[Binary artifact: compiled CPython 3.6 bytecode (.pyc) of /usr/lib64/python3.6/ssl.py. The page is not recoverable as source text. What survives are the module's names and string constants: the public API (CertificateError, match_hostname, get_default_verify_paths and DefaultVerifyPaths, Purpose with SERVER_AUTH = 1.3.6.1.5.5.7.3.1 and CLIENT_AUTH = 1.3.6.1.5.5.7.3.2, SSLContext with wrap_socket, wrap_bio, set_npn_protocols, set_alpn_protocols, load_default_certs and the options, verify_flags and verify_mode properties, create_default_context, _create_stdlib_context, _create_default_https_context, SSLObject, SSLSocket, wrap_socket, cert_time_to_seconds, PEM_HEADER, PEM_FOOTER, DER_cert_to_PEM_cert, PEM_cert_to_DER_cert, get_server_certificate, get_protocol_name, plus the _SSLMethod, Options, AlertDescription, SSLErrorNumber, VerifyFlags and VerifyMode enums); the hostname-verification messages "too many wildcards in certificate DNS name", "hostname %r doesn't match either of %s", "hostname %r doesn't match %r" and "no appropriate commonName or subjectAltName fields were found"; the SSLSocket constructor checks "certfile must be specified for server-side operations", "only stream sockets are supported", "server_hostname can only be specified in client mode", "session can only be specified in client mode" and "check_hostname requires server_hostname"; and the create_default_context logic that, for Purpose.SERVER_AUTH, sets verify_mode = CERT_REQUIRED and check_hostname = True and, when no cafile, capath or cadata is supplied, calls load_default_certs. The wildcard matcher uses the patterns "[^.]+" for a bare "*" label, treats an "xn--" leftmost label literally, and anchors the compiled expression with \A and \Z under re.IGNORECASE.]
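The security-relevant logic in this module is hostname verification: which certificate names are consulted, and how far a wildcard is allowed to reach. The following is an added, stand-alone re-implementation of the rules that CPython 3.6's `_dnsname_match` and `match_hostname` apply (the string constants above are the only evidence for them on this page). It is not the stdlib code; `ssl.match_hostname` is deprecated in later Pythons and removed in 3.12, so the rules are reproduced here so they run anywhere. The sample certificate dictionaries are constructed for the example in the layout `SSLSocket.getpeercert()` returns; the host names and addresses in them are placeholders.

```python
"""Re-implementation of CPython 3.6 ssl.py hostname-matching rules.

Added illustration, not the stdlib source. Behaviour reproduced:
  * comparison is case-insensitive;
  * a '*' is honoured only in the leftmost label and never crosses a '.';
  * more than one '*' in the leftmost label is an error;
  * an IDNA (xn--) leftmost label is matched literally, no wildcard expansion;
  * DNS / IP Address subjectAltName entries are checked first and the subject
    commonName is consulted only when the certificate has no such SAN entries.
"""
import ipaddress
import re


class CertificateError(ValueError):
    """Raised when the certificate does not match the requested host."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one DNS name from a certificate against hostname."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: " + repr(dn))
    if not wildcards:
        return dn.lower() == hostname.lower()

    pats = []
    if leftmost == '*':
        pats.append('[^.]+')                      # whole-label wildcard, >= 1 char
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats.append(re.escape(leftmost))          # no wildcards inside IDNA labels
    else:
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))  # partial label
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def ipaddress_match(ipname, host_ip):
    """Compare an 'IP Address' SAN entry with the address the client dialled."""
    return ipaddress.ip_address(ipname.rstrip()) == host_ip


def match_hostname(cert, hostname):
    """Return True if cert matches hostname, else raise CertificateError."""
    if not cert:
        raise ValueError("empty or no certificate")
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None                            # hostname is a DNS name

    names = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if host_ip is None and dnsname_match(value, hostname):
                return True
            names.append(value)
        elif key == 'IP Address':
            if host_ip is not None and ipaddress_match(value, host_ip):
                return True
            names.append(value)
    if not names:                                 # CN fallback only without SAN
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if dnsname_match(value, hostname):
                        return True
                    names.append(value)

    if len(names) > 1:
        raise CertificateError("hostname %r doesn't match either of %s"
                               % (hostname, ', '.join(map(repr, names))))
    if len(names) == 1:
        raise CertificateError("hostname %r doesn't match %r" % (hostname, names[0]))
    raise CertificateError(
        "no appropriate commonName or subjectAltName fields were found")


def matches(cert, hostname):
    """True/False wrapper around match_hostname for callers that do not want exceptions."""
    try:
        return match_hostname(cert, hostname)
    except CertificateError:
        return False


# Constructed sample certificates (getpeercert() layout, placeholder names).
WILDCARD_CERT = {
    'subject': ((('commonName', 'ignored.example.net'),),),
    'subjectAltName': (('DNS', '*.example.com'), ('IP Address', '192.0.2.10')),
}
CN_ONLY_CERT = {'subject': ((('commonName', 'legacy.example.org'),),)}

if __name__ == '__main__':
    for host in ('www.example.com', 'a.b.example.com', '192.0.2.10', 'ignored.example.net'):
        print(host, matches(WILDCARD_CERT, host))
```

The two checks a reviewer most often wants to see are covered by the samples: `a.b.example.com` is rejected by `*.example.com` because the wildcard cannot span a dot, and `ignored.example.net` is rejected even though it is the commonName, because a certificate that carries any DNS or IP Address SAN entry never falls back to the CN.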