o 2c+@sdZddlZddlZddlZddlZddlZddlZddlZddl ZGdddej j Z Gdddej j Z Gdddej j ZGd d d ej j ZGd d d ej j ZGd ddeZGdddeZGdddeZGdddeZejdZejdZejdZejdZejdZejdZejdZejdZejdZejdZ eZ!Gdd d Z"Gd!d"d"Z#Gd#d$d$Z$  d2d%d&Z%d'd(Z&d3d*d+Z'  )d4d,d-Z(d.d/Z)Gd0d1d1Z*dS)5zDNS TSIG support.Nc@eZdZdZdS)BadTimez8The current time is not within the TSIG's validity time.N__name__ __module__ __qualname____doc__r r >/var/www/html/gps/gps/lib/python3.10/site-packages/dns/tsig.pyrrc@r) BadSignaturez#The TSIG signature fails to verify.Nrr r r r r #r r c@r)BadKeyz2The TSIG record owner name does not match the key.Nrr r r r r (r r c@r) BadAlgorithmz*The TSIG algorithm does not match the key.Nrr r r r r-r rc@r) PeerErrorz;Base class for all TSIG errors generated by the remote peerNrr r r r r2r rc@r) PeerBadKeyz$The peer didn't know the key we usedNrr r r r r7r rc@r)PeerBadSignaturez*The peer didn't like the signature we sentNrr r r r r<r rc@r) PeerBadTimez%The peer didn't like the time we sentNrr r r r rAr rc@r)PeerBadTruncationz=The peer didn't like amount of truncation in the TSIG we sentNrr r r r rFr rzHMAC-MD5.SIG-ALG.REG.INTz hmac-sha1z hmac-sha224z hmac-sha256zhmac-sha256-128z hmac-sha384zhmac-sha384-192z hmac-sha512zhmac-sha512-256gss-tsigc@s0eZdZdZddZddZddZdd Zd S) GSSTSigaG GSS-TSIG TSIG implementation. This uses the GSS-API context established in the TKEY message handshake to sign messages using GSS-API message integrity codes, per the RFC. In order to avoid a direct GSSAPI dependency, the keyring holds a ref to the GSSAPI object required, rather than the key itself. cCs||_d|_d|_dS)Nr)gssapi_contextdataname)selfrr r r __init__ds zGSSTSig.__init__cCs|j|7_dSN)rrrr r r updateiszGSSTSig.updatecCs|j|jSr)r get_signaturerrr r r signlsz GSSTSig.signcCs&z |j|j|WStytwr)rverify_signaturer Exceptionr )rexpectedr r r verifyps  zGSSTSig.verifyN)rrrrrrr!r%r r r r r[s  rc@s(eZdZddZddZeddZdS)GSSTSigAdaptercCs ||_dSr)keyring)rr'r r r rzs zGSSTSigAdapter.__init__cCsB||jvr|j|}t|tr|jtkr|rt||||SdSr)r' isinstanceKey algorithmGSS_TSIGr&parse_tkey_and_step)rmessagekeynamekeyr r r __call__}s  zGSSTSigAdapter.__call__cCsVz ||j|tjjtjj}|r|dj}|j}| |WSWdSt y*YdSw)Nr) find_rrsetanswerdns rdataclassANY rdatatypeTKEYr/secretstepKeyError)clsr/r-r.rrsettokenrr r r r,s    z"GSSTSigAdapter.parse_tkey_and_stepN)rrrrr0 classmethodr,r r r r r&ys  r&c@sveZdZdZeejeeje ej e ej dfe ej eej dfeejeejdfeeji ZddZddZd d Zd d Zd S)HMACTSigzo HMAC TSIG implementation. This uses the HMAC python module to handle the sign/verify operations. cCsz|j|}Wntytd|ddwt|tr.tj||dd|_|d|_n tj||d|_d|_|jj |_ |jrN|j d|j7_ dSdS)NzTSIG algorithm  zis not supportedr) digestmod-) _hashesr:NotImplementedErrorr(tuplehmacnew hmac_contextsizer)rr/r*hashinfor r r rs      zHMACTSig.__init__cCs |j|Sr)rLrrr r r rs zHMACTSig.updatecCs&|j}|jr|d|jd}|S)N)rLdigestrM)rrPr r r r!s z HMACTSig.signcCs|}t||s tdSr)r!rJcompare_digestr )rr$macr r r r%s zHMACTSig.verifyN)rrrr HMAC_SHA1hashlibsha1 HMAC_SHA224sha224 HMAC_SHA256sha256HMAC_SHA256_128 HMAC_SHA384sha384HMAC_SHA384_192 HMAC_SHA512sha512HMAC_SHA512_256HMAC_MD5md5rGrrr!r%r r r r r?s      r?c Cs0|o| }|rt|}|r|tdt||||td|j||dd|rN||j|tdtj j |tdd|durU|j }|d?d@}|d@} td || |j } t|j } | dkrutd |r||j| |td |j| |j |S|| |S) zReturn a context containing the TSIG rdata for the input parameters @rtype: dns.tsig.HMACTSig or dns.tsig.GSSTSig object @raises ValueError: I{other_data} is too long @raises NotImplementedError: I{algorithm} is not supported !HNz!Ir ilz!HIHz TSIG Other Data is > 65535 bytesz!HH) get_contextrstructpacklen original_idr to_digestabler3r4r5 time_signedfudgeother ValueErrorr*error) wirer/rdatatime request_macctxmultifirst upper_time lower_time time_encoded other_lenr r r _digests4     r|cCs4|rt|}|tdt||||SdS)zIf this is the first message in a multi-message sequence, start a new context. @rtype: dns.tsig.HMACTSig or dns.tsig.GSSTSig object rcN)rfrrgrhri)r/rRrvrur r r _maybe_start_digests  r}Fc Cs:t|||||||}|}|j||d}|t|||fS)a~Return a (tsig_rdata, mac, ctx) tuple containing the HMAC TSIG rdata for the input parameters, the HMAC MAC calculated by applying the TSIG signature algorithm, and the TSIG digest context. @rtype: (string, dns.tsig.HMACTSig or dns.tsig.GSSTSig object) @raises ValueError: I{other_data} is too long @raises NotImplementedError: I{algorithm} is not supported )rlrR)r|r!replacer}) rqr/rrrsrtrurvrRtsigr r r r!s r!c Cstd|dd\} | dkrtjj| d8} |ddtd| |d|} |jdkrY|jtjjkr7t |jtjj kr@t |jtjj krIt |jtjjkrRttd|jt|j||jkret|j|krlt|j|jkrttt| ||d|||}||jt||j|S)aFValidate the specified TSIG rdata against the other input parameters. @raises FormError: The TSIG is badly formed. @raises BadTime: There is too much time skew between the client and the server. @raises BadSignature: The TSIG signature did not validate @rtype: dns.tsig.HMACTSig or dns.tsig.GSSTSig objectrc rrEzunknown TSIG error code %dN)rgunpackr3 exception FormErrorrhrprcodeBADSIGrBADKEYrBADTIMErBADTRUNCrrabsrlrmrrr r*rr|r%rRr}) rqr/ownerrrnowrt tsig_startrurvadcountnew_wirer r r validates0 $    rcCs"|jtkr t|jSt|j|jS)zReturns an HMAC context for the specified key. @rtype: HMAC context @raises NotImplementedError: I{algorithm} is not supported )r*r+rr8r?)r/r r r rf5s  rfc@s(eZdZefddZddZddZdS)r)cCsZt|tr tj|}||_t|trt|}||_t|tr(tj|}||_ dSr) r(strr3r from_textbase64 decodebytesencoder8r*)rrr8r*r r r rCs      z Key.__init__cCs.t|to|j|jko|j|jko|j|jkSr)r(r)rr8r*)rrnr r r __eq__Ns    z Key.__eq__cCs4d|jdd|jddt|jdS)Nz)rr*r b64encoder8decoder r r r __repr__Ts  z Key.__repr__N)rrrdefault_algorithmrrrr r r r r)Bs  r))NNNN)NNNF)NF)+rrrTrJrg dns.exceptionr3dns.rdataclassdns.name dns.rcoder DNSExceptionrr r rrrrrrrrrarSrVrXrZr[r]r^r`r+rrr&r?r|r}r!rrfr)r r r r sT           5 $  %