[Placeholder: this page is compiled Python bytecode (a marshalled .pyc) of the standard-library ssl module, not readable source. Only the identifiers and string constants below survive extraction; the code itself is not recoverable from this page.]

Recoverable identifiers (module-level and class names as they appear in the bytecode name table): CertificateError, _dnsname_match, _ipaddress_match, match_hostname, DefaultVerifyPaths, get_default_verify_paths, _ASN1Object, Purpose, SSLContext, create_default_context, _create_unverified_context, SSLObject, SSLSocket, wrap_socket, cert_time_to_seconds, DER_cert_to_PEM_cert, PEM_cert_to_DER_cert, get_server_certificate, get_protocol_name.

Recoverable string constants:

CHANNEL_BINDING_TYPES: tls-unique

_DEFAULT_CIPHERS (first cipher string on the page):
ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DES

_RESTRICTED_SERVER_CIPHERS (second cipher string on the page):
ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DES

Purpose OIDs: SERVER_AUTH 1.3.6.1.5.5.7.3.1, CLIENT_AUTH 1.3.6.1.5.5.7.3.2

PEM_HEADER: -----BEGIN CERTIFICATE-----
PEM_FOOTER: -----END CERTIFICATE-----

Error messages present in the bytecode:
too many wildcards in certificate DNS name:
empty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIRED
hostname %r doesn't match either of %s
hostname %r doesn't match %r
no appropriate commonName or subjectAltName fields were found
NPN protocols must be 1 to 255 in length
ALPN protocols must be 1 to 255 in length
unable to enumerate Windows certificate store
certfile must be specified
certfile must be specified for server-side operations
only stream sockets are supported
server_hostname can only be specified in client mode
check_hostname requires server_hostname
check_hostname needs server_hostname argument
do_handshake_on_connect should not be specified for non-blocking sockets
Read on closed or unwrapped SSL socket.
Write on closed or unwrapped SSL socket.
Unsupported channel binding type
{0} channel binding type not implemented
can't connect in server-side mode
attempt to connect already-connected SSLSocket!
Invalid PEM encoding; must start with %s
Invalid PEM encoding; must end with %s