v0.6.6 release

VERSION

@@ -1 +1 @@
-0.4.7
+0.6.6

examples/factoids.py

@@ -154,8 +154,8 @@ async def main(hostname: str, channel: str, nickname: str):
     params = ConnectionParams(
         nickname,
         hostname,
-        6697,
-        tls=True)
+        6697
+    )
     await bot.add_server("freenode", params)
     await bot.run()
 

examples/sasl.py

@@ -23,7 +23,6 @@ async def main():
         "MyNickname",
         host = "chat.freenode.invalid",
         port = 6697,
-        tls  = True,
         sasl = sasl_params)
 
     await bot.add_server("freenode", params)

examples/simple.py

@@ -25,7 +25,7 @@ class Bot(BaseBot):
 async def main():
     bot = Bot()
     for name, host in SERVERS:
-        params = ConnectionParams("BitBotNewTest", host, 6697, True)
+        params = ConnectionParams("BitBotNewTest", host, 6697)
         await bot.add_server(name, params)
 
     await bot.run()

ircrobots/__init__.py

@@ -3,3 +3,4 @@ from .server import Server
 from .params import (ConnectionParams, SASLUserPass, SASLExternal, SASLSCRAM,
     STSPolicy, ResumePolicy)
 from .ircv3  import Capability
+from .security import TLS

ircrobots/interface.py

@@ -6,6 +6,7 @@ from ircstates import Server, Emit
 from irctokens import Line, Hostmask
 
 from .params   import ConnectionParams, SASLParams, STSPolicy, ResumePolicy
+from .security import TLS
 
 class ITCPReader(object):
     async def read(self, byte_count: int):
@@ -24,11 +25,10 @@ class ITCPWriter(object):
 
 class ITCPTransport(object):
     async def connect(self,
-            hostname:   str,
-            port:       int,
-            tls:        bool,
-            tls_verify: bool=True,
-            bindhost:   Optional[str]=None
+            hostname: str,
+            port:     int,
+            tls:      Optional[TLS],
+            bindhost: Optional[str]=None
             ) -> Tuple[ITCPReader, ITCPWriter]:
         pass
 

ircrobots/ircv3.py

@@ -8,6 +8,7 @@ from .contexts  import ServerContext
 from .matching  import Response, ANY
 from .interface import ICapability
 from .params    import ConnectionParams, STSPolicy, ResumePolicy
+from .security  import TLSVerifyChain
 
 class Capability(ICapability):
     def __init__(self,
@@ -101,12 +102,12 @@ def _cap_dict(s: str) -> Dict[str, str]:
     return d
 
 async def sts_transmute(params: ConnectionParams):
-    if not params.sts is None and not params.tls:
+    if not params.sts is None and params.tls is None:
         now   = time()
         since = (now-params.sts.created)
         if since <= params.sts.duration:
             params.port = params.sts.port
-            params.tls  = True
+            params.tls  = TLSVerifyChain()
 async def resume_transmute(params: ConnectionParams):
     if params.resume is not None:
         params.host = params.resume.address
@@ -182,7 +183,7 @@ class CAPContext(ServerContext):
             if not params.tls:
                 if "port" in sts_dict:
                     params.port = int(sts_dict["port"])
-                    params.tls  = True
+                    params.tls  = TLSVerifyChain()
 
                     await self.server.bot.disconnect(self.server)
                     await self.server.bot.add_server(self.server.name, params)

ircrobots/matching/params.py

@@ -73,8 +73,7 @@ class Formatless(IMatchResponseParam):
     def __init__(self, value: TYPE_MAYBELIT_VALUE):
         self._value = _assure_lit(value)
     def __repr__(self) -> str:
-        brepr = super().__repr__()
-        return f"Formatless({brepr})"
+        return f"Formatless({self._value!r})"
     def match(self, server: IServer, arg: str) -> bool:
         strip = formatting.strip(arg)
         return self._value.match(server, strip)

ircrobots/params.py

@@ -1,6 +1,9 @@
+from re          import compile as re_compile
 from typing      import List, Optional
 from dataclasses import dataclass, field
 
+from .security import TLS, TLSNoVerify, TLSVerifyChain
+
 class SASLParams(object):
     mechanism: str
 
@@ -28,19 +31,24 @@ class ResumePolicy(object):
     address: str
     token:   str
 
+RE_IPV6HOST = re_compile("\[([a-fA-F0-9:]+)\]")
+
+_TLS_TYPES = {
+    "+": TLSVerifyChain,
+    "~": TLSNoVerify,
+}
 @dataclass
 class ConnectionParams(object):
     nickname: str
     host:     str
     port:     int
-    tls:      bool
+    tls:      Optional[TLS] = field(default_factory=TLSVerifyChain)
 
     username: Optional[str] = None
     realname: Optional[str] = None
     bindhost: Optional[str] = None
 
     password:   Optional[str] = None
-    tls_verify: bool = True
     sasl:       Optional[SASLParams] = None
 
     sts:    Optional[STSPolicy]    = None
@@ -57,15 +65,19 @@ class ConnectionParams(object):
             hoststring: str
             ) -> "ConnectionParams":
 
-        host, _, port_s = hoststring.strip().partition(":")
+        ipv6host = RE_IPV6HOST.search(hoststring)
+        if ipv6host is not None and ipv6host.start() == 0:
+            host = ipv6host.group(1)
+            port_s = hoststring[ipv6host.end()+1:]
+        else:
+            host, _, port_s = hoststring.strip().partition(":")
 
-        if port_s.startswith("+"):
-            tls    = True
-            port_s = port_s.lstrip("+") or "6697"
-        elif not port_s:
-            tls    = False
+        tls_type: Optional[TLS] = None
+        if not port_s:
             port_s = "6667"
         else:
-            tls    = False
+            tls_type = _TLS_TYPES.get(port_s[0], lambda: None)()
+            if tls_type is not None:
+                port_s = port_s[1:] or "6697"
 
-        return ConnectionParams(nickname, host, int(port_s), tls)
+        return ConnectionParams(nickname, host, int(port_s), tls_type)

ircrobots/security.py

@@ -1,13 +1,29 @@
 import ssl
+from dataclasses import dataclass
+from typing import Optional, Tuple
+
+@dataclass
+class TLS:
+    client_keypair: Optional[Tuple[str, str]] = None
+
+# tls without verification
+class TLSNoVerify(TLS):
+    pass
+
+# verify via CAs
+class TLSVerifyChain(TLS):
+    pass
+
+# verify by a pinned hash
+class TLSVerifyHash(TLSNoVerify):
+    def __init__(self, sum: str):
+        self.sum = sum.lower()
+class TLSVerifySHA512(TLSVerifyHash):
+    pass
 
 def tls_context(verify: bool=True) -> ssl.SSLContext:
-    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
-    context.options |= ssl.OP_NO_SSLv2
-    context.options |= ssl.OP_NO_SSLv3
-    context.options |= ssl.OP_NO_TLSv1
-    context.load_default_certs()
-
-    if verify:
-        context.verify_mode = ssl.CERT_REQUIRED
-
-    return context
+    ctx = ssl.create_default_context()
+    if not verify:
+        ctx.check_hostname = False
+        ctx.verify_mode = ssl.CERT_NONE
+    return ctx

ircrobots/server.py

@@ -124,9 +124,8 @@ class Server(IServer):
         reader, writer = await transport.connect(
             params.host,
             params.port,
-            tls       =params.tls,
-            tls_verify=params.tls_verify,
-            bindhost  =params.bindhost)
+            tls      =params.tls,
+            bindhost =params.bindhost)
 
         self._reader = reader
         self._writer = writer
@@ -181,9 +180,9 @@ class Server(IServer):
                     self._pending_who[0] == chan):
                 self._pending_who.popleft()
                 await self._next_who()
-
-        elif (line.command in {ERR_NICKNAMEINUSE, ERR_ERRONEUSNICKNAME} and
-                not self.registered):
+        elif (line.command in {
+		ERR_NICKNAMEINUSE, ERR_ERRONEUSNICKNAME, ERR_UNAVAILRESOURCE
+	} and not self.registered):
             if self._alt_nicks:
                 nick = self._alt_nicks.pop(0)
                 await self.send(build("NICK", [nick]))
@@ -288,9 +287,10 @@ class Server(IServer):
 
             if not self._process_queue:
                 async with self._read_lwork:
-                    read_aw  = self._read_line(PING_TIMEOUT)
+                    read_aw = asyncio.create_task(self._read_line(PING_TIMEOUT))
+                    wait_aw = asyncio.create_task(self._wait_for.wait())
                     dones, notdones = await asyncio.wait(
-                        [read_aw, self._wait_for.wait()],
+                        [read_aw, wait_aw],
                         return_when=asyncio.FIRST_COMPLETED
                     )
                     self._wait_for.clear()

ircrobots/transport.py

@@ -1,10 +1,12 @@
+from hashlib       import sha512
 from ssl           import SSLContext
 from typing        import Optional, Tuple
 from asyncio       import StreamReader, StreamWriter
 from async_stagger import open_connection
 
 from .interface import ITCPTransport, ITCPReader, ITCPWriter
-from .security  import tls_context
+from .security  import (tls_context, TLS, TLSNoVerify, TLSVerifyHash,
+    TLSVerifySHA512)
 
 class TCPReader(ITCPReader):
     def __init__(self, reader: StreamReader):
@@ -32,16 +34,18 @@ class TCPWriter(ITCPWriter):
 
 class TCPTransport(ITCPTransport):
     async def connect(self,
-            hostname:   str,
-            port:       int,
-            tls:        bool,
-            tls_verify: bool=True,
-            bindhost:   Optional[str]=None
+            hostname: str,
+            port:     int,
+            tls:      Optional[TLS],
+            bindhost: Optional[str]=None
             ) -> Tuple[ITCPReader, ITCPWriter]:
 
         cur_ssl: Optional[SSLContext] = None
-        if tls:
-            cur_ssl = tls_context(tls_verify)
+        if tls is not None:
+            cur_ssl = tls_context(not isinstance(tls, TLSNoVerify))
+            if tls.client_keypair is not None:
+                (client_cert, client_key) = tls.client_keypair
+                cur_ssl.load_cert_chain(client_cert, keyfile=client_key)
 
         local_addr: Optional[Tuple[str, int]] = None
         if not bindhost is None:
@@ -55,5 +59,20 @@ class TCPTransport(ITCPTransport):
             server_hostname=server_hostname,
             ssl            =cur_ssl,
             local_addr     =local_addr)
+
+        if isinstance(tls, TLSVerifyHash):
+            cert: bytes = writer.transport.get_extra_info(
+                "ssl_object"
+            ).getpeercert(True)
+            if isinstance(tls, TLSVerifySHA512):
+                sum = sha512(cert).hexdigest()
+            else:
+                raise ValueError(f"unknown hash pinning {type(tls)}")
+
+            if not sum == tls.sum:
+                raise ValueError(
+                    f"pinned hash for {hostname} does not match ({sum})"
+                )
+
         return (TCPReader(reader), TCPWriter(writer))
 

requirements.txt

@@ -1,6 +1,6 @@
 anyio            ~=2.0.2
 asyncio-rlock    ~=0.1.0
 asyncio-throttle ~=1.0.1
-ircstates        ~=0.11.11
+ircstates        ~=0.12.1
 async_stagger    ~=0.3.0
-async_timeout    ~=3.0.1
+async_timeout    ~=4.0.2