B u9a @sddlZddlZddlmZddlmZmZm Z ddl Z ddl m Z m Z mZddl mZmZmZddl mZmZmZmZmZmZmZddl mZmZddl mZmZmZm Z ydd l m!Z!Wne"k rYnXdd l m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,dd l m-Z-m.Z.ej/d e0d de de j/de0dde dej/de0dde dej/de0dde de j/de0dde dej/de0dde de1j2Z3e1_3dde1j45DZ6e7e1ddZ8GdddeZ9ej:dkrdd l m;Z;mZ>m?Z?m@Z@dd"l=mAZAmBZBddl=ZCddlDZDddlEZEddlFZFeGZHd#gZIeJe d$ZKe-ZLeZMd%d&ZNd'd(ZOd)d*ZPd+d,ZQed-d.ZRd/d0ZSGd1d2d2ed2d3ZTGd4d5d5eTeZUGd6d7d7eZVeUjWfdddd8d9d:ZXe2feYd;eUjWdddddd<d=d>ZZeXZ[eZZ\Gd?d@d@Z]dAdBZ^GdCdDdDe=Z_e_eV_`e]eV_addd;eYe2ddEdEdf dFdGZbdHdIZcdJZddKZedLdMZfdNdOZge2dfdPdQZhdRdSZidS)TN) namedtuple)EnumIntEnumIntFlag)OPENSSL_VERSION_NUMBEROPENSSL_VERSION_INFOOPENSSL_VERSION) _SSLContext MemoryBIO SSLSession)SSLErrorSSLZeroReturnErrorSSLWantReadErrorSSLWantWriteErrorSSLSyscallError SSLEOFErrorSSLCertVerificationError)txt2objnid2obj) RAND_statusRAND_add RAND_bytesRAND_pseudo_bytes)RAND_egd) HAS_SNIHAS_ECDHHAS_NPNHAS_ALPN HAS_SSLv2 HAS_SSLv3 HAS_TLSv1 HAS_TLSv1_1 HAS_TLSv1_2 HAS_TLSv1_3)_DEFAULT_CIPHERS_OPENSSL_API_VERSION _SSLMethodcCs|do|dkS)NZ PROTOCOL_PROTOCOL_SSLv23) startswith)namer*/usr/lib/python3.7/ssl.py|r,)sourceOptionscCs |dS)NZOP_)r()r)r*r*r+r,r-ZAlertDescriptioncCs |dS)NZALERT_DESCRIPTION_)r()r)r*r*r+r,r-ZSSLErrorNumbercCs |dS)NZ SSL_ERROR_)r()r)r*r*r+r,r- VerifyFlagscCs |dS)NZVERIFY_)r()r)r*r*r+r,r- VerifyModecCs |dS)NZCERT_)r()r)r*r*r+r,r-cCsi|]\}}||qSr*r*).0r)valuer*r*r+ sr4ZPROTOCOL_SSLv2c@s6eZdZejZejZejZ ej Z ej Z ejZejZdS) TLSVersionN)__name__ __module__ __qualname___sslZPROTO_MINIMUM_SUPPORTEDZMINIMUM_SUPPORTEDZ PROTO_SSLv3SSLv3Z PROTO_TLSv1ZTLSv1Z PROTO_TLSv1_1ZTLSv1_1Z PROTO_TLSv1_2ZTLSv1_2Z PROTO_TLSv1_3ZTLSv1_3ZPROTO_MAXIMUM_SUPPORTEDZMAXIMUM_SUPPORTEDr*r*r*r+r5sr5win32)enum_certificates enum_crls)socketAF_INET SOCK_STREAMcreate_connection) SOL_SOCKETSO_TYPEz tls-uniqueHOSTFLAG_NEVER_CHECK_SUBJECTcCs|sdS|d}|s&||kS|dkrsole wildcard without additional labels are not support: {!r}.z      rbDefaultVerifyPathszQcafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capathcCsdt}tj|d|d}tj|d|d}ttj|rF|ndtj|rX|ndf|S)NrrF) r9get_default_verify_pathsosenvironrYrcpathisfileisdir)partscafilecapathr*r*r+rf\s rfcs@eZdZdZfddZefddZefddZZS) _ASN1Objectr*cstj|ft|ddS)NF)r))super__new___txt2obj)clsoid) __class__r*r+rqosz_ASN1Object.__new__cstj|ft|S)N)rprq_nid2obj)rsZnid)rur*r+fromnidrsz_ASN1Object.fromnidcstj|ft|ddS)NT)r))rprqrr)rsr))rur*r+fromnamexsz_ASN1Object.fromname) r6r7r8 __slots__rq classmethodrwrx __classcell__r*r*)rur+rojs roznid shortname longname oidc@seZdZdZdZdS)Purposez1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2N)r6r7r8 SERVER_AUTHZ CLIENT_AUTHr*r*r*r+r|sr|csjeZdZdZdZdZefddZddZd.d d Z d/d d Z d dZ ddZ ddZ ddZejfddZeedrefddZejfddZefddZejfddZefddZejfd dZeed!red"d#Zejd$d#Zn ed%d#Zefd&d'Zefd(d)Zejfd*d)Zefd+d,Zejfd-d,ZZS)0 SSLContext)ZCAZROOTNcOst||}|S)N)r rq)rsprotocolargskwargsselfr*r*r+rqs zSSLContext.__new__cCs4|dkr dSt|tr&|ddS|dSdS)NZidnaascii) isinstancestrencodedecode)rrMr*r*r+_encode_hostnames  zSSLContext._encode_hostnameFTc Cs|jj|||||||dS)N)sock server_sidedo_handshake_on_connectsuppress_ragged_eofsserver_hostnamecontextsession)sslsocket_class_create)rrrrrrrr*r*r+ wrap_socketszSSLContext.wrap_socketcCs|jj|||||||dS)N)rrrr)sslobject_classrr)rincomingoutgoingrrrr*r*r+wrap_bioszSSLContext.wrap_biocCsdt}xN|D]F}t|d}t|dks2t|dkr:td|t|||q W||dS)Nrrz(NPN protocols must be 1 to 255 in length) bytearraybytesr[r rZextendZ_set_npn_protocols)rZ npn_protocolsprotosrbr*r*r+set_npn_protocolss  zSSLContext.set_npn_protocolscs8dkrd_n$ts tdfdd}|_dS)Nznot a callable objectcs|}|||S)N)r)sslobjZ servernameZsslctx)rserver_name_callbackr*r+shim_cbs z3SSLContext.set_servername_callback..shim_cb)Z sni_callbackcallable TypeError)rrrr*)rrr+set_servername_callbacks z"SSLContext.set_servername_callbackcCsdt}xN|D]F}t|d}t|dks2t|dkr:td|t|||q W||dS)Nrrrz)ALPN protocols must be 1 to 255 in length)rrr[r rZrZ_set_alpn_protocols)rZalpn_protocolsrrrr*r*r+set_alpn_protocolss  zSSLContext.set_alpn_protocolscCszt}y@x:t|D].\}}}|dkr|dks6|j|kr||qWWntk rdtdYnX|rv|j|d|S)NZx509_asnTz-unable to enumerate Windows certificate store)cadata)rr<rtrPermissionErrorwarningswarnload_verify_locations)r storenamepurposeZcertsr_encodingZtrustr*r*r+_load_windows_store_certss z$SSLContext._load_windows_store_certscCsDt|tst|tjdkr8x|jD]}|||q$W|dS)Nr;)rrorsysplatform_windows_cert_storesrZset_default_verify_paths)rrrr*r*r+load_default_certss    zSSLContext.load_default_certsminimum_versioncs ttjS)N)r5rpr)r)rur*r+rszSSLContext.minimum_versioncs4|tjkr|jtjM_tttj||dS)N) r5r:optionsr/Z OP_NO_SSLv3rpr~r__set__)rr3)rur*r+rs cs ttjS)N)r5rpmaximum_version)r)rur*r+rszSSLContext.maximum_versioncstttj||dS)N)rpr~rr)rr3)rur*r+rscs ttjS)N)r/rpr)r)rur*r+rszSSLContext.optionscstttj||dS)N)rpr~rr)rr3)rur*r+rsrDcCs|jtj@}|tjkS)N) _host_flagsr9rD)rZncsr*r*r+hostname_checks_common_name s z&SSLContext.hostname_checks_common_namecCs,|r|jtjM_n|jtjO_dS)N)rr9rD)rr3r*r*r+rscCsdS)NTr*)rr*r*r+rscs ttjS)N)r&rpr)r)rur*r+rszSSLContext.protocolcs ttjS)N)r0rp verify_flags)r)rur*r+rszSSLContext.verify_flagscstttj||dS)N)rpr~rr)rr3)rur*r+r!scs*tj}yt|Stk r$|SXdS)N)rp verify_moder1rR)rr3)rur*r+r%s zSSLContext.verify_modecstttj||dS)N)rpr~rr)rr3)rur*r+r-s)FTTNN)FNN)r6r7r8rrr PROTOCOL_TLSrqrrrrrrrr|r}rhasattrr propertyrsetterrrr9rrrrr{r*r*)rur+r~s@          r~)rmrnrcCsdt|tst|tt}|tjkr0t|_d|_ |s<|s<|rL| |||n|jt kr`| ||S)NT) rrorr~rr|r} CERT_REQUIREDrcheck_hostnamer CERT_NONEr)rrmrnrrr*r*r+create_default_context2s     rF) cert_reqsrrcertfilekeyfilermrnrc Cst|tst|t|} |s$d| _|dk r2|| _|rd?Z"fd@dAZ#edBdCZ$edDdEZ%fdFdGZ&edcdHdIZ'fdJdKZ(dLdMZ)dNdOZ*fdPdQZ+edddSdTZ,edUdVZ-Z.S)e SSLSocketcOst|jjddS)NzX does not have a public constructor. Instances are returned by SSLContext.wrap_socket().)rrur6)rrrr*r*r+r&szSSLSocket.__init__FTNc s|tttkrtd|r8|r(td|dk r8td|jrJ|sJtdt|j|j |j | d}|j |f|} t t| jf|| |||| _|| _d| _d| _|| _||| _|| _|| _y | Wn6tk r} z| jtjkrd} Wdd} ~ XYnXd} | | _ | ryH| jj!| || j| | jd| _|rj| } | d krbtd | "Wn$ttfk r| #YnX| S) Nz!only stream sockets are supportedz4server_hostname can only be specified in client modez,session can only be specified in client modez'check_hostname requires server_hostname)familytypeprotofilenoFT)rrgzHdo_handshake_on_connect should not be specified for non-blocking sockets)$Z getsockoptrBrCr@NotImplementedErrorrRrdictrrrrrqrprr settimeout gettimeoutdetach_context_sessionZ_closedrrrrrr getpeernamerQerrnoZENOTCONN _connected _wrap_socketrclose) rsrrrrrrrrreZ connectedtimeout)rur*r+r-s\        zSSLSocket._createcCs|jS)N)r)rr*r*r+rlszSSLSocket.contextcCs||_||j_dS)N)rrr)rrr*r*r+rqscCs|jdk r|jjSdS)N)rr)rr*r*r+rvs zSSLSocket.sessioncCs||_|jdk r||j_dS)N)rrr)rrr*r*r+r|s cCs|jdk r|jjSdS)N)rr)rr*r*r+rs zSSLSocket.session_reusedcCstd|jjdS)NzCan't dup() %s instances)rrur6)rr*r*r+dupsz SSLSocket.dupcCsdS)Nr*)rmsgr*r*r+ _checkClosedszSSLSocket._checkClosedcCs|js|dS)N)rr)rr*r*r+_check_connectedszSSLSocket._check_connectedc Cs||jdkrtdy&|dk r2|j||S|j|SWnJtk r}z,|jdtkrx|jrx|dk rrdSdSnWdd}~XYnXdS)Nz'Read on closed or unwrapped SSL socket.rr-)rrrRrr rZ SSL_ERROR_EOFr)rr[rxr*r*r+rs zSSLSocket.readcCs&||jdkrtd|j|S)Nz(Write on closed or unwrapped SSL socket.)rrrRr)rrr*r*r+rs zSSLSocket.writecCs|||j|S)N)rrrr)rrr*r*r+rszSSLSocket.getpeercertcCs*||jdkstjsdS|jSdS)N)rrr9rr)rr*r*r+rszSSLSocket.selected_npn_protocolcCs*||jdkstjsdS|jSdS)N)rrr9rr)rr*r*r+rsz SSLSocket.selected_alpn_protocolcCs$||jdkrdS|jSdS)N)rrr)rr*r*r+rs zSSLSocket.ciphercCs$||jdkrdS|jSdS)N)rrr)rr*r*r+rs zSSLSocket.shared_cipherscCs$||jdkrdS|jSdS)N)rrr)rr*r*r+rs zSSLSocket.compressionrcsF||jdk r4|dkr(td|j|j|St||SdS)Nrz3non-zero flags not allowed in calls to send() on %s)rrrRrurrpsend)rrflags)rur*r+rs   zSSLSocket.sendcsL||jdk r"td|jn&|dkr8t||St|||SdS)Nz%sendto not allowed on instances of %s)rrrRrurpsendto)rrZ flags_or_addrrT)rur*r+rs  zSSLSocket.sendtocOstd|jdS)Nz&sendmsg not allowed on instances of %s)rru)rrrr*r*r+sendmsgszSSLSocket.sendmsgc s||jdk r|dkr(td|jd}t|L}|d6}t|}x&||krp|||d}||7}qLWWdQRXWdQRXnt ||SdS)Nrz6non-zero flags not allowed in calls to sendall() on %sB) rrrRru memoryviewcastr[rrpsendall)rrrrHZviewZ byte_viewamountr)rur*r+rs   "zSSLSocket.sendallcs,|jdk r||||St|||SdS)N)rZ_sendfile_use_sendrpsendfile)rfileoffsetrH)rur*r+r s zSSLSocket.sendfilecsD||jdk r2|dkr(td|j||St||SdS)Nrz3non-zero flags not allowed in calls to recv() on %s)rrrRrurrprecv)rbuflenr)rur*r+r s   zSSLSocket.recvcsj||r|dkrt|}n |dkr*d}|jdk rV|dkrJtd|j|||St|||SdS)Nirz8non-zero flags not allowed in calls to recv_into() on %s)rr[rrRrurrp recv_into)rrnbytesr)rur*r+r$s     zSSLSocket.recv_intocs4||jdk r"td|jnt||SdS)Nz'recvfrom not allowed on instances of %s)rrrRrurprecvfrom)rr r)rur*r+r3s   zSSLSocket.recvfromcs6||jdk r"td|jnt|||SdS)Nz,recvfrom_into not allowed on instances of %s)rrrRrurp recvfrom_into)rrrr)rur*r+r;s   zSSLSocket.recvfrom_intocOstd|jdS)Nz&recvmsg not allowed on instances of %s)rru)rrrr*r*r+recvmsgCszSSLSocket.recvmsgcOstd|jdS)Nz+recvmsg_into not allowed on instances of %s)rru)rrrr*r*r+ recvmsg_intoGszSSLSocket.recvmsg_intocCs$||jdk r|jSdSdS)Nr)rrr)rr*r*r+rKs  zSSLSocket.pendingcs|d|_t|dS)N)rrrpr)rZhow)rur*r+rSszSSLSocket.shutdowncCs.|jr|j}d|_|Stdt|dS)NzNo SSL wrapper around )rrrRr)rsr*r*r+rXs  zSSLSocket.unwrapcCs$|jr|jStdt|dS)NzNo SSL wrapper around )rrrRr)rr*r*r+ras z&SSLSocket.verify_client_post_handshakecsd|_tdS)N)rrp _real_close)r)rur*r+rhszSSLSocket._real_closec CsF||}z$|dkr(|r(|d|jWd||XdS)Ng)rrrrr)rblockrr*r*r+rls  zSSLSocket.do_handshakec s|jrtd|js|jdk r&td|jj|d|j||jd|_y>|rVt |}nd}t ||s~d|_|j r~| |St tfk rd|_YnXdS)Nz!can't connect in server-side modez/attempt to connect already-connected SSLSocket!F)rrT)rrRrrrrrrrp connect_exconnectrrrQ)rrTrZrc)rur*r+ _real_connectws( zSSLSocket._real_connectcCs||ddS)NF)r)rrTr*r*r+rszSSLSocket.connectcCs ||dS)NT)r)rrTr*r*r+rszSSLSocket.connect_excs.t\}}|jj||j|jdd}||fS)NT)rrr)rpacceptrrrr)rZnewsockrT)rur*r+rs zSSLSocket.accept tls-uniquecCs4|jdk r|j|S|tkr,td|dSdS)Nz({0} channel binding type not implemented)rrCHANNEL_BINDING_TYPESrRrK)rrr*r*r+rs    zSSLSocket.get_channel_bindingcCs|jdk r|jSdSdS)N)rr)rr*r*r+rs  zSSLSocket.version)FTTNNN)N)rN)F)r)N)r)rN)rr)Nr)rr)Nr)F)r)/r6r7r8rrzrrrrrrrrrrrrrrrrrrrrrrr r rrrrrrrrrrrrrrrrrr{r*r*)rur+r!sd<                    rTc Csl|r|std|r |s tdt|} || _|r<| ||rL| ||| rZ| | | j||||dS)Nz5certfile must be specified for server-side operationszcertfile must be specified)rrrr)rRr~rrrZ set_ciphersr) rrrrr ssl_versionca_certsrrZciphersrr*r*r+rs    rcCsddlm}ddlm}d}d}y||ddd}Wn$tk rbtd||fYn0X||dd|}||d|f|d d SdS) Nr)strptime)timegm) ZJanZFebZMarZAprZMayZJunZJulZAugZSepZOctZNovZDecz %d %H:%M:%S %Y GMTrerFz*time data %r does not match format "%%b%s"rd)ZtimerZcalendarr indextitlerR)Z cert_timerr ZmonthsZ time_formatZ month_numberttr*r*r+cert_time_to_secondss  r%z-----BEGIN CERTIFICATE-----z-----END CERTIFICATE-----csRtt|ddtg}|fddtdtdD7}|tdd|S)NASCIIstrictcsg|]}||dqS)@r*)r2i)fr*r+ sz(DER_cert_to_PEM_cert..rr( ) rbase64Zstandard_b64encode PEM_HEADERranger[rZ PEM_FOOTERr\)Zder_cert_bytesssr*)r*r+DER_cert_to_PEM_certs "r2cCs\|tstdt|ts0tdt|tttt }t| ddS)Nz(Invalid PEM encoding; must start with %sz&Invalid PEM encoding; must end with %sr&r') r(r.rRstripendswithr0r[r-Z decodebytesr)Zpem_cert_stringdr*r*r+PEM_cert_to_DER_certs r6c Csd|\}}|dk rt}nt}t|||d}t|&}||}|d} WdQRXWdQRXt| S)N)rrmT)rr_create_stdlib_contextrArrr2) rTrrZhostZportrrrZsslsockZdercertr*r*r+get_server_certificates  r8cCs t|dS)Nz )_PROTOCOL_NAMESrY)Z protocol_coder*r*r+get_protocol_name&sr:)jrrg collectionsrenumrZ_EnumrZ_IntEnumrZ_IntFlagr9rrrr r r r r rrrrrrrrrrvrrrrr ImportErrorrrrrrrr r!r"r#r$r%_convertr6r&rr' __members__itemsr9rZ_SSLv2_IF_EXISTSr5rr<r=r>r?r@rArBrCrPr-rrrQZ socket_errorrrZHAS_NEVER_CHECK_COMMON_NAMEZ_RESTRICTED_SERVER_CIPHERSrJrOrUrXrbrcrfror|r~r}rrrZ_create_default_https_contextr7rrrrrrr%r.r0r2r6r8r:r*r*r*r+]s $0    1# 9-(