PyPI - asyncssh - Versions diffs - 2.22.0__tar.gz → 2.23.1__tar.gz - Mend

asyncssh 2.22.0tar.gz → 2.23.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (177) hide show

{asyncssh-2.22.0/asyncssh.egg-info → asyncssh-2.23.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: asyncssh
-Version: 2.22.0
+Version: 2.23.1
 Summary: AsyncSSH: Asynchronous SSHv2 client and server library
 Author-email: Ron Frederick <ronf@timeheart.net>
 License: EPL-2.0 OR GPL-2.0-or-later
@@ -32,10 +32,10 @@ Provides-Extra: bcrypt
 Requires-Dist: bcrypt>=3.1.3; extra == "bcrypt"
 Provides-Extra: fido2
 Requires-Dist: fido2>=2; extra == "fido2"
+Provides-Extra: ifaddr
+Requires-Dist: ifaddr>=0.2.0; extra == "ifaddr"
 Provides-Extra: gssapi
 Requires-Dist: gssapi>=1.2.0; extra == "gssapi"
-Provides-Extra: libnacl
-Requires-Dist: libnacl>=1.4.2; extra == "libnacl"
 Provides-Extra: pkcs11
 Requires-Dist: python-pkcs11>=0.7.0; extra == "pkcs11"
 Provides-Extra: pyopenssl
@@ -196,6 +196,9 @@ functionality:
 * Install fido2 from https://pypi.org/project/fido2 if you want support
   for key exchange and authentication with U2F/FIDO2 security keys.
+* Install ifaddr from https://pypi.org/project/ifaddr/ if you want
+  support for matching on local network IP addresses.
 * Install python-pkcs11 from https://pypi.org/project/python-pkcs11 if
   you want support for accessing PIV keys on PKCS#11 security tokens.
@@ -221,24 +224,25 @@ easy to install any or all of these dependencies:
   | bcrypt
   | fido2
+  | ifaddr
   | gssapi
   | pkcs11
   | pyOpenSSL
   | pywin32
-For example, to install bcrypt, fido2, gssapi, pkcs11, and pyOpenSSL
+For example, to install bcrypt, fido2, gssapi, ifaddr, pkcs11, and pyOpenSSL
 on UNIX, you can run:
   ::
-    pip install 'asyncssh[bcrypt,fido2,gssapi,pkcs11,pyOpenSSL]'
+    pip install 'asyncssh[bcrypt,fido2,gssapi,ifaddr,pkcs11,pyOpenSSL]'
-To install bcrypt, fido2, pkcs11, pyOpenSSL, and pywin32 on Windows,
+To install bcrypt, fido2, ifaddr, pkcs11, pyOpenSSL, and pywin32 on Windows,
 you can run:
   ::
-    pip install 'asyncssh[bcrypt,fido2,pkcs11,pyOpenSSL,pywin32]'
+    pip install 'asyncssh[bcrypt,fido2,ifaddr,pkcs11,pyOpenSSL,pywin32]'
 Note that you will still need to manually install the libnettle library
 for UMAC support. Unfortunately, since liboqs and libnettle are not

{asyncssh-2.22.0 → asyncssh-2.23.1}/README.rst RENAMED Viewed

@@ -150,6 +150,9 @@ functionality:
 * Install fido2 from https://pypi.org/project/fido2 if you want support
   for key exchange and authentication with U2F/FIDO2 security keys.
+* Install ifaddr from https://pypi.org/project/ifaddr/ if you want
+  support for matching on local network IP addresses.
 * Install python-pkcs11 from https://pypi.org/project/python-pkcs11 if
   you want support for accessing PIV keys on PKCS#11 security tokens.
@@ -175,24 +178,25 @@ easy to install any or all of these dependencies:
   | bcrypt
   | fido2
+  | ifaddr
   | gssapi
   | pkcs11
   | pyOpenSSL
   | pywin32
-For example, to install bcrypt, fido2, gssapi, pkcs11, and pyOpenSSL
+For example, to install bcrypt, fido2, gssapi, ifaddr, pkcs11, and pyOpenSSL
 on UNIX, you can run:
   ::
-    pip install 'asyncssh[bcrypt,fido2,gssapi,pkcs11,pyOpenSSL]'
+    pip install 'asyncssh[bcrypt,fido2,gssapi,ifaddr,pkcs11,pyOpenSSL]'
-To install bcrypt, fido2, pkcs11, pyOpenSSL, and pywin32 on Windows,
+To install bcrypt, fido2, ifaddr, pkcs11, pyOpenSSL, and pywin32 on Windows,
 you can run:
   ::
-    pip install 'asyncssh[bcrypt,fido2,pkcs11,pyOpenSSL,pywin32]'
+    pip install 'asyncssh[bcrypt,fido2,ifaddr,pkcs11,pyOpenSSL,pywin32]'
 Note that you will still need to manually install the libnettle library
 for UMAC support. Unfortunately, since liboqs and libnettle are not

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/agent.py RENAMED Viewed

@@ -121,9 +121,7 @@ class SSHAgentKeyPair(SSHKeyPair):
         else:
             sig_algorithm = algorithm
-        # Neither Pageant nor the Win10 OpenSSH agent seems to support the
-        # ssh-agent protocol flags used to request RSA SHA2 signatures yet
-        if sig_algorithm == b'ssh-rsa' and sys.platform != 'win32':
+        if sig_algorithm == b'ssh-rsa':
             sig_algorithms: Sequence[bytes] = \
                 (b'rsa-sha2-256', b'rsa-sha2-512', b'ssh-rsa')
         else:

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/config.py RENAMED Viewed

@@ -1,4 +1,4 @@
-# Copyright (c) 2020-2024 by Ron Frederick <ronf@timeheart.net> and others.
+# Copyright (c) 2020-2026 by Ron Frederick <ronf@timeheart.net> and others.
 #
 # This program and the accompanying materials are made available under
 # the terms of the Eclipse Public License v2.0 which accompanies this
@@ -29,20 +29,27 @@ import subprocess
 from hashlib import sha1
 from pathlib import Path, PurePath
 from subprocess import DEVNULL
-from typing import Callable, Dict, List, NoReturn, Optional, Sequence
-from typing import Set, Tuple, Union, cast
+from typing import Callable, Dict, Iterator, List, NoReturn, Optional
+from typing import Sequence, Set, Tuple, Union, cast
 from .constants import DEFAULT_PORT
 from .logging import logger
-from .misc import DefTuple, FilePath, ip_address
+from .misc import DefTuple, FilePath, IllegalUserName, ip_address
 from .pattern import HostPatternList, WildcardPatternList
+try:
+    import ifaddr
+    _ifaddr_available = True
+except ImportError: # pragma: no cover
+    _ifaddr_available = False
 ConfigPaths = Union[None, FilePath, Sequence[FilePath]]
 _token_pattern = re.compile(r'%(.)')
-_env_pattern = re.compile(r'\${(.*)}')
+_env_pattern = re.compile(r'\${(.*?)}')
+_unsafe_user_pattern = re.compile(r'^\.\.$|^~|^[A-Za-z]:|[/\\]|\$\{.*?\}')
 def _exec(cmd: str) -> bool:
@@ -52,6 +59,18 @@ def _exec(cmd: str) -> bool:
                           stdout=DEVNULL, stderr=DEVNULL).returncode == 0
+def _get_local_ips() -> Iterator[str]:
+    """Return local IP addresses of the system"""
+    for adapter in ifaddr.get_adapters():
+        for ip in adapter.ips:
+            if isinstance(ip.ip, tuple):
+                addr, _, scope_id = ip.ip
+                yield f'{addr}%{scope_id}' if scope_id else addr
+            else:
+                yield ip.ip
 class ConfigParseError(ValueError):
     """Configuration parsing exception"""
@@ -183,6 +202,10 @@ class SSHConfig:
             elif match == 'final':
                 result = cast(bool, self._final)
             else:
+                if (match == 'localnetwork' and
+                        not _ifaddr_available): # pragma: no cover
+                    self._error('Local network match requires ifaddr module')
                 match_val = self._match_val(match)
                 if match != 'exec' and match_val is None:
@@ -201,6 +224,15 @@ class SSHConfig:
                         ip = ip_address(cast(str, match_val)) \
                             if match_val else None
                         result = host_pat.matches(None, match_val, ip)
+                    elif match == 'localnetwork':
+                        host_pat = HostPatternList(arg)
+                        for addr in cast(Iterator[str], match_val):
+                            if host_pat.matches(None, addr, ip_address(addr)):
+                                result = True
+                                break
+                        else:
+                            result = False
                     else:
                         wild_pat = WildcardPatternList(arg)
                         result = wild_pat.matches(match_val)
@@ -514,6 +546,8 @@ class SSHClientConfig(SSHConfig):
             return self._options.get('Hostname', self._orig_host)
         elif match == 'originalhost':
             return self._orig_host
+        elif match == 'localnetwork':
+            return _get_local_ips()
         elif match == 'localuser':
             return self._local_user
         elif match == 'user':
@@ -677,7 +711,23 @@ class SSHServerConfig(SSHConfig):
             return None
     def _set_tokens(self) -> None:
-        """Set the tokens available for percent expansion"""
+        """Set the tokens available for percent expansion
+           Only allow "safe" username substitutions. Unsafe usernames are:
+               - a username of exactly ".."
+               - a username beginning with a "~"
+               - a username beginning with a Windows drive letter and a ":"
+               - a username containing forward or backward slashes
+               - a username containing an env substitution like "${...}"
+           Note: this code assumes that saslprep has already been performed
+           on the username before it is accessed here.
+        """
+        if _unsafe_user_pattern.search(self._user):
+            raise IllegalUserName('Unsafe username substitution')
         self._tokens.update({'u': self._user})

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/connection.py RENAMED Viewed

@@ -82,6 +82,7 @@ from .constants import OPEN_UNKNOWN_CHANNEL_TYPE
 from .encryption import Encryption, get_encryption_algs
 from .encryption import get_default_encryption_algs
+from .encryption import encryption_needs_mac
 from .encryption import get_encryption_params, get_encryption
 from .forward import SSHForwarder
@@ -196,6 +197,9 @@ class _TunnelProtocol(Protocol):
     def close(self) -> None:
         """Close this tunnel"""
+    async def wait_closed(self):
+        """Wait for this tunnel to close"""
 class _TunnelConnectorProtocol(_TunnelProtocol, Protocol):
     """Protocol to open a connection to tunnel an SSH connection over"""
@@ -279,7 +283,7 @@ async def _canonicalize_host(loop: asyncio.AbstractEventLoop,
                              options: 'SSHConnectionOptions') -> Optional[str]:
     """Canonicalize a host name"""
-    host = options.host
+    host = options.orig_host
     if not options.canonicalize_hostname or not options.canonical_domains:
         logger.info('Host canonicalization disabled')
@@ -387,6 +391,11 @@ async def _open_proxy(
             self._conn.connection_lost(exc)
+        def process_exited(self):
+            """Called when the child process has exited"""
+            self._close_event.set()
         def write(self, data: bytes) -> None:
             """Write data to this tunnel"""
@@ -403,13 +412,20 @@ async def _open_proxy(
             if self._transport: # pragma: no cover
                 self._transport.close()
+                self._transport = None
-            self._close_event.set()
+        async def wait_closed(self):
+            """Wait for this subprocess to exit"""
+            await self._close_event.wait()
+    _, tunnel = await loop.subprocess_exec(_ProxyCommandTunnel, *command,
+                                           start_new_session=True)
-    _, tunnel = await loop.subprocess_exec(_ProxyCommandTunnel, *command)
+    conn = cast(_Conn, cast(_ProxyCommandTunnel, tunnel).get_conn())
+    conn.set_tunnel(tunnel)
-    return cast(_Conn, cast(_ProxyCommandTunnel, tunnel).get_conn())
+    return conn
 async def _open_tunnel(tunnels: object, options: _Options,
@@ -437,8 +453,8 @@ async def _open_tunnel(tunnels: object, options: _Options,
             last_conn = conn
             conn = await connect(host, port, username=username,
-                                 passphrase=options.passphrase, tunnel=conn,
-                                 config=config)
+                                 passphrase=options.passphrase,
+                                 tunnel=conn or (), config=config)
             conn.set_tunnel(last_conn)
             if options.canonicalize_hostname != 'always':
@@ -459,7 +475,7 @@ async def _connect(options: _Options, config: DefTuple[ConfigPaths],
     canon_host = await _canonicalize_host(loop, options)
-    host = canon_host if canon_host else options.host
+    host = canon_host if canon_host else options.orig_host
     canonical = bool(canon_host)
     final = options.config.has_match_final()
@@ -537,7 +553,7 @@ async def _connect(options: _Options, config: DefTuple[ConfigPaths],
 async def _listen(options: _Options, config: DefTuple[ConfigPaths],
                   loop: asyncio.AbstractEventLoop, flags: int,
                   backlog: int, sock: Optional[socket.socket],
-                  reuse_address: bool, reuse_port: bool,
+                  reuse_address: Optional[bool], reuse_port: Optional[bool],
                   conn_factory: Callable[[], _Conn],
                   msg: str) -> 'SSHAcceptor':
     """Make inbound TCP or SSH tunneled listener"""
@@ -651,7 +667,8 @@ def _expand_algs(alg_type: str, algs: str,
 def _select_algs(alg_type: str, algs: _AlgsArg, config_algs: _AlgsArg,
                  possible_algs: List[bytes], default_algs: List[bytes],
-                 none_value: Optional[bytes] = None) -> Sequence[bytes]:
+                 none_value: Optional[bytes] = None,
+                 allow_empty: bool = False) -> Sequence[bytes]:
     """Select a set of allowed algorithms"""
     if algs == ():
@@ -682,6 +699,8 @@ def _select_algs(alg_type: str, algs: _AlgsArg, config_algs: _AlgsArg,
         return result
     elif none_value:
         return [none_value]
+    elif allow_empty:
+        return []
     else:
         raise ValueError(f'No {alg_type} algorithms selected')
@@ -714,7 +733,7 @@ def _validate_algs(config: SSHConfig, kex_algs_arg: _AlgsArg,
                             get_default_encryption_algs())
     mac_algs = _select_algs('MAC', mac_algs_arg,
                             cast(_AlgsArg, config.get('MACs', ())),
-                            get_mac_algs(), get_default_mac_algs())
+                            get_mac_algs(), get_default_mac_algs(), None, True)
     cmp_algs = _select_algs('compression', cmp_algs_arg,
                             cast(_AlgsArg, config.get_compression_algs()),
                             get_compression_algs(),
@@ -1090,15 +1109,15 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
             self._owner = None
+        if self._tunnel:
+            self._tunnel.close()
+            self._tunnel = None
         self._cancel_login_timer()
         self._close_event.set()
         self._inpbuf = b''
-        if self._tunnel:
-            self._tunnel.close()
-            self._tunnel = None
     def _cancel_login_timer(self) -> None:
         """Cancel the login timer"""
@@ -1489,8 +1508,8 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         raise KeyExchangeFailed(
             f'No matching {alg_type} algorithm found, sent '
-            f'{b",".join(local_algs).decode("ascii")} and received '
-            f'{b",".join(remote_algs).decode("ascii")}')
+            f'{b",".join(local_algs).decode("ascii") or "<None>"} and received '
+            f'{b",".join(remote_algs).decode("ascii") or "<None>"}')
     def _get_extra_kex_algs(self) -> List[bytes]:
         """Return the extra kex algs to add"""
@@ -1852,7 +1871,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         self.logger.debug2('  Key exchange algs: %s', kex_algs)
         self.logger.debug2('  Host key algs: %s', host_key_algs)
         self.logger.debug2('  Encryption algs: %s', self._enc_algs)
-        self.logger.debug2('  MAC algs: %s', self._mac_algs)
+        self.logger.debug2('  MAC algs: %s', self._mac_algs or '<None>')
         self.logger.debug2('  Compression algs: %s', self._cmp_algs)
         cookie = os.urandom(16)
@@ -1905,12 +1924,6 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         mac_keysize_sc, mac_hashsize_sc, etm_sc = \
             get_encryption_params(self._enc_alg_sc, self._mac_alg_sc)
-        if mac_keysize_cs == 0:
-            self._mac_alg_cs = self._enc_alg_cs
-        if mac_keysize_sc == 0:
-            self._mac_alg_sc = self._enc_alg_sc
         cmp_after_auth_cs = get_compression_params(self._cmp_alg_cs)
         cmp_after_auth_sc = get_compression_params(self._cmp_alg_sc)
@@ -2406,11 +2419,11 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         self.logger.debug2('  Host key algs: %s', peer_host_key_algs)
         self.logger.debug2('  Client to server:')
         self.logger.debug2('    Encryption algs: %s', enc_algs_cs)
-        self.logger.debug2('    MAC algs: %s', mac_algs_cs)
+        self.logger.debug2('    MAC algs: %s', mac_algs_cs or '<None>')
         self.logger.debug2('    Compression algs: %s', cmp_algs_cs)
         self.logger.debug2('  Server to client:')
         self.logger.debug2('    Encryption algs: %s', enc_algs_sc)
-        self.logger.debug2('    MAC algs: %s', mac_algs_sc)
+        self.logger.debug2('    MAC algs: %s', mac_algs_sc or '<None>')
         self.logger.debug2('    Compression algs: %s', cmp_algs_sc)
         kex_alg = self._choose_alg('key exchange', kex_algs, peer_kex_algs)
@@ -2431,8 +2444,17 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         self._enc_alg_sc = self._choose_alg('encryption', self._enc_algs,
                                             enc_algs_sc)
-        self._mac_alg_cs = self._choose_alg('MAC', self._mac_algs, mac_algs_cs)
-        self._mac_alg_sc = self._choose_alg('MAC', self._mac_algs, mac_algs_sc)
+        if encryption_needs_mac(self._enc_alg_cs):
+            self._mac_alg_cs = self._choose_alg('MAC', self._mac_algs,
+                                                mac_algs_cs)
+        else:
+            self._mac_alg_cs = self._enc_alg_cs
+        if encryption_needs_mac(self._enc_alg_sc):
+            self._mac_alg_sc = self._choose_alg('MAC', self._mac_algs,
+                                                mac_algs_sc)
+        else:
+            self._mac_alg_sc = self._enc_alg_sc
         self._cmp_alg_cs = self._choose_alg('compression', self._cmp_algs,
                                             cmp_algs_cs)
@@ -2851,6 +2873,9 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         if self._agent:
             await self._agent.wait_closed()
+        if self._tunnel:
+            await self._tunnel.wait_closed()
         await self._close_event.wait()
     def disconnect(self, code: int, reason: str,
@@ -7277,6 +7302,7 @@ class SSHConnectionOptions(Options, Generic[_Options]):
     waiter: Optional[asyncio.Future]
     protocol_factory: _ProtocolFactory
     version: bytes
+    orig_host: str
     host: str
     port: int
     tunnel: object
@@ -7369,6 +7395,7 @@ class SSHConnectionOptions(Options, Generic[_Options]):
         self.protocol_factory = protocol_factory
         self.version = _validate_version(version)
+        self.orig_host = host
         self.host = cast(str, config.get('Hostname', host))
         self.port = cast(int, port if port != () else
             config.get('Port', DEFAULT_PORT))
@@ -9326,7 +9353,8 @@ async def listen(host = '', port: DefTuple[int] = (), *,
                  tunnel: DefTuple[_TunnelListener] = (),
                  family: DefTuple[int] = (), flags:int = socket.AI_PASSIVE,
                  backlog: int = 100, sock: Optional[socket.socket] = None,
-                 reuse_address: bool = False, reuse_port: bool = False,
+                 reuse_address: Optional[bool] = None,
+                 reuse_port: Optional[bool] = None,
                  acceptor: _AcceptHandler = None,
                  error_handler: _ErrorHandler = None,
                  config: DefTuple[ConfigPaths] = (),
@@ -9384,7 +9412,7 @@ async def listen(host = '', port: DefTuple[int] = (), *,
            port other existing sockets are bound to, so long as they all
            set this flag when being created. If not specified, the
            default is to not allow this. This option is not supported
-           on Windows or Python versions prior to 3.4.4.
+           on Windows.
        :param acceptor: (optional)
            A `callable` or coroutine which will be called when the
            SSH handshake completes on an accepted connection, taking
@@ -9414,8 +9442,8 @@ async def listen(host = '', port: DefTuple[int] = (), *,
        :type flags: flags to pass to :meth:`getaddrinfo() <socket.getaddrinfo>`
        :type backlog: `int`
        :type sock: :class:`socket.socket` or `None`
-       :type reuse_address: `bool`
-       :type reuse_port: `bool`
+       :type reuse_address: `bool` or `None`
+       :type reuse_port: `bool` or `None`
        :type acceptor: `callable` or coroutine
        :type error_handler: `callable`
        :type config: `list` of `str`
@@ -9451,7 +9479,8 @@ async def listen_reverse(host = '', port: DefTuple[int] = (), *,
                          family: DefTuple[int] = (),
                          flags: int = socket.AI_PASSIVE, backlog: int = 100,
                          sock: Optional[socket.socket] = None,
-                         reuse_address: bool = False, reuse_port: bool = False,
+                         reuse_address: Optional[bool] = None,
+                         reuse_port: Optional[bool] = None,
                          acceptor: _AcceptHandler = None,
                          error_handler: _ErrorHandler = None,
                          config: DefTuple[ConfigPaths] = (),
@@ -9518,7 +9547,7 @@ async def listen_reverse(host = '', port: DefTuple[int] = (), *,
            port other existing sockets are bound to, so long as they all
            set this flag when being created. If not specified, the
            default is to not allow this. This option is not supported
-           on Windows or Python versions prior to 3.4.4.
+           on Windows.
        :param acceptor: (optional)
            A `callable` or coroutine which will be called when the
            SSH handshake completes on an accepted connection, taking
@@ -9553,8 +9582,8 @@ async def listen_reverse(host = '', port: DefTuple[int] = (), *,
        :type flags: flags to pass to :meth:`getaddrinfo() <socket.getaddrinfo>`
        :type backlog: `int`
        :type sock: :class:`socket.socket` or `None`
-       :type reuse_address: `bool`
-       :type reuse_port: `bool`
+       :type reuse_address: `bool` or `None`
+       :type reuse_port: `bool` or `None`
        :type acceptor: `callable` or coroutine
        :type error_handler: `callable`
        :type config: `list` of `str`

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/crypto/pq.py RENAMED Viewed

@@ -58,10 +58,12 @@ class PQDH:
             self.pubkey_bytes, self.privkey_bytes, \
             self.ciphertext_bytes, self.secret_bytes, \
             oqs_name = _pq_algs[alg_name]
-        except KeyError: # pragma: no cover, other algs not registered
-            raise ValueError(f'Unknown PQ algorithm {oqs_name}') from None
+        except KeyError:
+            raise ValueError('Unknown PQ algorithm ' +
+                             alg_name.decode()) from None
-        if not hasattr(_oqs, 'OQS_' + oqs_name + '_keypair'): # pragma: no cover
+        if not hasattr(_oqs, 'OQS_' + oqs_name + # pragma: no cover
+                       '_keypair'):
             oqs_name += '_ipd'
         self._keypair = getattr(_oqs, 'OQS_' + oqs_name + '_keypair')

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/encryption.py RENAMED Viewed

@@ -46,6 +46,12 @@ class Encryption:
         raise NotImplementedError
+    @classmethod
+    def needs_mac(cls) -> bool:
+        """Return whether a MAC algorithm is needed for this encryption"""
+        return True
     @classmethod
     def get_mac_params(cls, mac_alg: bytes) -> Tuple[int, int, bool]:
         """Get parameters of the MAC algorithm used with this encryption"""
@@ -161,6 +167,12 @@ class GCMEncryption(Encryption):
         return cls(GCMCipher(cipher_name, key, iv))
+    @classmethod
+    def needs_mac(cls) -> bool:
+        """GCM encryption doesn't need an external MAC algorithm"""
+        return False
     @classmethod
     def get_mac_params(cls, mac_alg: bytes) -> Tuple[int, int, bool]:
         """Get parameters of the MAC algorithm used with this encryption"""
@@ -200,6 +212,12 @@ class ChachaEncryption(Encryption):
         return cls(ChachaCipher(key))
+    @classmethod
+    def needs_mac(cls) -> bool:
+        """Chacha20 encryption doesn't need an external MAC algorithm"""
+        return False
     @classmethod
     def get_mac_params(cls, mac_alg: bytes) -> Tuple[int, int, bool]:
         """Get parameters of the MAC algorithm used with this encryption"""
@@ -258,8 +276,14 @@ def get_default_encryption_algs() -> List[bytes]:
     return _default_enc_algs
-def get_encryption_params(enc_alg: bytes,
-                          mac_alg: bytes = b'') -> _EncParams:
+def encryption_needs_mac(enc_alg: bytes) -> bool:
+    """Return whether an encryption algorithm needs a MAC algorithm"""
+    encryption, _ = _enc_params[enc_alg]
+    return encryption.needs_mac()
+def get_encryption_params(enc_alg: bytes, mac_alg: bytes = b'') -> _EncParams:
     """Get parameters of an encryption and MAC algorithm"""
     encryption, cipher_name = _enc_params[enc_alg]

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/kex.py RENAMED Viewed

@@ -35,7 +35,7 @@ if TYPE_CHECKING:
 _KexAlgList = List[bytes]
-_KexAlgMap = Dict[bytes, Tuple[Type['Kex'], HashType, object]]
+_KexAlgMap = Dict[bytes, Tuple[Type['Kex'], HashType, Tuple]]
 _kex_algs: _KexAlgList = []

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/misc.py RENAMED Viewed

@@ -251,7 +251,7 @@ def _normalize_scoped_ip(addr: str) -> str:
     if addrinfo[0] == socket.AF_INET6:
         sa = addrinfo[4]
-        addr = sa[0]
+        addr = cast(str, sa[0])
         idx = addr.find('%')
         if idx >= 0: # pragma: no cover

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/scp.py RENAMED Viewed

@@ -136,6 +136,10 @@ def _parse_cd_args(args: bytes) -> Tuple[int, int, bytes]:
     try:
         permissions, size, name = args.split(None, 2)
+        if b'/' in name or b'\\' in name or name == b'..':
+            raise _scp_error(SFTPBadMessage, 'Invalid filename')
         return int(permissions, 8), int(size), name
     except ValueError:
         raise _scp_error(SFTPBadMessage,
@@ -346,7 +350,8 @@ class _SCPHandler:
         if isinstance(exc, SFTPError):
             reason = exc.reason.encode('utf-8')
-        elif isinstance(exc, OSError): # pragma: no branch (win32)
+        elif isinstance(exc, OSError) and \
+                exc.strerror: # pragma: no branch (win32)
             reason = exc.strerror.encode('utf-8')
             filename = cast(BytesOrStr, exc.filename)

{asyncssh-2.22.0 → asyncssh-2.23.1}/asyncssh/server.py RENAMED Viewed

@@ -854,6 +854,10 @@ class SSHServer:
                      * An :class:`SSHListener` object
                      * `True` to set up standard port forwarding
                      * `False` to reject the request
+                     * A callable to use as an accept handler, taking
+                       arguments of the original host and port of the
+                       client and returning a boolean to indicate
+                       whether or not to allow connection forwarding.
                      * A coroutine object which returns one of the above
         """

asyncssh 2.22.0__tar.gz → 2.23.1__tar.gz

asyncssh 2.22.0tar.gz → 2.23.1tar.gz