Add require_cbt support on HTTP (not S) server (#4726)

gpotter2 · web-flow · commit e44c79e9219a · 2025-04-22T15:35:52.000+02:00
diff --git a/scapy/layers/gssapi.py b/scapy/layers/gssapi.py
@@ -346,9 +346,13 @@ def fromssl(
             # RFC5929 sect 4.1
             if h == hashes.MD5 or h == hashes.SHA1:
                 h = hashes.SHA256
+            # Get bytes of first certificate if there are multiple
+            c = cert.x509Cert.copy()
+            c.remove_payload()
+            cdata = bytes(c)
             # Calc hash of certificate
             digest = hashes.Hash(h)
-            digest.update(bytes(cert.x509Cert))
+            digest.update(cdata)
             cbdata = digest.finalize()
         elif token_type == ChannelBindingType.TLS_UNIQUE:
             # RFC5929 sect 3
@@ -414,7 +418,7 @@ class CONTEXT:
 
         __slots__ = ["state", "_flags", "passive"]
 
-        def __init__(self, req_flags: Optional['GSS_C_FLAGS | GSS_S_FLAGS'] = None):
+        def __init__(self, req_flags: Optional["GSS_C_FLAGS | GSS_S_FLAGS"] = None):
             if req_flags is None:
                 # Default
                 req_flags = (
diff --git a/scapy/layers/http.py b/scapy/layers/http.py
@@ -1027,6 +1027,9 @@ class HTTP_Server(Automaton):
 
     :param ssp: the SSP to serve. If None, unauthenticated (or basic).
     :param mech: the HTTP_AUTH_MECHS to use (default: NONE)
+    :param require_cbt: require Channel Bindings to be valid (default: False)
+    :param cbt_cert: the path to the certificate used for channel bindings.
+                     Useful if behind a reverse proxy. (default: None)
 
     Other parameters:
 
@@ -1042,6 +1045,8 @@ def __init__(
         mech=HTTP_AUTH_MECHS.NONE,
         verb=True,
         ssp=None,
+        require_cbt: bool = False,
+        cbt_cert: str = None,
         *args,
         **kwargs,
     ):
@@ -1053,8 +1058,20 @@ def __init__(
         self.ssp = ssp
         self.authmethod = mech.value
         self.sspcontext = None
+
+        # CBT settings
         self.ssp_req_flags = GSS_S_FLAGS.GSS_S_ALLOW_MISSING_BINDINGS
-        self.chan_bindings = GSS_C_NO_CHANNEL_BINDINGS
+        if require_cbt:
+            self.ssp_req_flags &= ~GSS_S_FLAGS.GSS_S_ALLOW_MISSING_BINDINGS
+        if cbt_cert:
+            self.chan_bindings = GssChannelBindings.fromssl(
+                ChannelBindingType.TLS_SERVER_END_POINT,
+                certfile=cbt_cert,
+            )
+        else:
+            self.chan_bindings = GSS_C_NO_CHANNEL_BINDINGS
+
+        # Auth settings
         self.basic = False
         self.BASIC_IDENTITIES = kwargs.pop("BASIC_IDENTITIES", {})
         self.BASIC_REALM = kwargs.pop("BASIC_REALM", "default")
@@ -1311,16 +1328,8 @@ def __init__(
             mech=mech,
             verb=verb,
             ssp=ssp,
+            cbt_cert=cert,
+            require_cbt=require_cbt,
             *args,
             **kwargs,
         )
-
-        # Set channel binding
-        if cert:
-            self.chan_bindings = GssChannelBindings.fromssl(
-                ChannelBindingType.TLS_SERVER_END_POINT,
-                certfile=cert,
-            )
-        if require_cbt:
-            # We require CBT by removing GSS_S_ALLOW_MISSING_BINDINGS
-            self.ssp_req_flags &= ~GSS_S_FLAGS.GSS_S_ALLOW_MISSING_BINDINGS
