jborean93 / pyspnego

Python SPNEGO authentication library
MIT License

Fix SPNEGO mechListMIC logic #17

Closed jborean93 closed 3 years ago

jborean93 commented 3 years ago

Older SPNEGO logic with NTLM (and possibly others) had the mechListMIC in the NegTokenResp set to the same value as the responseToken. While most modern servers no longer do this, it's still possible to encounter something out there that still follows this behaviour, causing the client to fail the authentication because the mechListMIC was invalid:

SpnegoError (6): A token had an invalid Message Integrity Check (MIC), Context: Invalid Message integrity Check (MIC) detected

When checking MIT krb5 we can see that they ignore the duplicate value when it matches what is set for responseToken so this behaviour is just replicated here https://github.com/krb5/krb5/blob/3f5a348287646d65700854650fe668b9c4249013/src/lib/gssapi/spnego/spnego_mech.c#L3734-L3744.

Fixes https://github.com/jborean93/smbprotocol/issues/137 - where the issue was originally reported
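
The duplicate-handling rule described in the pull request description above, as an added example that is not pyspnego's or MIT krb5's code. `NegTokenResp`, `toy_mic` and `check_mech_list_mic` are hypothetical names, the token bytes are constructed, and HMAC-SHA256 stands in for the negotiated mechanism's real MIC routine.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

class InvalidMIC(Exception):
    """Raised when a mechListMIC that must be checked does not verify."""

@dataclass
class NegTokenResp:
    # Hypothetical, simplified model: only the two fields discussed above.
    response_token: Optional[bytes] = None
    mech_list_mic: Optional[bytes] = None

def toy_mic(key: bytes, mech_list: bytes) -> bytes:
    # Stand-in (assumption) for the mechanism's MIC over the encoded mech list.
    return hmac.new(key, mech_list, hashlib.sha256).digest()

def check_mech_list_mic(resp: NegTokenResp, key: bytes, mech_list: bytes) -> str:
    """Return 'verified', 'ignored-duplicate' or 'absent'; raise InvalidMIC otherwise."""
    mic = resp.mech_list_mic
    # Legacy quirk: the acceptor copied responseToken into mechListMIC.
    # Drop it only on exact byte equality so any other value is still verified.
    if mic is not None and resp.response_token is not None and mic == resp.response_token:
        return "ignored-duplicate"
    if mic is None:
        # Whether a missing MIC is acceptable depends on negotiation state; not modelled here.
        return "absent"
    if not hmac.compare_digest(mic, toy_mic(key, mech_list)):
        raise InvalidMIC("Invalid Message Integrity Check (MIC) detected")
    return "verified"

def demo() -> list:
    key = b"constructed-session-key"
    mechs = b"constructed-der-mechTypes"
    ntlm_token = b"constructed-ntlm-challenge-bytes"
    results = [
        check_mech_list_mic(NegTokenResp(ntlm_token, toy_mic(key, mechs)), key, mechs),
        check_mech_list_mic(NegTokenResp(ntlm_token, ntlm_token), key, mechs),
        check_mech_list_mic(NegTokenResp(ntlm_token, None), key, mechs),
    ]
    try:
        check_mech_list_mic(NegTokenResp(ntlm_token, b"tampered"), key, mechs)
    except InvalidMIC:
        results.append("rejected")
    return results

if __name__ == "__main__":
    print(demo())
```

The last case shows that only an exact copy of the responseToken is skipped: any other mechListMIC value that fails verification still produces the invalid MIC error.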

codecov[bot] commented 3 years ago

Codecov Report

Merging #17 (0561e98) into main (35395ba) will increase coverage by 0.00%. The diff coverage is 100.00%.


@@           Coverage Diff           @@
##             main      #17   +/-   ##
=======================================
  Coverage   99.58%   99.58%           
=======================================
  Files          25       25           
  Lines        4302     4304    +2     
=======================================
+ Hits         4284     4286    +2     
  Misses         18       18           

| Impacted Files | Coverage Δ |
|---|---|
| spnego/negotiate.py | 100.00% <100.00%> (ø) |


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 35395ba...0561e98.