3 2a@sdddlZddlZddlZddlZddlZddlmZddlmZ m Z m Z ddlZddlmZmZmZddlmZmZmZddlmZmZmZmZmZmZddlmZmZddlmZm Z m!Z!m"Z"ydd lm#Z#Wne$k rYnXdd lm%Z%m&Z&m'Z'm(Z(m)Z)dd lm*Z*e j+d e,d dede j+de,ddede j+de,ddede j+de,ddede j+de,ddede j+de,ddede-j.Z/e-_/dde-j0j1DZ2e3e-ddZ4ej5dkrddlm6Z6m7Z7ddl8m8Z8m9Z9m:Z:m;Z;dd l8mZ>ddl?Z?ddl@Z@eAZBejCr.d!gZDngZDd"ZEd#ZFGd$d%d%eGZHdRd'd(ZId)d*ZJd+d,ZKed-d.ZLd/d0ZMGd1d2d2ed2d3ZNGd4d5d5eNe ZOGd6d7d7eZPeOjQfdddd8d9d:ZRe.fdd;eOjQdddddd<d=d>ZSeRZTeSZUGd?d@d@ZVGdAdBdBe8ZWddd;eXe.ddCdCdf dDdEZYdFdGZZdHZ[dIZ\dJdKZ]dLdMZ^e.dfdNdOZ_dPdQZ`dS)SN) namedtuple)EnumIntEnumIntFlag)OPENSSL_VERSION_NUMBEROPENSSL_VERSION_INFOOPENSSL_VERSION) _SSLContext MemoryBIO SSLSession)SSLErrorSSLZeroReturnErrorSSLWantReadErrorSSLWantWriteErrorSSLSyscallError SSLEOFError)txt2objnid2obj) RAND_statusRAND_add RAND_bytesRAND_pseudo_bytes)RAND_egd)HAS_SNIHAS_ECDHHAS_NPNHAS_ALPN HAS_TLSv1_3)_OPENSSL_API_VERSION _SSLMethodcCs|jdo|dkS)NZ PROTOCOL_PROTOCOL_SSLv23) startswith)namer#(/opt/alt/python36/lib64/python3.6/ssl.py|sr%)sourceOptionscCs |jdS)NZOP_)r!)r"r#r#r$r%sZAlertDescriptioncCs |jdS)NZALERT_DESCRIPTION_)r!)r"r#r#r$r%sZSSLErrorNumbercCs |jdS)NZ SSL_ERROR_)r!)r"r#r#r$r%s VerifyFlagscCs |jdS)NZVERIFY_)r!)r"r#r#r$r%s VerifyModecCs |jdS)NZCERT_)r!)r"r#r#r$r%scCsi|]\}}||qSr#r#).0r"valuer#r#r$ sr,ZPROTOCOL_SSLv2win32)enum_certificates enum_crls)socketAF_INET SOCK_STREAMcreate_connection) SOL_SOCKETSO_TYPEz tls-uniquezTLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!3DESzTLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DESc@s eZdZdS)CertificateErrorN)__name__ __module__ __qualname__r#r#r#r$r6sr6c Csg}|s dS|jd^}}|jd}||kr|jdsx|jdr|jtj|n|jtj|j ddx|D]}|jtj|qWtj d d j |d tj }|j |S) NF.*z,too many wildcards in certificate DNS name: z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)splitcountr6reprlowerappendr!reescapereplacecompilejoin IGNORECASEmatch) ZdnhostnameZ max_wildcardsZpatsZleftmostZ remainderZ wildcardsZfragZpatr#r#r$_dnsname_matchs&   rJcCstj|j}||kS)N) ipaddress ip_addressrstrip)Zipnamehost_ipZipr#r#r$_ipaddress_matchsrOcCsP|s tdytj|}Wntk r2d}YnXg}|jdf}xb|D]Z\}}|dkr||dkrpt||rpdS|j|qJ|dkrJ|dk rt||rdS|j|qJW|sxF|jdfD]6}x0|D](\}}|dkrt||rdS|j|qWqWt|dkr td|d j t t |fn,t|dkrDtd ||d fntd dS) Nztempty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIREDZsubjectAltNameZDNSz IP AddressZsubjectZ commonNamer:z&hostname %r doesn't match either of %sz, zhostname %r doesn't match %rrz=no appropriate commonName or subjectAltName fields were found) ValueErrorrKrLgetrJrArOlenr6rFmapr?)certrIrNZdnsnamesZsankeyr+subr#r#r$match_hostnames>    rWDefaultVerifyPathszQcafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capathcCsdtj}tjj|d|d}tjj|d|d}ttjj|rF|ndtjj|rX|ndf|S)Nrr:) _sslget_default_verify_pathsosenvironrQrXpathisfileisdir)partscafilecapathr#r#r$r\Us r\cs@eZdZfZfddZefddZefddZZS) _ASN1Objectcstj|ft|ddS)NF)r")super__new___txt2obj)clsoid) __class__r#r$rghsz_ASN1Object.__new__cstj|ft|S)N)rfrg_nid2obj)riZnid)rkr#r$fromnidksz_ASN1Object.fromnidcstj|ft|ddS)NT)r")rfrgrh)rir")rkr#r$fromnameqsz_ASN1Object.fromname) r7r8r9 __slots__rg classmethodrmrn __classcell__r#r#)rkr$recs reznid shortname longname oidc@seZdZdZdZdS)Purposez1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2N)r7r8r9 SERVER_AUTH CLIENT_AUTHr#r#r#r$rrxsrrcseZdZd!Zd"ZefddZefddZd#d d Zd$ddZ ddZ ddZ ddZ e jfddZefddZejfddZefddZejfddZefddZejfd dZZS)% SSLContextprotocol __weakref__CAROOTcOs"tj||}|tkr|jt|S)N)r rg_SSLv2_IF_EXISTS set_ciphers_DEFAULT_CIPHERS)rirvargskwargsselfr#r#r$rgs  zSSLContext.__new__cCs ||_dS)N)rv)rrvr#r#r$__init__szSSLContext.__init__FTNc Cst|||||||dS)N)sock server_sidedo_handshake_on_connectsuppress_ragged_eofsserver_hostname_context_session) SSLSocket)rrrrrrsessionr#r#r$ wrap_sockets zSSLContext.wrap_socketcCs|j||||d}t||dS)N)rr)r)Z _wrap_bio SSLObject)rZincomingZoutgoingrrrsslobjr#r#r$wrap_bios zSSLContext.wrap_biocCsdt}xN|D]F}t|d}t|dks2t|dkr:td|jt||j|q W|j|dS)Nasciirz(NPN protocols must be 1 to 255 in length) bytearraybytesrRr rAextendZ_set_npn_protocols)r npn_protocolsprotosrvbr#r#r$set_npn_protocolss  zSSLContext.set_npn_protocolscCsdt}xN|D]F}t|d}t|dks2t|dkr:td|jt||j|q W|j|dS)Nrrrz)ALPN protocols must be 1 to 255 in length)rrrRr rArZ_set_alpn_protocols)rZalpn_protocolsrrvrr#r#r$set_alpn_protocolss  zSSLContext.set_alpn_protocolsc Cszt}y@x:t|D].\}}}|dkr|dks6|j|kr|j|qWWntk rdtjdYnX|rv|j|d|S)NZx509_asnTz-unable to enumerate Windows certificate store)cadata)rr.rjrPermissionErrorwarningswarnload_verify_locations)r storenamepurposeZcertsrTencodingZtrustr#r#r$_load_windows_store_certss z$SSLContext._load_windows_store_certscCsDt|tst|tjdkr8x|jD]}|j||q$W|jdS)Nr-) isinstancere TypeErrorsysplatform_windows_cert_storesrZset_default_verify_paths)rrrr#r#r$load_default_certss    zSSLContext.load_default_certscs ttjS)N)r'rfoptions)r)rkr#r$rszSSLContext.optionscstttjj||dS)N)rfrur__set__)rr+)rkr#r$rscs ttjS)N)r(rf verify_flags)r)rkr#r$rszSSLContext.verify_flagscstttjj||dS)N)rfrurr)rr+)rkr#r$rsc s*tj}yt|Stk r$|SXdS)N)rf verify_moder)rP)rr+)rkr#r$rs zSSLContext.verify_modecstttjj||dS)N)rfrurr)rr+)rkr#r$rs)rvrw)rxry)FTTNN)FNN)r7r8r9ror PROTOCOL_TLSrgrrrrrrrrrsrpropertyrsetterrrrqr#r#)rkr$rus(      ru)rcrdrcCszt|tst|tt}|tjkr2t|_d|_ n|tj krF|j t |sR|sR|rb|j |||n|jtkrv|j||S)NT)rrerrurrrrs CERT_REQUIREDrcheck_hostnamertr{_RESTRICTED_SERVER_CIPHERSr CERT_NONEr)rrcrdrcontextr#r#r$create_default_contexts       rF) cert_reqsrrcertfilekeyfilercrdrc Cst|tst|t|} |dk r(|| _|| _|r@| r@td|sH|rT| j|||s`|s`|rp| j|||n| jt kr| j || S)Nzcertfile must be specified) rrerrurrrPload_cert_chainrrr) rvrrrrrrcrdrrr#r#r$_create_unverified_contexts      rc@seZdZd/ddZeddZejddZeddZejd dZed d Zed d Z eddZ d0ddZ ddZ d1ddZ ddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd2d)d*Zd+d,Zd-d.ZdS)3rNcCs&||_|p ||j_|dk r"||j_dS)N)_sslobjownerr)rrrrr#r#r$rGs zSSLObject.__init__cCs|jjS)N)rr)rr#r#r$rNszSSLObject.contextcCs ||j_dS)N)rr)rctxr#r#r$rSscCs|jjS)N)rr)rr#r#r$rWszSSLObject.sessioncCs ||j_dS)N)rr)rrr#r#r$r\scCs|jjS)N)rsession_reused)rr#r#r$r`szSSLObject.session_reusedcCs|jjS)N)rr)rr#r#r$reszSSLObject.server_sidecCs|jjS)N)rr)rr#r#r$rjszSSLObject.server_hostnamecCs(|dk r|jj||}n |jj|}|S)N)rread)rrRbuffervr#r#r$rps zSSLObject.readcCs |jj|S)N)rwrite)rdatar#r#r$r|szSSLObject.writeFcCs |jj|S)N)rZpeer_certificate)r binary_formr#r#r$ getpeercertszSSLObject.getpeercertcCstjr|jjSdS)N)r[rrselected_npn_protocol)rr#r#r$rszSSLObject.selected_npn_protocolcCstjr|jjSdS)N)r[rrselected_alpn_protocol)rr#r#r$rsz SSLObject.selected_alpn_protocolcCs |jjS)N)rcipher)rr#r#r$rszSSLObject.ciphercCs |jjS)N)rshared_ciphers)rr#r#r$rszSSLObject.shared_cipherscCs |jjS)N)r compression)rr#r#r$rszSSLObject.compressioncCs |jjS)N)rpending)rr#r#r$rszSSLObject.pendingcCs4|jj|jjr0|js tdt|j|jdS)Nz-check_hostname needs server_hostname argument)r do_handshakerrrrPrWr)rr#r#r$rs  zSSLObject.do_handshakecCs |jjS)N)rshutdown)rr#r#r$unwrapszSSLObject.unwrap tls-uniquecCs0|tkrtd|dkr&tdj||jjS)Nz Unsupported channel binding typez tls-uniquez({0} channel binding type not implemented)CHANNEL_BINDING_TYPESrPNotImplementedErrorformatrZ tls_unique_cb)rcb_typer#r#r$get_channel_bindingszSSLObject.get_channel_bindingcCs |jjS)N)rversion)rr#r#r$rszSSLObject.versioncCs |jjS)N)rverify_client_post_handshake)rr#r#r$rsz&SSLObject.verify_client_post_handshake)NN)rN)F)r)r7r8r9rrrrrrrrrrrrrrrrrrrrrrr#r#r#r$r7s,          rcseZdZddddeeddeeddddddddfddZeddZ e j d dZ ed d Z e j d d Z ed dZ ddZ dUddZddZdVddZddZdWddZddZddZd d!Zd"d#Zd$d%ZdXd&d'ZdYd(d)Zd*d+ZdZd,d-Zd[fd.d/ Zd\d0d1Zd]d2d3Zd^d4d5Zd_d6d7Z d8d9Z!d:d;Z"dd?Z$d@dAZ%dBdCZ&dDdEZ'd`dFdGZ(dHdIZ)dJdKZ*dLdMZ+dNdOZ,dadQdRZ-dSdTZ.Z/S)brNFTrcCsj|r ||_n|r| rtd|r0| r0td|r>| r>|}t||_||j_|r`|jj||rr|jj|||r|jj||r|jj|||_||_ ||_ ||_ ||_ ||_ |jtttkrtd|r|rtd|dk rtd|jjo| rtd||_||_||_||_| |_|dk rdtj||j|j|j|jd|j|j |j!n,| dk r~tj|| dntj|| | | d y |j"Wn8t#k r}z|j$t$j%krd }WYdd}~XnXd }d |_&d|_'||_(|rfyN|jj)|||}t*|||jd |_'|r>|j }|d kr6td|j+Wn$t#tfk rd|j,YnXdS)Nz5certfile must be specified for server-side operationszcertfile must be specifiedz!only stream sockets are supportedz4server_hostname can only be specified in client modez,session can only be specified in client modez'check_hostname requires server_hostname)familytypeprotofileno)r)rrrFT)rrgzHdo_handshake_on_connect should not be specified for non-blocking sockets)-rrPrurrrrr{rrr ssl_versionca_certsciphersZ getsockoptr4r5r2rrrrrrrr0rrrrr settimeout gettimeoutdetach getpeernameOSErrorerrnoZENOTCONNZ_closedr _connected _wrap_socketrrclose)rrrrrrrrrrrrrrrrrrreZ connectedrtimeoutr#r#r$rs                 zSSLSocket.__init__cCs|jS)N)r)rr#r#r$r7szSSLSocket.contextcCs||_||j_dS)N)rrr)rrr#r#r$r;scCs|jdk r|jjSdS)N)rr)rr#r#r$r@s zSSLSocket.sessioncCs||_|jdk r||j_dS)N)rrr)rrr#r#r$rFs cCs|jdk r|jjSdS)N)rr)rr#r#r$rLs zSSLSocket.session_reusedcCstd|jjdS)NzCan't dup() %s instances)rrkr7)rr#r#r$dupRsz SSLSocket.dupcCsdS)Nr#)rmsgr#r#r$ _checkClosedVszSSLSocket._checkClosedcCs|js|jdS)N)rr)rr#r#r$_check_connectedZszSSLSocket._check_connectedcCst|j|jstdy|jj||Stk rn}z.|jdtkr\|jr\|dk rVdSdSnWYdd}~XnXdS)Nz'Read on closed or unwrapped SSL socket.r)rrrPrr r}Z SSL_ERROR_EOFr)rrRrxr#r#r$rbszSSLSocket.readcCs"|j|jstd|jj|S)Nz(Write on closed or unwrapped SSL socket.)rrrPr)rrr#r#r$rtszSSLSocket.writecCs|j|j|jj|S)N)rrrr)rrr#r#r$r}szSSLSocket.getpeercertcCs*|j|j stj rdS|jjSdS)N)rrr[rr)rr#r#r$rszSSLSocket.selected_npn_protocolcCs*|j|j stj rdS|jjSdS)N)rrr[rr)rr#r#r$rsz SSLSocket.selected_alpn_protocolcCs |j|jsdS|jjSdS)N)rrr)rr#r#r$rszSSLSocket.ciphercCs|j|jsdS|jjS)N)rrr)rr#r#r$rszSSLSocket.shared_cipherscCs |j|jsdS|jjSdS)N)rrr)rr#r#r$rszSSLSocket.compressioncCsB|j|jr0|dkr$td|j|jj|Stj|||SdS)Nrz3non-zero flags not allowed in calls to send() on %s)rrrPrkrr0send)rrflagsr#r#r$rs  zSSLSocket.sendcCsH|j|jrtd|jn&|dkr4tj|||Stj||||SdS)Nz%sendto not allowed on instances of %s)rrrPrkr0sendto)rrZ flags_or_addraddrr#r#r$rs zSSLSocket.sendtocOstd|jdS)Nz&sendmsg not allowed on instances of %s)rrk)rr}r~r#r#r$sendmsgszSSLSocket.sendmsgcCs|j|jr|dkr$td|jd}t|L}|jd6}t|}x&||krl|j||d}||7}qHWWdQRXWdQRXntj |||SdS)Nrz6non-zero flags not allowed in calls to sendall() on %sB) rrrPrk memoryviewcastrRrr0sendall)rrrr>ZviewZ byte_viewamountrr#r#r$rs  "zSSLSocket.sendallcs,|jdkrtj|||S|j|||SdS)N)rrfsendfileZ_sendfile_use_send)rfileoffsetr>)rkr#r$rs zSSLSocket.sendfilecCs@|j|jr.|dkr$td|j|j|Stj|||SdS)Nrz3non-zero flags not allowed in calls to recv() on %s)rrrPrkrr0recv)rbuflenrr#r#r$rs  zSSLSocket.recvcCsf|j|r|dkrt|}n |dkr*d}|jrR|dkrFtd|j|j||Stj||||SdS)Nirz8non-zero flags not allowed in calls to recv_into() on %s)rrRrrPrkrr0 recv_into)rrnbytesrr#r#r$rs    zSSLSocket.recv_intocCs0|j|jrtd|jntj|||SdS)Nz'recvfrom not allowed on instances of %s)rrrPrkr0recvfrom)rrrr#r#r$rs  zSSLSocket.recvfromcCs2|j|jrtd|jntj||||SdS)Nz,recvfrom_into not allowed on instances of %s)rrrPrkr0 recvfrom_into)rrrrr#r#r$rs  zSSLSocket.recvfrom_intocOstd|jdS)Nz&recvmsg not allowed on instances of %s)rrk)rr}r~r#r#r$recvmsgszSSLSocket.recvmsgcOstd|jdS)Nz+recvmsg_into not allowed on instances of %s)rrk)rr}r~r#r#r$ recvmsg_into szSSLSocket.recvmsg_intocCs |j|jr|jjSdSdS)Nr)rrr)rr#r#r$rs zSSLSocket.pendingcCs|jd|_tj||dS)N)rrr0r)rZhowr#r#r$rszSSLSocket.shutdowncCs.|jr|jj}d|_|Stdt|dS)NzNo SSL wrapper around )rrrPstr)rsr#r#r$rs  zSSLSocket.unwrapcCs$|jr|jjStdt|dS)NzNo SSL wrapper around )rrrPr)rr#r#r$r$s z&SSLSocket.verify_client_post_handshakecCsd|_tj|dS)N)rr0 _real_close)rr#r#r$r*szSSLSocket._real_closec CsF|j|j}z$|dkr(|r(|jd|jjWd|j|XdS)Ng)rrrrr)rblockrr#r#r$r.s  zSSLSocket.do_handshakec Cs|jrtd|jrtd|jj|d|j}t|||jd|_y>|rTt j ||}nd}t j |||s|d|_|j r||j |Sttfk rd|_YnXdS)Nz!can't connect in server-side modez/attempt to connect already-connected SSLSocket!F)rrT)rrPrrrrrrrr0 connect_exconnectrrr)rrrrZrcr#r#r$ _real_connect9s(  zSSLSocket._real_connectcCs|j|ddS)NF)r )rrr#r#r$r RszSSLSocket.connectcCs |j|dS)NT)r )rrr#r#r$rWszSSLSocket.connect_excCs.tj|\}}|jj||j|jdd}||fS)NT)rrr)r0acceptrrrr)rZnewsockrr#r#r$r \s zSSLSocket.accept tls-uniquecCs|jdkrdS|jj|S)N)rr)rrr#r#r$rhs zSSLSocket.get_channel_bindingcCs|jdkrdS|jjS)N)rr)rr#r#r$rqs zSSLSocket.version)N)rN)F)r)N)r)rN)rr)Nr)rr)Nr)F)r )0r7r8r9rrr1r2rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r rr rrrqr#r#)rkr$rs^Z             rTc Cst|||||||||| d S)N) rrrrrrrrrr)r) rrrrrrrrrrr#r#r$r{s rc Csddlm}ddlm}d}d}y|j|ddjd}Wn$tk rbtd||fYn0X||dd|}||d|f|ddSdS)Nr)strptime)timegmJanFebMarAprMayJunJulAugSepOctNovDecz %d %H:%M:%S %Y GMTrZr:z*time data %r does not match format "%%b%s"rY) rrrrrrrrrrrr)Ztimer ZcalendarrindextitlerP)Z cert_timer rZmonthsZ time_formatZ month_numberttr#r#r$cert_time_to_secondss  rz-----BEGIN CERTIFICATE-----z-----END CERTIFICATE-----cCs2ttj|dd}tdtj|ddtdS)NASCIIstrict @)rbase64Zstandard_b64encode PEM_HEADERtextwrapfill PEM_FOOTER)Zder_cert_bytesfr#r#r$DER_cert_to_PEM_certsr*cCs\|jtstdt|jjts0tdt|jtttt }tj|j ddS)Nz(Invalid PEM encoding; must start with %sz&Invalid PEM encoding; must end with %sr r!) r!r%rPstripendswithr(rRr$Z decodebytesencode)Zpem_cert_stringdr#r#r$PEM_cert_to_DER_certs r/c Csd|\}}|dk rt}nt}t|||d}t|&}|j|}|jd} WdQRXWdQRXt| S)N)rrcT)rr_create_stdlib_contextr3rrr*) rrrhostZportrrrZsslsockZdercertr#r#r$get_server_certificates  r2cCs tj|dS)Nz )_PROTOCOL_NAMESrQ)Z protocol_coder#r#r$get_protocol_namesr4)r:)arKr&rBrr] collectionsrenumrZ_EnumrZ_IntEnumrZ_IntFlagr[rrrr r r r r rrrrrrhrrlrrrrr ImportErrorrrrrrr_convertr7rrr __members__itemsr3getattrrzrr.r/r0r1r2r3r4r5r$rrrZ socket_errorZHAS_TLS_UNIQUErr|rrPr6rJrOrWrXr\rerrrursrrZ_create_default_https_contextr0rrrrrr%r(r*r/r2r4r#r#r#r$]s       1 4i%-