o bw! @sdZddlmZmZmZmZddlmZmZm Z ddl m Z GdddeZ Gddde Z Gd d d e ZGd d d e Ze eGd ddZe eGdddZe eGdddZe eGdddZe eGdddZe eGdddZe eGdddZe e GdddZeeeeeeeedZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*S)+z SSH key exchange handling. )sha1sha256sha384sha512) Attribute Interface implementer)errorc@ eZdZdZedZedZdS)_IKexAlgorithmzB An L{_IKexAlgorithm} describes a key exchange algorithm. zAn L{int} giving the preference of the algorithm when negotiating key exchange. Algorithms with lower precedence values are more preferred.zqA callable hash algorithm constructor (e.g. C{hashlib.sha256}) suitable for use with this key exchange algorithm.N)__name__ __module__ __qualname____doc__r preference hashProcessorrr8/usr/lib/python3/dist-packages/twisted/conch/ssh/_kex.pyr sr c@r )_IFixedGroupKexAlgorithmzu An L{_IFixedGroupKexAlgorithm} describes a key exchange algorithm with a fixed prime / generator group. zdAn L{int} giving the prime number used in Diffie-Hellman key exchange, or L{None} if not applicable.zAn L{int} giving the generator number used in Diffie-Hellman key exchange, or L{None} if not applicable. (This is not related to Python generator functions.)N)r r rrrprime generatorrrrrr"src@eZdZdZdS)#_IEllipticCurveExchangeKexAlgorithmz An L{_IEllipticCurveExchangeKexAlgorithm} describes a key exchange algorithm that uses an elliptic curve exchange between the client and server. Nr r rrrrrrr4rc@r)_IGroupExchangeKexAlgorithmz An L{_IGroupExchangeKexAlgorithm} describes a key exchange algorithm that uses group exchange between the client and server. A prime / generator group should be chosen at run time based on the requested size. See RFC 4419. Nrrrrrr;rrc@eZdZdZdZeZdS)_Curve25519SHA256z Elliptic Curve Key Exchange using Curve25519 and SHA256. Defined in U{https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-curves/}. Nr r rrrrrrrrrrErc@r)_Curve25519SHA256LibSSHzN As L{_Curve25519SHA256}, but with a pre-standardized algorithm name. Nrrrrrr!Psr!c@r)_ECDH256aX Elliptic Curve Key Exchange with SHA-256 as HASH. Defined in RFC 5656. Note that C{ecdh-sha2-nistp256} takes priority over nistp384 or nistp512. This is the same priority from OpenSSH. C{ecdh-sha2-nistp256} is considered preety good cryptography. If you need something better consider using C{curve25519-sha256}. Nrrrrrr#Zs r#c@r)_ECDH384zT Elliptic Curve Key Exchange with SHA-384 as HASH. Defined in RFC 5656. N)r r rrrrrrrrrr%kr r%c@r)_ECDH512zT Elliptic Curve Key Exchange with SHA-512 as HASH. Defined in RFC 5656. N)r r rrrrrrrrrr'vr r'c@r)_DHGroupExchangeSHA256zc Diffie-Hellman Group and Key Exchange with SHA-256 as HASH. Defined in RFC 4419, 4.2. Nrrrrrr)r r)c@r)_DHGroupExchangeSHA1za Diffie-Hellman Group and Key Exchange with SHA-1 as HASH. Defined in RFC 4419, 4.1. N)r r rrrrrrrrrr+r r+c@s$eZdZdZdZeZedZdZ dS)_DHGroup14SHA1z Diffie-Hellman key exchange with SHA-1 as HASH and Oakley Group 14 (2048-bit MODP Group). Defined in RFC 4253, 8.2. i32317006071311007300338913926423828248817941241140239112842009751400741706634354222619689417363569347117901737909704191754605873209195028853758986185622153212175412514901774520270235796078236248884246189477587641105928646099411723245426622522193230540919037680524235519125679715870117001058055877651038861847280257976054903569732561526167081339361799541336476559160368317896729073178384589680639671900977202194168647225871031411336429319536193471636533209717077448227988588565369208645296636077250268955505928362751121174096972998068410554359584866583291642136218231078990999448652468262416972035911852507045361090559r"N) r r rrrrrintrrrrrrr-s r-)curve25519-sha256scurve25519-sha256@libssh.orgs$diffie-hellman-group-exchange-sha256s"diffie-hellman-group-exchange-sha1sdiffie-hellman-group14-sha1secdh-sha2-nistp256secdh-sha2-nistp384secdh-sha2-nistp521cCs |tvr td|t|S)aY Get a description of a named key exchange algorithm. @param kexAlgorithm: The key exchange algorithm name. @type kexAlgorithm: L{bytes} @return: A description of the key exchange algorithm named by C{kexAlgorithm}. @rtype: L{_IKexAlgorithm} @raises ConchError: if the key exchange algorithm is not found. z$Unsupported key exchange algorithm: )_kexAlgorithmsr ConchError kexAlgorithmrrrgetKexs r6cCtt|S)a  Returns C{True} if C{kexAlgorithm} is an elliptic curve. @param kexAlgorithm: The key exchange algorithm name. @type kexAlgorithm: C{str} @return: C{True} if C{kexAlgorithm} is an elliptic curve, otherwise C{False}. @rtype: C{bool} )r providedByr6r4rrrisEllipticCurve r9cCr7)a+ Returns C{True} if C{kexAlgorithm} has a fixed prime / generator group. @param kexAlgorithm: The key exchange algorithm name. @type kexAlgorithm: L{bytes} @return: C{True} if C{kexAlgorithm} has a fixed prime / generator group, otherwise C{False}. @rtype: L{bool} )rr8r6r4rrr isFixedGroupr:r;cCst|}|jS)a Get the hash algorithm callable to use in key exchange. @param kexAlgorithm: The key exchange algorithm name. @type kexAlgorithm: L{bytes} @return: A callable hash algorithm constructor (e.g. C{hashlib.sha256}). @rtype: C{callable} )r6rr5kexrrrgetHashProcessors r>cCst|}|j|jfS)z Get the generator and the prime to use in key exchange. @param kexAlgorithm: The key exchange algorithm name. @type kexAlgorithm: L{bytes} @return: A L{tuple} containing L{int} generator and L{int} prime. @rtype: L{tuple} )r6rrr<rrrgetDHGeneratorAndPrimes r?csddlm}ddlm}ddlm}|}ttD]+}| dr5| dd}| | ||}n | dr?| }nd}|sH|qtfd d d S) z Get a list of supported key exchange algorithm names in order of preference. @return: A C{list} of supported key exchange algorithm names. @rtype: C{list} of L{bytes} r)default_backend)ec) _curveTablesecdhsecdsar1Tcs |jS)N)rr4 kexAlgorithmsrr$s z*getSupportedKeyExchanges..)key)cryptography.hazmat.backendsr@)cryptography.hazmat.primitives.asymmetricrAtwisted.conch.ssh.keysrBr2copylist startswithreplace+elliptic_curve_exchange_algorithm_supportedECDHx25519_supportedpopsorted)r@rArBbackend keyAlgorithmkeyAlgorithmDsa supportedrrCrgetSupportedKeyExchangess(           rWN)rhashlibrrrrzope.interfacerrr twisted.conchr r rrrrr!r#r%r'r)r+r-r2r6r9r;r>r?rWrrrrsN