on the given parameters, including the token sent by the client returned from initSecContext()

Parameters:
  • input_token (str) – the token sent from the client
  • acceptor_cred – the handle for the credentials (returned from acquireCred) used to accept the context, or None to use the default acceptor principal
  • ctx – the current context, or None for a new context
  • channel_bindings – the requested channel bindings (currently only None is accepted)
Returns:

a tuple containing the (potentially modified) context, the authenticated name of the context initiator, the mechanism type used, the output token (to send to the client), the flags in use, the TTL for the context, the delegated credential handle (or None if RequirementFlag.delegate_to_peer is not present in the flags), and whether or not a continue is needed (i.e. (context, name, MechType, bytes, [RequirementFlag], int, delegated_cred, continue_needed))

Raises: GSSError

gssapi.base.impl.acquireCred(name, ttl=0, mechs=None, cred_usage=None)

Acquires GSSAPI Credentials

This method acquires credentials for the given name (imported with importName()) for the desired mechanisms, with permissions to either initiate security contexts, accept them, or both.

Parameters:
  • name – the name object for which to get credentials
  • ttl (int) – the requested TTL for these credentials
  • mechs ([gssapi.base.types.MechType] or None) – the mechanism types with which these credentials are to be used, or None for the default set
  • cred_usage (bool or None) – how these credentials are going to be used: to accept a context (True), to initiate a context (False), or both (None)
Returns:

a tuple containing the actual credentials, the mechanisms for which these credentials are valid, and the actual TTL (which may be 0) (i.e. (creds, [MechType], ttl))

gssapi.base.impl.canonicalizeName(name, mech_type)

Canonicalizes a GSSAPI Name into a Mechanism Name

This method turns any GSSAPI name into a “mechanism name”, i.e. a name that would be returned as the initiator principal from acceptSecContext.

Warning

Unlike other methods, a mechanism type must be explicitly provided here; no default is available for this method.

Parameters:
  • name – the GSSAPI name to canonicalize
  • mech_type – the mechanism type for which the name is to be canonicalized (no default)
Returns:

a canonicalized name

Return type:

PyCapsule

Raises: GSSError

gssapi.base.impl.compareName(name1, name2)

Compares Two GSSAPI Names

This method compares two GSSAPI names to see if they are equal.

Parameters:
  • name1 – the first name to compare
  • name2 – the second name to compare
Returns:

whether or not the two names are equal

Return type:

bool

gssapi.base.impl.deleteSecContext(context, output_needed=False)

Releases a security context

This method releases a security context, potentially providing an output buffer as the result.

Parameters:
  • context – the context to be released
  • output_needed (bool) – is an output_buffer desired?
Return type:

bytes or None

Returns:

an output token, if requested (otherwise None)

gssapi.base.impl.displayName(name)

Converts a GSSAPI Name into a String

This function is essentially the opposite of importName(): it takes a GSSAPI name and converts it back into a string and name type.

Parameters:
  • name – a GSSAPI name capsule
Returns:

a tuple containing the string version of the name and its name type

Return type:

(bytes, gssapi.base.types.NameType)

Raises: GSSError

gssapi.base.impl.duplicateName(name)

Duplicates a GSSAPI Name

This method duplicates an existing GSSAPI name. Releasing the old name will not release the new name, etc.

Parameters:
  • name – the name to duplicate
Returns:

a new name identical to the old name

Return type:

PyCapsule

Raises: GSSError

gssapi.base.impl.exportName(name)

Exports a GSSAPI Mechanism Name

This method “produces a canonical contiguous string representation of a mechanism name, suitable for direct comparison for use in authorization functions”. The input name must be a valid GSSAPI mechanism name, as generated by acceptSecContext or canonicalizeName.

Note

A mechanism name does not, in fact, refer to the name of a mechanism. Instead, it refers to a canonicalized name, such as the initiator name returned by acceptSecContext.

Parameters:
  • name – a valid GSSAPI mechanism name
Returns:

a string version of the mechanism name

Return type:

bytes

Raises: GSSError

gssapi.base.impl.getMIC(ctx, message, qop=None)

Generates a MIC for a Message

This method generates a cryptographic message integrity code for the supplied message. The QoP can be changed to vary the algorithm used. The output is a token that can be transferred to a peer application.

Parameters:
  • ctx – the current security context
  • message (bytes) – the message for which the MIC is to be generated
  • qop (int or None) – the quality of protection (used to change which algorithm is used) (supply None for default)
Returns:

the MIC encoded into a token

Return type:

bytes

Raises: GSSError

gssapi.base.impl.getMechanismType(mech_type)

Converts a value from the MechType enum into a gss_OID

This method converts a value from the MechType enum into a gss_OID, which can be used in GSSAPI methods such as initSecContext

Parameters:
  • mech_type (MechType) – the mechanism type
Returns:

a gss_OID capsule representing the selected mechanism type

gssapi.base.impl.importName(name, name_type=NameType.hostbased_service)

Gets a GSSAPI Name

This method converts a string name and type into a ‘name’ usable in future calls to GSSAPI.

NOTE: This name needs to be released (with releaseName) when finished

Parameters:
  • name (str) – the plain ‘name’ to obtain
  • name_type (NameType) – the type of the name we are passing in
Return type:

bytes

Returns:

the GSSAPI name string for use in other GSSAPI methods

Raises: GSSError

gssapi.base.impl.indicateMechs()

Gets the Currently Supported GSS Mechanisms

This method gets a list of the GSS mechanisms supported by the current GSSAPI implementation

Returns:

the supported mechanisms

Return type:

[gssapi.base.types.MechType]

Raises: GSSError

gssapi.base.impl.initSecContext(target_name, cred=None, context=None, mech_type=None, flags=None, time=0, channel_bindings=None, input_token=None)

Initializes a GSS Security Context

(Client) This method initializes a GSSAPI security context with the given parameters. The default flags for the flags field are MUTUAL and SEQUENCE.

Parameters:
  • target_name – the name of the target (commonly the server name, retrieved using importName)
  • cred – The handle for credentials claimed (returned from acquireCred), or None to use the default initiator principal
  • context – The current context, or None if this is the first call
  • mech_type – the mechanism type (None for default, otherwise a capsule from getMechanismType())
  • flags ([RequirementFlag]) – the requested flags
  • time (int) – the requested TTL for this context (0 uses the default TTL)
  • channel_bindings – the requested input channel bindings (currently only None is supported)
  • input_token (bytes) – the input token (use None for the first call)
Returns:

a tuple containing the (potentially modified) context, the actual mechanism type used, the output token, the actual flags provided, the actual TTL for this context, and whether or not a continue is needed (i.e. (context, MechType, [RequirementFlag], bytes, TTL, continue_needed))

Raises: GSSError

gssapi.base.impl.releaseCred(cred_obj)

Releases GSSAPI credentials

This method releases GSSAPI credentials that were allocated with acquireCred

Parameters:
  • cred_obj – the credentials object to be released
Returns:

None

gssapi.base.impl.releaseName(name_obj)

Releases a GSSAPI Name

This method releases a GSSAPI name that was allocated with importName

Parameters:
  • name_obj – the name object to be released
Returns:

None

gssapi.base.impl.unwrap(context, message)

Unwraps a wrapped message

This method unwraps a message that was previously wrapped by the other party

Parameters:
  • context (bytes) – the context of the current connection
  • message (bytes) – the input message
Return type:

(bytes, bool, int)

Returns:

a tuple containing the decrypted message, whether confidentiality was used, and the QoP used

Raises: GSSError

gssapi.base.impl.verifyMIC(ctx, message, token, return_bool=False)

Verifies a Message’s MIC

This method verifies that the message matches the given message integrity code (token).

Note

This method does not throw an error on GSS_S_DUPLICATE_TOKEN, which simply indicates that the token was valid and contained the correct MIC for the message, but had already been processed. Instead, it simply returns that the MIC was valid, since this is not really an error.

Parameters:
  • ctx – the current security context
  • message (bytes) – the message in question
  • token (bytes) – the MIC token for the message in question
  • return_bool (bool) – see return value explanation
Returns:

this depends on the value of return_bool. If False, the QoP used to generate the MIC is returned if the verification is successful, and an error is raised otherwise. If True, a tuple is returned containing whether or not the MIC was valid, the QoP used, the major result code, and the minor result code (which can be interpreted with gssapi.base.status_utils.displayStatus())

Return type:

int or (bool, int, int, int)

Raises: GSSError if there is an error and return_bool is set to False

gssapi.base.impl.wrap(context, message, confidential=True, qop=None)

Wraps a message

This method wraps a message with a MIC and potentially encrypts the message using the requested QoP

Parameters:
  • context (bytes) – the context of the current connection
  • message ((unicode) str or bytes) – the message to encrypt
  • confidential (bool) – whether or not to use confidentiality
  • qop (int or None) – specifies the quality of protection required (use None for the default)
Return type:

(bytes, bool)

Returns:

a tuple containing the output message and whether confidentiality was used

Raises: GSSError

gssapi.base.impl.wrapSizeLimit(ctx, output_size, confidential=True, qop=None)

Calculates the Max Message Size

This method calculates the maximum size that a message can be in order to have the wrapped message fit within the given size.

Parameters:
  • ctx – the current security context
  • output_size (int) – the desired maximum wrapped message size
  • confidential (bool) – whether or not encryption is to be used when wrapping the message
  • qop (int or None) – the desired Quality of Protection (or None for default)
Returns:

the max unwrapped message size

Return type:

int

status_utils Module

gssapi.base.status_utils.displayStatus(err_code, is_major_code, mech_type=None, message_context=0)

Convert a GSSAPI status code into a human-readable string

Converts the given general GSSAPI (major) status code or mechanism-specific (minor) status code into a human-readable string. This method may need to be called multiple times, which is what the message_context parameter is for.

Parameters:
  • err_code (int) – the status code in question
  • is_major_code (bool) – is this a general GSS status code (True) or a mechanism-specific status code (False)
  • mech_type – the OID of the mechanism type, or None for the default (currently only None is supported)
  • message_context (int) – the “context” for this call of displayStatus, returned from previous calls to displayStatus
Return type:

(str, int, bool)

Returns:

a tuple containing the result message, the message context for any further calls, and whether or not further calls can be made

types Module

exception gssapi.base.types.GSSError(maj_code, min_code)

Bases: exceptions.Exception

GSSAPI Error

This Exception represents an error returned from the GSSAPI C bindings. It contains the major and minor status codes returned by the method which caused the error, and can generate human-readable string messages from the error codes.

gen_message()

Retrieves all messages for this error’s status codes

This method retrieves all messages for this error’s status codes, and forms them into a string for use as an exception message

Return type:

str

Returns:

a string for use as this error’s message

get_all_statuses(code, is_maj)

Retrieves all messages for a status code

This method retrieves all human-readable messages available for the given status code.

Parameters:
  • code (int) – the status code in question
  • is_maj (bool) – whether this is a major status code (True) or minor status code (False)
Return type:

[str]

Returns:

a list of string messages for this error code

class gssapi.base.types.MechType

Bases: flufl.enum._enum.IntEnum

GSSAPI Mechanism Types

This IntEnum represents explicit GSSAPI mechanism types (to be used with initSecContext).

Note that the integers behind these enum members do not correspond to any numbers in the GSSAPI C bindings, and are subject to change at any point.

kerberos = <EnumValue: MechType.kerberos [value=0]>
class gssapi.base.types.NameType

Bases: flufl.enum._enum.IntEnum

GSSAPI Name Types

This IntEnum represents GSSAPI name types (to be used with importName, etc.).

Note that the integers behind these enum members do not correspond to any numbers in the GSSAPI C bindings, and are subject to change at any point.

anonymous = <EnumValue: NameType.anonymous [value=3]>
export = <EnumValue: NameType.export [value=6]>
hostbased_service = <EnumValue: NameType.hostbased_service [value=0]>
machine_uid = <EnumValue: NameType.machine_uid [value=4]>
principal = <EnumValue: NameType.principal [value=1]>
string_uid = <EnumValue: NameType.string_uid [value=5]>
user = <EnumValue: NameType.user [value=2]>
class gssapi.base.types.RequirementFlag

Bases: flufl.enum._enum.IntEnum

GSSAPI Requirement Flags

This IntEnum represents flags to be used in the service flags parameter of initSecContext.

The numbers behind the values correspond directly to their C counterparts.

anonymous = <EnumValue: RequirementFlag.anonymous [value=6]>
confidentiality = <EnumValue: RequirementFlag.confidentiality [value=4]>
delegate_to_peer = <EnumValue: RequirementFlag.delegate_to_peer [value=0]>
integrity = <EnumValue: RequirementFlag.integrity [value=5]>
mutual_authentication = <EnumValue: RequirementFlag.mutual_authentication [value=1]>
out_of_sequence_detection = <EnumValue: RequirementFlag.out_of_sequence_detection [value=3]>
replay_detection = <EnumValue: RequirementFlag.replay_detection [value=2]>
transferable = <EnumValue: RequirementFlag.transferable [value=7]>
