github/plexpy
1
0
Fork 0
mirror of https://github.com/Tautulli/Tautulli.git synced 2025-07-06 13:11:15 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Bump dnspython from 2.0.0 to 2.2.0 (#1618)

Browse source 
* Bump dnspython from 2.0.0 to 2.2.0

Bumps [dnspython]() from 2.0.0 to 2.2.0.

---
updated-dependencies:
- dependency-name: dnspython
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update dnspython==2.2.0

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: JonnyWong16 <9099342+JonnyWong16@users.noreply.github.com>

[skip ci]
This commit is contained in:
dependabot[bot] 2022-01-25 11:08:24 -08:00 committed by GitHub
parent 515a5d42d3
commit 3c93b5600f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
143 changed files with 7498 additions and 2054 deletions
Download patch file Download diff file Expand all files Collapse all files

170
lib/dns/tsig.py
View file

@ -71,31 +71,142 @@ class PeerBadTruncation(PeerError):
"""The peer didn't like amount of truncation in the TSIG we sent"""
# TSIG Algorithms
HMAC_MD5 = dns.name.from_text("HMAC-MD5.SIG-ALG.REG.INT")
HMAC_SHA1 = dns.name.from_text("hmac-sha1")
HMAC_SHA224 = dns.name.from_text("hmac-sha224")
HMAC_SHA256 = dns.name.from_text("hmac-sha256")
HMAC_SHA256_128 = dns.name.from_text("hmac-sha256-128")
HMAC_SHA384 = dns.name.from_text("hmac-sha384")
HMAC_SHA384_192 = dns.name.from_text("hmac-sha384-192")
HMAC_SHA512 = dns.name.from_text("hmac-sha512")
_hashes = {
HMAC_SHA224: hashlib.sha224,
HMAC_SHA256: hashlib.sha256,
HMAC_SHA384: hashlib.sha384,
HMAC_SHA512: hashlib.sha512,
HMAC_SHA1: hashlib.sha1,
HMAC_MD5: hashlib.md5,
}
HMAC_SHA512_256 = dns.name.from_text("hmac-sha512-256")
GSS_TSIG = dns.name.from_text("gss-tsig")
default_algorithm = HMAC_SHA256
class GSSTSig:
"""
GSS-TSIG TSIG implementation. This uses the GSS-API context established
in the TKEY message handshake to sign messages using GSS-API message
integrity codes, per the RFC.
In order to avoid a direct GSSAPI dependency, the keyring holds a ref
to the GSSAPI object required, rather than the key itself.
"""
def __init__(self, gssapi_context):
self.gssapi_context = gssapi_context
self.data = b''
self.name = 'gss-tsig'
def update(self, data):
self.data += data
def sign(self):
# defer to the GSSAPI function to sign
return self.gssapi_context.get_signature(self.data)
def verify(self, expected):
try:
# defer to the GSSAPI function to verify
return self.gssapi_context.verify_signature(self.data, expected)
except Exception:
# note the usage of a bare exception
raise BadSignature
class GSSTSigAdapter:
def __init__(self, keyring):
self.keyring = keyring
def __call__(self, message, keyname):
if keyname in self.keyring:
key = self.keyring[keyname]
if isinstance(key, Key) and key.algorithm == GSS_TSIG:
if message:
GSSTSigAdapter.parse_tkey_and_step(key, message, keyname)
return key
else:
return None
@classmethod
def parse_tkey_and_step(cls, key, message, keyname):
# if the message is a TKEY type, absorb the key material
# into the context using step(); this is used to allow the
# client to complete the GSSAPI negotiation before attempting
# to verify the signed response to a TKEY message exchange
try:
rrset = message.find_rrset(message.answer, keyname,
dns.rdataclass.ANY,
dns.rdatatype.TKEY)
if rrset:
token = rrset[0].key
gssapi_context = key.secret
return gssapi_context.step(token)
except KeyError:
pass
class HMACTSig:
"""
HMAC TSIG implementation. This uses the HMAC python module to handle the
sign/verify operations.
"""
_hashes = {
HMAC_SHA1: hashlib.sha1,
HMAC_SHA224: hashlib.sha224,
HMAC_SHA256: hashlib.sha256,
HMAC_SHA256_128: (hashlib.sha256, 128),
HMAC_SHA384: hashlib.sha384,
HMAC_SHA384_192: (hashlib.sha384, 192),
HMAC_SHA512: hashlib.sha512,
HMAC_SHA512_256: (hashlib.sha512, 256),
HMAC_MD5: hashlib.md5,
}
def __init__(self, key, algorithm):
try:
hashinfo = self._hashes[algorithm]
except KeyError:
raise NotImplementedError(f"TSIG algorithm {algorithm} " +
"is not supported")
# create the HMAC context
if isinstance(hashinfo, tuple):
self.hmac_context = hmac.new(key, digestmod=hashinfo[0])
self.size = hashinfo[1]
else:
self.hmac_context = hmac.new(key, digestmod=hashinfo)
self.size = None
self.name = self.hmac_context.name
if self.size:
self.name += f'-{self.size}'
def update(self, data):
return self.hmac_context.update(data)
def sign(self):
# defer to the HMAC digest() function for that digestmod
digest = self.hmac_context.digest()
if self.size:
digest = digest[: (self.size // 8)]
return digest
def verify(self, expected):
# re-digest and compare the results
mac = self.sign()
if not hmac.compare_digest(mac, expected):
raise BadSignature
def _digest(wire, key, rdata, time=None, request_mac=None, ctx=None,
multi=None):
"""Return a context containing the TSIG rdata for the input parameters
@rtype: hmac.HMAC object
@rtype: dns.tsig.HMACTSig or dns.tsig.GSSTSig object
@raises ValueError: I{other_data} is too long
@raises NotImplementedError: I{algorithm} is not supported
"""
@ -131,7 +242,7 @@ def _digest(wire, key, rdata, time=None, request_mac=None, ctx=None,
def _maybe_start_digest(key, mac, multi):
"""If this is the first message in a multi-message sequence,
start a new context.
@rtype: hmac.HMAC object
@rtype: dns.tsig.HMACTSig or dns.tsig.GSSTSig object
"""
if multi:
ctx = get_context(key)
@ -146,17 +257,14 @@ def sign(wire, key, rdata, time=None, request_mac=None, ctx=None, multi=False):
"""Return a (tsig_rdata, mac, ctx) tuple containing the HMAC TSIG rdata
for the input parameters, the HMAC MAC calculated by applying the
TSIG signature algorithm, and the TSIG digest context.
@rtype: (string, hmac.HMAC object)
@rtype: (string, dns.tsig.HMACTSig or dns.tsig.GSSTSig object)
@raises ValueError: I{other_data} is too long
@raises NotImplementedError: I{algorithm} is not supported
"""
ctx = _digest(wire, key, rdata, time, request_mac, ctx, multi)
mac = ctx.digest()
tsig = dns.rdtypes.ANY.TSIG.TSIG(dns.rdataclass.ANY, dns.rdatatype.TSIG,
key.algorithm, time, rdata.fudge, mac,
rdata.original_id, rdata.error,
rdata.other)
mac = ctx.sign()
tsig = rdata.replace(time_signed=time, mac=mac)
return (tsig, _maybe_start_digest(key, mac, multi))
@ -169,7 +277,7 @@ def validate(wire, key, owner, rdata, now, request_mac, tsig_start, ctx=None,
@raises BadTime: There is too much time skew between the client and the
server.
@raises BadSignature: The TSIG signature did not validate
@rtype: hmac.HMAC object"""
@rtype: dns.tsig.HMACTSig or dns.tsig.GSSTSig object"""
(adcount,) = struct.unpack("!H", wire[10:12])
if adcount == 0:
@ -194,25 +302,21 @@ def validate(wire, key, owner, rdata, now, request_mac, tsig_start, ctx=None,
if key.algorithm != rdata.algorithm:
raise BadAlgorithm
ctx = _digest(new_wire, key, rdata, None, request_mac, ctx, multi)
mac = ctx.digest()
if not hmac.compare_digest(mac, rdata.mac):
raise BadSignature
return _maybe_start_digest(key, mac, multi)
ctx.verify(rdata.mac)
return _maybe_start_digest(key, rdata.mac, multi)
def get_context(key):
"""Returns an HMAC context foe the specified key.
"""Returns an HMAC context for the specified key.
@rtype: HMAC context
@raises NotImplementedError: I{algorithm} is not supported
"""
try:
digestmod = _hashes[key.algorithm]
except KeyError:
raise NotImplementedError(f"TSIG algorithm {key.algorithm} " +
"is not supported")
return hmac.new(key.secret, digestmod=digestmod)
if key.algorithm == GSS_TSIG:
return GSSTSig(key.secret)
else:
return HMACTSig(key.secret, key.algorithm)
class Key:
@ -232,3 +336,11 @@ class Key:
self.name == other.name and
self.secret == other.secret and
self.algorithm == other.algorithm)
def __repr__(self):
r = f"<DNS key name='{self.name}', " + \
f"algorithm='{self.algorithm}'"
if self.algorithm != GSS_TSIG:
r += f", secret='{base64.b64encode(self.secret).decode()}'"
r += ">"
return r