asyncssh 2.15.0__tar.gz → 2.16.0__tar.gz

{asyncssh-2.15.0 → asyncssh-2.16.0}/CONTRIBUTING.rst

@@ -68,19 +68,18 @@ contributors list.
 Branches
 --------
 
-There are two long-lived branches in AsyncSSH at the moment:
+There are two long-lived branches in AsyncSSH:
 
 * The master branch is intended to contain the latest stable version
   of the code. All official versions of AsyncSSH are released from
   this branch, and each release has a corresponding tag added
-  matching its release number. Bug fixes and simple improvements
-  may be checked directly into this branch, but most new features
-  will be added to the develop branch first.
-
-* The develop branch is intended to contain features for developers
-  to test before they are ready to be added to an official release.
-  APIs in the develop branch may be subject to change until they
-  are migrated back to master, and there's no guarantee of backward
+  matching its release number.
+
+* The develop branch is intended to contain new features and bug fixes
+  ready to be tested before being added to an official release. APIs
+  in the develop branch may be subject to change until they are
+  migrated back to master, and there's no guarantee of backward
   compatibility in this branch. However, pulling from this branch
   will provide early access to new functionality and a chance to
-  influence this functionality before it is released.
+  influence this functionality before it is released. Also, all
+  pull requests should be submitted against this branch.

{asyncssh-2.15.0/asyncssh.egg-info → asyncssh-2.16.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: asyncssh
-Version: 2.15.0
+Version: 2.16.0
 Summary: AsyncSSH: Asynchronous SSHv2 client and server library
 Home-page: http://asyncssh.timeheart.net
 Author: Ron Frederick

{asyncssh-2.15.0 → asyncssh-2.16.0}/asyncssh/config.py

@@ -321,11 +321,15 @@ class SSHConfig:
 
                 args = []
                 loption = ''
+                allow_equal = True
 
                 for i, arg in enumerate(split_args, 1):
                     if arg.startswith('='):
                         if len(arg) > 1:
                             args.append(arg[1:])
+                    elif not allow_equal:
+                        args.extend(split_args[i-1:])
+                        break
                     elif arg.endswith('='):
                         args.append(arg[:-1])
                     elif '=' in arg:
@@ -337,9 +341,7 @@ class SSHConfig:
 
                     if i == 1:
                         loption = args.pop(0).lower()
-                    elif i > 1 and loption not in self._conditionals:
-                        args.extend(split_args[i:])
-                        break
+                        allow_equal = loption in self._conditionals
 
                 if loption in self._no_split:
                     args = [line.lstrip()[len(loption):].strip()]
@@ -423,7 +425,7 @@ class SSHClientConfig(SSHConfig):
     """Settings from an OpenSSH client config file"""
 
     _conditionals = {'host', 'match'}
-    _no_split = {'remotecommand'}
+    _no_split = {'proxycommand', 'remotecommand'}
     _percent_expand = {'CertificateFile', 'IdentityAgent',
                        'IdentityFile', 'ProxyCommand', 'RemoteCommand'}
 
@@ -557,7 +559,7 @@ class SSHClientConfig(SSHConfig):
         ('PKCS11Provider',                  SSHConfig._set_string),
         ('PreferredAuthentications',        SSHConfig._set_string),
         ('Port',                            SSHConfig._set_int),
-        ('ProxyCommand',                    SSHConfig._set_string_list),
+        ('ProxyCommand',                    SSHConfig._set_string),
         ('ProxyJump',                       SSHConfig._set_string),
         ('PubkeyAuthentication',            SSHConfig._set_bool),
         ('RekeyLimit',                      SSHConfig._set_rekey_limits),

{asyncssh-2.15.0 → asyncssh-2.16.0}/asyncssh/connection.py

@@ -115,7 +115,7 @@ from .misc import ProtocolNotSupported, ServiceNotAvailable
 from .misc import TermModesArg, TermSizeArg
 from .misc import async_context_manager, construct_disc_error
 from .misc import get_symbol_names, ip_address, map_handler_name
-from .misc import parse_byte_count, parse_time_interval
+from .misc import parse_byte_count, parse_time_interval, split_args
 
 from .packet import Boolean, Byte, NameList, String, UInt32, PacketDecodeError
 from .packet import SSHPacket, SSHPacketHandler, SSHPacketLogger
@@ -185,6 +185,10 @@ _ProtocolFactory = Union[_ClientFactory, _ServerFactory]
 _Conn = TypeVar('_Conn', bound='SSHConnection')
 _Options = TypeVar('_Options', bound='SSHConnectionOptions')
 
+_ServerHostKeysHandler = Optional[Callable[[List[SSHKey], List[SSHKey],
+                                            List[SSHKey], List[SSHKey]],
+                                           MaybeAwait[None]]]
+
 class _TunnelProtocol(Protocol):
     """Base protocol for connections to tunnel SSH over"""
 
@@ -227,7 +231,7 @@ _GlobalRequest = Tuple[Optional[_PacketHandler], SSHPacket, bool]
 _GlobalRequestResult = Tuple[int, SSHPacket]
 _KeyOrCertOptions = Mapping[str, object]
 _ListenerArg = Union[bool, SSHListener]
-_ProxyCommand = Optional[Sequence[str]]
+_ProxyCommand = Optional[Union[str, Sequence[str]]]
 _RequestPTY = Union[bool, str]
 
 _TCPServerHandlerFactory = Callable[[str, int], SSHSocketSessionFactory]
@@ -1068,7 +1072,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
             self._set_keepalive_timer()
             self.create_task(self._make_keepalive_request())
 
-    def _force_close(self, exc: Optional[BaseException]) -> None:
+    def _force_close(self, exc: Optional[Exception]) -> None:
         """Force this connection to close immediately"""
 
         if not self._transport:
@@ -1309,7 +1313,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
             error_logger = self.logger
 
         error_logger.debug1('Uncaught exception', exc_info=exc_info)
-        self._force_close(exc_info[1])
+        self._force_close(cast(Exception, exc_info[1]))
 
     def session_started(self) -> None:
         """Handle session start when opening tunneled SSH connection"""
@@ -1995,6 +1999,11 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
                 not self._waiter.cancelled():
             self._waiter.set_result(None)
             self._wait = None
+            return
+
+        # This method is only in SSHServerConnection
+        # pylint: disable=no-member
+        cast(SSHServerConnection, self).send_server_host_keys()
 
     def send_channel_open_confirmation(self, send_chan: int, recv_chan: int,
                                        recv_window: int, recv_pktsize: int,
@@ -2012,6 +2021,13 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         self.send_packet(MSG_CHANNEL_OPEN_FAILURE, UInt32(send_chan),
                          UInt32(code), String(reason), String(lang))
 
+    def _send_global_request(self, request: bytes, *args: bytes,
+                             want_reply: bool = False) -> None:
+        """Send a global request"""
+
+        self.send_packet(MSG_GLOBAL_REQUEST, String(request),
+                         Boolean(want_reply), *args)
+
     async def _make_global_request(self, request: bytes,
                                    *args: bytes) -> Tuple[int, SSHPacket]:
         """Send a global request and wait for the response"""
@@ -2024,8 +2040,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
 
         self._global_request_waiters.append(waiter)
 
-        self.send_packet(MSG_GLOBAL_REQUEST, String(request),
-                         Boolean(True), *args)
+        self._send_global_request(request, *args, want_reply=True)
 
         return await waiter
 
@@ -3266,6 +3281,8 @@ class SSHClientConnection(SSHConnection):
         self._server_host_key_algs: Optional[Sequence[bytes]] = None
         self._server_host_key: Optional[SSHKey] = None
 
+        self._server_host_keys_handler = options.server_host_keys_handler
+
         self._username = options.username
         self._password = options.password
 
@@ -3580,6 +3597,8 @@ class SSHClientConnection(SSHConnection):
             self._get_agent_keys = False
 
         if self._get_pkcs11_keys:
+            assert self._pkcs11_provider is not None
+
             pkcs11_keys = await self._loop.run_in_executor(
                 None, load_pkcs11_keys, self._pkcs11_provider, self._pkcs11_pin)
 
@@ -3924,6 +3943,80 @@ class SSHClientConnection(SSHConnection):
             raise ChannelOpenError(OPEN_CONNECT_FAILED,
                                    'Auth agent forwarding disabled')
 
+    def _process_hostkeys_00_at_openssh_dot_com_global_request(
+            self, packet: SSHPacket) -> None:
+        """Process a list of accepted server host keys"""
+
+        self.create_task(self._finish_hostkeys(packet))
+
+    async def _finish_hostkeys(self, packet: SSHPacket) -> None:
+        """Finish processing hostkeys global request"""
+
+        if not self._server_host_keys_handler:
+            self.logger.debug1('Ignoring server host key message: no handler')
+            self._report_global_response(False)
+            return
+
+        if self._trusted_host_keys is None:
+            self.logger.info('Server host key not verified: handler disabled')
+            self._report_global_response(False)
+            return
+
+        added = []
+        removed = list(self._trusted_host_keys)
+        retained = []
+        revoked = []
+        prove = []
+
+        while packet:
+            try:
+                key_data = packet.get_string()
+                key = decode_ssh_public_key(key_data)
+
+                if key in self._revoked_host_keys:
+                    revoked.append(key)
+                elif key in self._trusted_host_keys:
+                    retained.append(key)
+                    removed.remove(key)
+                else:
+                    prove.append((key, String(key_data)))
+            except KeyImportError:
+                pass
+
+        if prove:
+            pkttype, packet = await self._make_global_request(
+                b'hostkeys-prove-00@openssh.com',
+                b''.join(key_str for _, key_str in prove))
+
+            if pkttype == MSG_REQUEST_SUCCESS:
+                prefix = String('hostkeys-prove-00@openssh.com') + \
+                         String(self._session_id)
+
+                for key, key_str in prove:
+                    sig = packet.get_string()
+
+                    if key.verify(prefix + key_str, sig):
+                        added.append(key)
+                    else:
+                        self.logger.debug1('Server host key validation failed')
+            else:
+                self.logger.debug1('Server host key prove request failed')
+
+        packet.check_end()
+
+        self.logger.info(f'Server host key report: {len(added)} added, '
+                         f'{len(removed)} removed, {len(retained)} retained, '
+                         f'{len(revoked)} revoked')
+
+        result = self._server_host_keys_handler(added, removed,
+                                                retained, revoked)
+
+        if inspect.isawaitable(result):
+            assert result is not None
+            await result
+
+        self._report_global_response(True)
+
     async def attach_x11_listener(self, chan: SSHClientChannel[AnyStr],
                                   display: Optional[str],
                                   auth_path: Optional[str],
@@ -4139,7 +4232,7 @@ class SSHClientConnection(SSHConnection):
         if env:
             try:
                 if isinstance(env, list):
-                    new_env.update((item.split('=', 2) for item in env))
+                    new_env.update((item.split('=', 1) for item in env))
                 else:
                     new_env.update(cast(Mapping[str, str], env))
             except ValueError:
@@ -5594,6 +5687,7 @@ class SSHServerConnection(SSHConnection):
         self._options = options
 
         self._server_host_keys = options.server_host_keys
+        self._all_server_host_keys = options.all_server_host_keys
         self._server_host_key_algs = list(options.server_host_keys.keys())
         self._known_client_hosts = options.known_client_hosts
         self._trust_client_host = options.trust_client_host
@@ -5719,6 +5813,17 @@ class SSHServerConnection(SSHConnection):
 
         return self._server_host_key
 
+    def send_server_host_keys(self) -> None:
+        """Send list of available server host keys"""
+
+        if self._all_server_host_keys:
+            self.logger.info('Sending server host keys')
+
+            keys = [String(key) for key in self._all_server_host_keys.keys()]
+            self._send_global_request(b'hostkeys-00@openssh.com', *keys)
+        else:
+            self.logger.info('Sending server host keys disabled')
+
     def gss_kex_auth_supported(self) -> bool:
         """Return whether GSS key exchange authentication is supported"""
 
@@ -6425,6 +6530,26 @@ class SSHServerConnection(SSHConnection):
 
         return chan, session
 
+    def _process_hostkeys_prove_00_at_openssh_dot_com_global_request(
+            self, packet: SSHPacket) -> None:
+        """Prove the server has private keys for all requested host keys"""
+
+        prefix = String('hostkeys-prove-00@openssh.com') + \
+                 String(self._session_id)
+
+        signatures = []
+
+        while packet:
+            try:
+                key_data = packet.get_string()
+                key = self._all_server_host_keys[key_data]
+                signatures.append(String(key.sign(prefix + String(key_data))))
+            except (KeyError, KeyImportError):
+                self._report_global_response(False)
+                return
+
+        self._report_global_response(b''.join(signatures))
+
     async def attach_x11_listener(self, chan: SSHServerChannel[AnyStr],
                                   auth_proto: bytes, auth_data: bytes,
                                   screen: int) -> Optional[str]:
@@ -7019,11 +7144,13 @@ class SSHConnectionOptions(Options):
         self.tunnel = tunnel if tunnel != () else config.get('ProxyJump')
         self.passphrase = passphrase
 
+        if proxy_command == ():
+            proxy_command = cast(Optional[str], config.get('ProxyCommand'))
+
         if isinstance(proxy_command, str):
-            proxy_command = shlex.split(proxy_command)
+            proxy_command = split_args(proxy_command)
 
-        self.proxy_command = proxy_command if proxy_command != () else \
-            cast(Sequence[str], config.get('ProxyCommand'))
+        self.proxy_command = proxy_command
 
         self.family = cast(int, family if family != () else
             config.get('AddressFamily', socket.AF_UNSPEC))
@@ -7178,6 +7305,17 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
                          caution, as it can result in a host key mismatch
                          if the client trusts only a subset of the host
                          keys the server might return.
+       :param server_host_keys_handler: (optional)
+          A `callable` or coroutine handler function which if set will be
+          called when a global request from the server is received which
+          provides an updated list of server host keys. The handler takes
+          four arguments (added, removed, retained, and revoked), each of
+          which is a list of SSHKey public keys, reflecting differences
+          between what the server reported and what is currently matching
+          in known_hosts.
+
+               .. note:: This handler will only be called when known
+                         host checking is enabled and the check succeeded.
        :param x509_trusted_certs: (optional)
            A list of certificates which should be trusted for X.509 server
            certificate authentication. If no trusted certificates are
@@ -7513,6 +7651,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
        :type known_hosts: *see* :ref:`SpecifyingKnownHosts`
        :type host_key_alias: `str`
        :type server_host_key_algs: `str` or `list` of `str`
+       :type server_host_keys_handler: `callable` or coroutine
        :type x509_trusted_certs: *see* :ref:`SpecifyingCertificates`
        :type x509_trusted_cert_paths: `list` of `str`
        :type x509_purposes: *see* :ref:`SpecifyingX509Purposes`
@@ -7542,7 +7681,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
        :type agent_identities:
            *see* :ref:`SpecifyingPublicKeys` and :ref:`SpecifyingCertificates`
        :type agent_forwarding: `bool`
-       :type pkcs11_provider: `str`
+       :type pkcs11_provider: `str` or `None`
        :type pkcs11_pin: `str`
        :type client_version: `str`
        :type kex_algs: `str` or `list` of `str`
@@ -7583,6 +7722,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
     known_hosts: KnownHostsArg
     host_key_alias: Optional[str]
     server_host_key_algs: Union[str, Sequence[str]]
+    server_host_keys_handler: _ServerHostKeysHandler
     username: str
     password: Optional[str]
     client_host_keysign: Optional[str]
@@ -7602,7 +7742,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
     agent_path: Optional[str]
     agent_identities: Optional[Sequence[bytes]]
     agent_forward_path: Optional[str]
-    pkcs11_provider: Optional[FilePath]
+    pkcs11_provider: Optional[str]
     pkcs11_pin: Optional[str]
     command: Optional[str]
     subsystem: Optional[str]
@@ -7650,6 +7790,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
                 known_hosts: KnownHostsArg = (),
                 host_key_alias: DefTuple[Optional[str]] = (),
                 server_host_key_algs: _AlgsArg = (),
+                server_host_keys_handler: _ServerHostKeysHandler = None,
                 username: DefTuple[str] = (), password: Optional[str] = None,
                 client_host_keysign: DefTuple[KeySignPath] = (),
                 client_host_keys: Optional[_ClientKeysArg] = None,
@@ -7668,7 +7809,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
                 agent_path: DefTuple[Optional[str]] = (),
                 agent_identities: DefTuple[Optional[IdentityListArg]] = (),
                 agent_forwarding: DefTuple[bool] = (),
-                pkcs11_provider: DefTuple[Optional[FilePath]] = (),
+                pkcs11_provider: DefTuple[Optional[str]] = (),
                 pkcs11_pin: Optional[str] = None,
                 command: DefTuple[Optional[str]] = (),
                 subsystem: Optional[str] = None, env: DefTuple[_Env] = (),
@@ -7758,6 +7899,8 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
         _select_host_key_algs(server_host_key_algs,
             cast(DefTuple[str], config.get('HostKeyAlgorithms', ())), [])
 
+        self.server_host_keys_handler = server_host_keys_handler
+
         self.username = saslprep(cast(str, username if username != () else
                                       config.get('User', local_username)))
 
@@ -7823,9 +7966,9 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
 
         if pkcs11_provider == ():
             pkcs11_provider = \
-                cast(Optional[FilePath], config.get('PKCS11Provider'))
+                cast(Optional[str], config.get('PKCS11Provider'))
 
-        pkcs11_provider: Optional[FilePath]
+        pkcs11_provider: Optional[str]
 
         if ignore_encrypted == ():
             ignore_encrypted = client_keys == ()
@@ -7933,6 +8076,20 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
        :param server_host_certs: (optional)
            A list of optional certificates which can be paired with the
            provided server host keys.
+       :param send_server_host_keys: (optional)
+           Whether or not to send a list of the allowed server host keys
+           for clients to use to update their known hosts like for the
+           server.
+
+               .. note:: Enabling this option will allow multiple server
+                         host keys of the same type to be configured. Only
+                         the first key of each type will be actively used
+                         during key exchange, but the others will be
+                         reported as reserved keys that clients should
+                         begin to trust, to allow for future key rotation.
+                         If this option is disabled, specifying multiple
+                         server host keys of the same type is treated as
+                         a configuration error.
        :param passphrase: (optional)
            The passphrase to use to decrypt server host keys if they are
            encrypted, or a `callable` or coroutine which takes a filename
@@ -8174,6 +8331,7 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
        :type family: `socket.AF_UNSPEC`, `socket.AF_INET`, or `socket.AF_INET6`
        :type server_host_keys: *see* :ref:`SpecifyingPrivateKeys`
        :type server_host_certs: *see* :ref:`SpecifyingCertificates`
+       :type send_server_host_keys: `bool`
        :type passphrase: `str` or `bytes`
        :type known_client_hosts: *see* :ref:`SpecifyingKnownHosts`
        :type trust_client_host: `bool`
@@ -8227,6 +8385,8 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
     server_factory: _ServerFactory
     server_version: bytes
     server_host_keys: 'OrderedDict[bytes, SSHKeyPair]'
+    all_server_host_keys: 'OrderedDict[bytes, SSHKeyPair]'
+    send_server_host_keys: bool
     known_client_hosts: KnownHostsArg
     trust_client_host: bool
     authorized_client_keys: DefTuple[Optional[SSHAuthorizedKeys]]
@@ -8283,6 +8443,7 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
                 keepalive_count_max: DefTuple[int] = (),
                 server_host_keys: KeyPairListArg = (),
                 server_host_certs: CertListArg = (),
+                send_server_host_keys: bool = False,
                 passphrase: Optional[BytesOrStr] = None,
                 known_client_hosts: KnownHostsArg = None,
                 trust_client_host: bool = False,
@@ -8354,14 +8515,21 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
                                     server_host_certs, loop=loop)
 
         self.server_host_keys = OrderedDict()
+        self.all_server_host_keys = OrderedDict()
 
         for keypair in server_keys:
             for alg in keypair.host_key_algorithms:
-                if alg in self.server_host_keys:
-                    raise ValueError('Multiple keys of type %s found' %
-                                     alg.decode('ascii'))
+                if alg in self.server_host_keys and not send_server_host_keys:
+                    raise ValueError('Multiple keys of type '
+                                     f'{alg.decode("ascii")} found: '
+                                     'Enable send_server_host_keys to '
+                                     'allow reserved keys to be configured')
+
+                if alg not in self.server_host_keys:
+                    self.server_host_keys[alg] = keypair
 
-                self.server_host_keys[alg] = keypair
+                if send_server_host_keys:
+                    self.all_server_host_keys[keypair.public_data] = keypair
 
         self.known_client_hosts = known_client_hosts
         self.trust_client_host = trust_client_host
@@ -9058,7 +9226,7 @@ async def create_server(server_factory: _ServerFactory,
 async def get_server_host_key(
         host = '', port: DefTuple[int] = (), *,
         tunnel: DefTuple[_TunnelConnector] = (),
-        proxy_command: DefTuple[str] = (), family: DefTuple[int] = (),
+        proxy_command: DefTuple[_ProxyCommand] = (), family: DefTuple[int] = (),
         flags: int = 0, local_addr: DefTuple[HostPort] = (),
         sock: Optional[socket.socket] = None,
         client_version: DefTuple[BytesOrStr] = (),
@@ -9202,7 +9370,7 @@ async def get_server_host_key(
 async def get_server_auth_methods(
         host = '', port: DefTuple[int] = (), username: DefTuple[str] = (), *,
         tunnel: DefTuple[_TunnelConnector] = (),
-        proxy_command: DefTuple[str] = (), family: DefTuple[int] = (),
+        proxy_command: DefTuple[_ProxyCommand] = (), family: DefTuple[int] = (),
         flags: int = 0, local_addr: DefTuple[HostPort] = (),
         sock: Optional[socket.socket] = None,
         client_version: DefTuple[BytesOrStr] = (),

{asyncssh-2.15.0 → asyncssh-2.16.0}/asyncssh/crypto/cipher.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2014-2021 by Ron Frederick <ronf@timeheart.net> and others.
+# Copyright (c) 2014-2024 by Ron Frederick <ronf@timeheart.net> and others.
 #
 # This program and the accompanying materials are made available under
 # the terms of the Eclipse Public License v2.0 which accompanies this
@@ -20,22 +20,23 @@
 
 """A shim around PyCA for accessing symmetric ciphers needed by AsyncSSH"""
 
+from types import ModuleType
 from typing import Any, MutableMapping, Optional, Tuple
 import warnings
 
 from cryptography.exceptions import InvalidTag
 from cryptography.hazmat.primitives.ciphers import Cipher, CipherContext
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
-from cryptography.hazmat.primitives.ciphers.algorithms import AES, ARC4
-from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
 from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR
 
-with warnings.catch_warnings():
-    warnings.simplefilter('ignore')
+import cryptography.hazmat.primitives.ciphers.algorithms as _algs
+
+_decrepit_algs: Optional[ModuleType]
 
-    from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish
-    from cryptography.hazmat.primitives.ciphers.algorithms import CAST5
-    from cryptography.hazmat.primitives.ciphers.algorithms import SEED
+try:
+    import cryptography.hazmat.decrepit.ciphers.algorithms as _decrepit_algs
+except ImportError:
+    _decrepit_algs = None
 
 
 _CipherAlgs = Tuple[Any, Any, int]
@@ -140,27 +141,44 @@ def get_cipher_params(cipher_name: str) -> _CipherParams:
 
 
 _cipher_alg_list = (
-    ('aes128-cbc',   AES,       CBC,     0, 16, 16, 16),
-    ('aes192-cbc',   AES,       CBC,     0, 24, 16, 16),
-    ('aes256-cbc',   AES,       CBC,     0, 32, 16, 16),
-    ('aes128-ctr',   AES,       CTR,     0, 16, 16, 16),
-    ('aes192-ctr',   AES,       CTR,     0, 24, 16, 16),
-    ('aes256-ctr',   AES,       CTR,     0, 32, 16, 16),
-    ('aes128-gcm',   None,      None,    0, 16, 12, 16),
-    ('aes256-gcm',   None,      None,    0, 32, 12, 16),
-    ('arcfour',      ARC4,      None,    0, 16,  1,  1),
-    ('arcfour40',    ARC4,      None,    0,  5,  1,  1),
-    ('arcfour128',   ARC4,      None, 1536, 16,  1,  1),
-    ('arcfour256',   ARC4,      None, 1536, 32,  1,  1),
-    ('blowfish-cbc', Blowfish,  CBC,     0, 16,  8,  8),
-    ('cast128-cbc',  CAST5,     CBC,     0, 16,  8,  8),
-    ('des-cbc',      TripleDES, CBC,     0,  8,  8,  8),
-    ('des2-cbc',     TripleDES, CBC,     0, 16,  8,  8),
-    ('des3-cbc',     TripleDES, CBC,     0, 24,  8,  8),
-    ('seed-cbc',     SEED,      CBC,     0, 16, 16, 16)
+    ('aes128-cbc',   'AES',       CBC,     0, 16, 16, 16),
+    ('aes192-cbc',   'AES',       CBC,     0, 24, 16, 16),
+    ('aes256-cbc',   'AES',       CBC,     0, 32, 16, 16),
+    ('aes128-ctr',   'AES',       CTR,     0, 16, 16, 16),
+    ('aes192-ctr',   'AES',       CTR,     0, 24, 16, 16),
+    ('aes256-ctr',   'AES',       CTR,     0, 32, 16, 16),
+    ('aes128-gcm',   None,        None,    0, 16, 12, 16),
+    ('aes256-gcm',   None,        None,    0, 32, 12, 16),
+    ('arcfour',      'ARC4',      None,    0, 16,  1,  1),
+    ('arcfour40',    'ARC4',      None,    0,  5,  1,  1),
+    ('arcfour128',   'ARC4',      None, 1536, 16,  1,  1),
+    ('arcfour256',   'ARC4',      None, 1536, 32,  1,  1),
+    ('blowfish-cbc', 'Blowfish',  CBC,     0, 16,  8,  8),
+    ('cast128-cbc',  'CAST5',     CBC,     0, 16,  8,  8),
+    ('des-cbc',      'TripleDES', CBC,     0,  8,  8,  8),
+    ('des2-cbc',     'TripleDES', CBC,     0, 16,  8,  8),
+    ('des3-cbc',     'TripleDES', CBC,     0, 24,  8,  8),
+    ('seed-cbc',     'SEED',      CBC,     0, 16, 16, 16)
 )
 
-for _cipher_name, _cipher, _mode, _initial_bytes, \
-        _key_size, _iv_size, _block_size in _cipher_alg_list:
-    _cipher_algs[_cipher_name] = (_cipher, _mode, _initial_bytes)
-    register_cipher(_cipher_name, _key_size, _iv_size, _block_size)
+with warnings.catch_warnings():
+    warnings.simplefilter('ignore')
+
+    for _cipher_name, _alg, _mode, _initial_bytes, \
+            _key_size, _iv_size, _block_size in _cipher_alg_list:
+        if _alg:
+            try:
+                _cipher = getattr(_algs, _alg)
+            except AttributeError as exc: # pragma: no cover
+                if _decrepit_algs:
+                    try:
+                        _cipher = getattr(_decrepit_algs, _alg)
+                    except AttributeError:
+                        raise exc from None
+                else:
+                    raise
+        else:
+            _cipher = None
+
+        _cipher_algs[_cipher_name] = (_cipher, _mode, _initial_bytes)
+        register_cipher(_cipher_name, _key_size, _iv_size, _block_size)

{asyncssh-2.15.0 → asyncssh-2.16.0}/asyncssh/crypto/x509.py

@@ -404,7 +404,8 @@ def generate_x509_certificate(signing_key: PyCAKey, key: PyCAKey,
     except KeyError:
         raise ValueError('Unknown hash algorithm') from None
 
-    cert = builder.sign(cast(PyCAPrivateKey, signing_key), hash_alg)
+    cert = builder.sign(cast(PyCAPrivateKey, signing_key),
+                        hash_alg) # type: ignore
     data = cert.public_bytes(Encoding.DER)
 
     return X509Certificate(cert, data)