Hello community, here is the log from the commit of package python-pyspnego for openSUSE:Factory checked in at 2020-12-04 21:29:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-pyspnego (Old) and /work/SRC/openSUSE:Factory/.python-pyspnego.new.5913 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyspnego"
Fri Dec 4 21:29:18 2020 rev:4 rq:853075 version:0.1.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyspnego/python-pyspnego.changes 2020-11-02 09:41:45.109688135 +0100
+++ /work/SRC/openSUSE:Factory/.python-pyspnego.new.5913/python-pyspnego.changes 2020-12-04 21:29:19.646197106 +0100
@@ -1,0 +2,9 @@
+Fri Dec 4 08:13:16 UTC 2020 - Martin Hauke <mar...@gmx.de>
+
+- Update to version 0.1.4
+ * Only send negState: request-mic for the first reply from an
+ acceptor for Negotiate auth.
+ * Strict interpretations of SPNEGO will fail if the initiator
+ sends this state as it is against the RFC.
+
+-------------------------------------------------------------------
Old:
----
pyspnego-0.1.3.tar.gz
New:
----
pyspnego-0.1.4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-pyspnego.spec ++++++
--- /var/tmp/diff_new_pack.mwLcUr/_old 2020-12-04 21:29:20.150197829 +0100
+++ /var/tmp/diff_new_pack.mwLcUr/_new 2020-12-04 21:29:20.154197835 +0100
@@ -19,7 +19,7 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
 Name: python-pyspnego
-Version: 0.1.3
+Version: 0.1.4
 Release: 0
 Summary: Python SPNEGO authentication library
 License: MIT
++++++ pyspnego-0.1.3.tar.gz -> pyspnego-0.1.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyspnego-0.1.3/CHANGELOG.md new/pyspnego-0.1.4/CHANGELOG.md
--- old/pyspnego-0.1.3/CHANGELOG.md 2020-10-29 09:25:04.000000000 +0100
+++ new/pyspnego-0.1.4/CHANGELOG.md 2020-12-02 10:24:05.000000000 +0100
@@ -1,8 +1,13 @@
 # Changelog
+## 0.1.4 - 2020-12-02
+
+* Only send `negState: request-mic` for the first reply from an acceptor for Negotiate auth.
+ * Strict interpretations of SPNEGO will fail if the initiator sends this state as it is against the RFC.
+
 ## 0.1.3 - 2020-10-29
-* Added Python 3.9 to CI and build Windows wheel for this versoin
+* Added Python 3.9 to CI and build Windows wheel for this version
 ## 0.1.2 - 2020-10-01
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyspnego-0.1.3/azure-pipelines.yml new/pyspnego-0.1.4/azure-pipelines.yml
--- old/pyspnego-0.1.3/azure-pipelines.yml 2020-10-29 09:25:04.000000000 +0100
+++ new/pyspnego-0.1.4/azure-pipelines.yml 2020-12-02 10:24:05.000000000 +0100
@@ -49,6 +49,7 @@
 versionSpec: $(python.version)
 - script: |
+ sudo apt-get update
 sudo apt-get install -y \
 gcc \
 gss-ntlmssp \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyspnego-0.1.3/spnego/_version.py new/pyspnego-0.1.4/spnego/_version.py
--- old/pyspnego-0.1.3/spnego/_version.py 2020-10-29 09:25:04.000000000 +0100
+++ new/pyspnego-0.1.4/spnego/_version.py 2020-12-02 10:24:05.000000000 +0100
@@ -4,4 +4,4 @@
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type # noqa (fixes E402 for the imports below)
-__version__ = '0.1.3'
+__version__ = '0.1.4'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyspnego-0.1.3/spnego/negotiate.py new/pyspnego-0.1.4/spnego/negotiate.py
--- old/pyspnego-0.1.3/spnego/negotiate.py 2020-10-29 09:25:04.000000000 +0100
+++ new/pyspnego-0.1.4/spnego/negotiate.py 2020-12-02 10:24:05.000000000 +0100
@@ -169,15 +169,18 @@
 self._init_sent = True
 self._mech_list = in_token.mech_types
+ # If the preferred initiator token does not match the preferred acceptor token then the acceptor
+ # must send the request-mic negState.
+ preferred_mech = self._preferred_mech_list()[0]
+ if preferred_mech.value != in_token.mech_types[0]:
+ self._mic_required = True
+
 elif isinstance(in_token, NegTokenResp):
 mech_list_mic = in_token.mech_list_mic
 token = in_token.response_token
 # If we have received the supported_mech then we don't need to send our own.
 if in_token.supported_mech:
- if in_token.supported_mech != self._chosen_mech.value:
- self._mic_required = True
-
 self.__chosen_mech = GSSMech.from_oid(in_token.supported_mech)
 self._mech_sent = True
@@ -237,7 +240,7 @@
 if self._mic_sent:
 self._complete = True
- if self._mic_required and not self._mic_sent:
+ if self._context.complete and self._mic_required and not self._mic_sent:
 out_mic = self.sign(pack_mech_type_list(self._mech_list))
 self._reset_ntlm_crypto_state()
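Review bot: In the `@@ -169,15 +169,18 @@` hunk of spnego/negotiate.py, `self._preferred_mech_list()[0]` and `in_token.mech_types[0]` are both indexed without a length check, and `in_token` is the peer's NegTokenInit, so an empty mechTypes list (or an empty result from the `_preferred_mech_list` helper added in the `@@ -325,6 +329,11 @@` hunk) would surface as a bare IndexError instead of a negotiation failure. A guard such as `if not in_token.mech_types:` that raises whichever error type this module already uses for malformed tokens would keep the failure typed; whether the token unpacker already rejects an empty list is not visible here. The same hunk removes the initiator-side comparison that set `self._mic_required` when the acceptor's `supported_mech` differed from the chosen one, so it is worth confirming that code outside the hunk sets the flag when the acceptor answers with request-mic, since the mechListMIC is what protects the mechanism list against downgrade. The enclosing method starts and ends outside the hunk.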
@@ -259,21 +262,22 @@
 return NegTokenInit(self._mech_list, **init_kwargs).pack()
 elif not self.complete:
+ state = NegState.accept_incomplete
+
 # As per RFC 4178 - 4.2.2: supportedMech should only be present in the first reply from the target.
+ # Also 'negState: request-mic' MUST only be in the first reply from the target if it is needed.
 # https://tools.ietf.org/html/rfc4178#section-4.2.2
 supported_mech = None
 if not self._mech_sent:
 supported_mech = self._chosen_mech.value
- self._mech_sent = True
+ if self._mic_required:
+ state = NegState.request_mic
- state = NegState.accept_incomplete
+ self._mech_sent = True
- if self._context.complete:
- if self._mic_sent and not self._mic_recv:
- state = NegState.request_mic
- else:
- state = NegState.accept_complete
- self._complete = True
+ if self._context.complete and (not self._mic_required or (self._mic_sent and self._mic_recv)):
+ state = NegState.accept_complete
+ self._complete = True
 return NegTokenResp(neg_state=state, supported_mech=supported_mech, response_token=out_token, mech_list_mic=out_mic).pack()
@@ -325,6 +329,11 @@
 def _convert_iov_buffer(self, iov):
 pass # Handled in the underlying context. # pragma: no cover
+ def _preferred_mech_list(self): # type: () -> List[GSSMech]
+ """ Get a list of mechs that can be used in priority order (highest to lowest). """
+ available_protocols = [p for p in self.available_protocols(self.options) if p != 'negotiate']
+ return [getattr(GSSMech, p) for p in available_protocols]
+
 def _rebuild_context_list(self, mech_types=None): # type: (Optional[List[str]]) -> List[str]
 """ Builds a new context list that are available to the client. """
 context_kwargs = {
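Review bot: The completion test `self._context.complete and (not self._mic_required or (self._mic_sent and self._mic_recv))` in the `@@ -259,21 +262,22 @@` hunk is the gate that keeps the acceptor from reporting accept-completed before the mechListMIC exchange has finished, and it carries no comment. I would add one directly above it, for example `# Only complete once the inner context is done and, when a MIC is required, it has been both sent and received.` The hunk does not show where `_mic_recv` is set, so the comment should say "received and verified" only if that is what the flag records. The enclosing method starts and ends outside the hunk.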
@@ -338,19 +347,17 @@
 'options': self.options,
 '_is_wrapped': True,
 }
- gssapi_protocols = [p for p in GSSAPIProxy.available_protocols(options=self.options) if p != 'negotiate']
- all_protocols = gssapi_protocols[:]
- if 'ntlm' not in all_protocols:
- all_protocols.append('ntlm')
+ gssapi_protocols = GSSAPIProxy.available_protocols(options=self.options)
+ all_protocols = self._preferred_mech_list()
 self._context_list = collections.OrderedDict()
 mech_list = []
 last_err = None
- for protocol in all_protocols:
- mech = getattr(GSSMech, protocol)
+ for mech in all_protocols:
 if mech_types and mech.value not in mech_types:
 continue
+ protocol = mech.name
 try:
 proxy_obj = GSSAPIProxy if protocol in gssapi_protocols else NTLMProxy
 context = proxy_obj(protocol=protocol, **context_kwargs)
_______________________________________________
openSUSE Commits mailing list -- commit@lists.opensuse.org
To unsubscribe, email commit-le...@lists.opensuse.org
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/commit@lists.opensuse.org
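Review bot: In the `@@ -338,19 +347,17 @@` hunk, `all_protocols` now holds `GSSMech` members rather than protocol names, so the name no longer matches its contents; `preferred_mechs = self._preferred_mech_list()` with `for mech in preferred_mechs:` would read more truthfully. The explicit `if 'ntlm' not in all_protocols:` fallback that appended `'ntlm'` is also gone, so whether NTLM is still offered, and in which position, now depends on `self.available_protocols`, which is outside the hunk. Because the first entry of this list decides whether request-mic is sent, a short comment stating the expected ordering would help the next reader. The function body starts before and continues past the hunk.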