a ze2 @sddlZddlZddlmZddlmZmZm Z ddl Z ddl m Z m Z mZddl mZmZmZddl mZmZmZmZmZmZmZddl mZmZddl mZmZmZm Z zdd l m!Z!Wne"yYn0dd l m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,dd l m-Z-m.Z.ej/d e0d de de j/de0dde dej/de0dde dej/de0dde de j/de0dde dej/de0dde de1j2Z3e1_3dde1j45DZ6e7e1ddZ8GdddeZ9Gdd d eZ:Gd!d"d"eZ;Gd#d$d$eZZ>m?Z?dd'l@m@Z@mAZAmBZBdd(l@mCZCmDZDddl@ZEddlFZFddlGZGddlHZHeIZJd)gZKeLe d*ZMe-ZNeZOd+d,ZPd-d.ZQd/d0ZRd1d2ZSed3d4ZTd5d6ZUGd7d8d8ed8d9ZVGd:d;d;eVeZWGdd?d@ZZe2fe[dAeWjYddddddBdCdDZ\eZZ]e\Z^GdEdFdFZ_dGdHZ`GdIdJdJe@ZaeaeX_be_eX_cdddAe[e2ddKdKdf dLdMZddNdOZedPZfdQZgdRdSZhdTdUZie2dfdVdWZjdXdYZkdS)ZN) namedtuple)EnumIntEnumIntFlag)OPENSSL_VERSION_NUMBEROPENSSL_VERSION_INFOOPENSSL_VERSION) _SSLContext MemoryBIO SSLSession)SSLErrorSSLZeroReturnErrorSSLWantReadErrorSSLWantWriteErrorSSLSyscallError SSLEOFErrorSSLCertVerificationError)txt2objnid2obj) RAND_statusRAND_add RAND_bytesRAND_pseudo_bytes)RAND_egd) HAS_SNIHAS_ECDHHAS_NPNHAS_ALPN HAS_SSLv2 HAS_SSLv3 HAS_TLSv1 HAS_TLSv1_1 HAS_TLSv1_2 HAS_TLSv1_3)_DEFAULT_CIPHERS_OPENSSL_API_VERSION _SSLMethodcCs|do|dkS)NZ PROTOCOL_PROTOCOL_SSLv23 startswithnamer,/usr/lib/python3.9/ssl.py}r.)sourceOptionscCs |dS)NZOP_r(r*r,r,r-r.r/ZAlertDescriptioncCs |dS)NZALERT_DESCRIPTION_r(r*r,r,r-r.r/ZSSLErrorNumbercCs |dS)NZ SSL_ERROR_r(r*r,r,r-r.r/ VerifyFlagscCs |dS)NZVERIFY_r(r*r,r,r-r.r/ VerifyModecCs |dS)NZCERT_r(r*r,r,r-r.r/cCsi|]\}}||qSr,r,).0r+valuer,r,r- r/r6ZPROTOCOL_SSLv2c@s6eZdZejZejZejZ ej Z ej Z ejZejZdS) TLSVersionN)__name__ __module__ __qualname___sslZPROTO_MINIMUM_SUPPORTEDZMINIMUM_SUPPORTEDZ PROTO_SSLv3SSLv3Z PROTO_TLSv1ZTLSv1Z PROTO_TLSv1_1ZTLSv1_1Z PROTO_TLSv1_2ZTLSv1_2Z PROTO_TLSv1_3ZTLSv1_3ZPROTO_MAXIMUM_SUPPORTEDZMAXIMUM_SUPPORTEDr,r,r,r-r7sr7c@s$eZdZdZdZdZdZdZdZdS)_TLSContentTypeN) r8r9r:CHANGE_CIPHER_SPECALERTZ HANDSHAKEZAPPLICATION_DATAHEADERZINNER_CONTENT_TYPEr,r,r,r-r=s r=c@seZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#S)$ _TLSAlertTyper r>r?r@()*+,-./0123<FGPVZdmnopqrstxN)%r8r9r:Z CLOSE_NOTIFYZUNEXPECTED_MESSAGEZBAD_RECORD_MACZDECRYPTION_FAILEDZRECORD_OVERFLOWZDECOMPRESSION_FAILUREZHANDSHAKE_FAILUREZNO_CERTIFICATEZBAD_CERTIFICATEZUNSUPPORTED_CERTIFICATEZCERTIFICATE_REVOKEDZCERTIFICATE_EXPIREDZCERTIFICATE_UNKNOWNZILLEGAL_PARAMETERZ UNKNOWN_CAZ ACCESS_DENIEDZ DECODE_ERRORZ DECRYPT_ERRORZEXPORT_RESTRICTIONZPROTOCOL_VERSIONZINSUFFICIENT_SECURITYZINTERNAL_ERRORZINAPPROPRIATE_FALLBACKZ USER_CANCELEDZNO_RENEGOTIATIONZMISSING_EXTENSIONZUNSUPPORTED_EXTENSIONZCERTIFICATE_UNOBTAINABLEZUNRECOGNIZED_NAMEZBAD_CERTIFICATE_STATUS_RESPONSEZBAD_CERTIFICATE_HASH_VALUEZUNKNOWN_PSK_IDENTITYZCERTIFICATE_REQUIREDZNO_APPLICATION_PROTOCOLr,r,r,r-rGsDrGc@sdeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdS)_TLSMessageTyper r>r?r@rACrCN)r8r9r:Z HELLO_REQUESTZ CLIENT_HELLOZ SERVER_HELLOZHELLO_VERIFY_REQUESTZNEWSESSION_TICKETZEND_OF_EARLY_DATAZHELLO_RETRY_REQUESTZENCRYPTED_EXTENSIONSZ CERTIFICATEZSERVER_KEY_EXCHANGEZCERTIFICATE_REQUESTZ SERVER_DONEZCERTIFICATE_VERIFYZCLIENT_KEY_EXCHANGEFINISHEDZCERTIFICATE_URLZCERTIFICATE_STATUSZSUPPLEMENTAL_DATAZ KEY_UPDATEZ NEXT_PROTOZ MESSAGE_HASHrDr,r,r,r-rfs,rfwin32)enum_certificates enum_crls)socket SOCK_STREAMcreate_connection) SOL_SOCKETSO_TYPE tls-uniqueHOSTFLAG_NEVER_CHECK_SUBJECTcCs|sdS|d}|s&||kS|dkrsole wildcard without additional labels are not support: {!r}.z.shim_cb)Z sni_callbackcallable TypeError)rrrr,rr-set_servername_callbacks z"SSLContext.set_servername_callbackcCs`t}|D]F}t|d}t|dks0t|dkr8td|t|||q ||dS)Nrrrz)ALPN protocols must be 1 to 255 in length)rrrr rrZ_set_alpn_protocols)rZalpn_protocolsrrrr,r,r-set_alpn_protocols!s  zSSLContext.set_alpn_protocolscCstt}zYn0|tjkrPt}n|tjkr`t}nt}z ||}WntyYn0||||||Sr)r7rr=rFrErGrf)conn directionversionZ content_typeZmsg_typedataZmsg_enumcallbackr,r-rs(        z'SSLContext._msg_callback..inner)rrrrhasattrrr)rrrrrr-rs  cs ttjSr)r&rrrrr,r-rszSSLContext.protocolcs ttjSr)r2r verify_flagsrrr,r-rszSSLContext.verify_flagscstttj||dSr)rrrrrrr,r-rscs.tj}z t|WSty(|YS0dSr)r verify_moder3rrrr,r-r s   zSSLContext.verify_modecstttj||dSr)rrr rrrr,r-r s)FTTNN)FNN) r8r9r:rrr PROTOCOL_TLSrrrrrrrrrrrrr propertyrsetterrrr;rrrrr rr,r,rr-rsh           &%r)rrrcCst|tst|tt}|tjkr0t|_d|_ |s<|s<|rL| |||n|jt kr`| |t |drtjd}|rtjjs||_|S)NTkeylog_filename SSLKEYLOGFILE)rrrrr rr CERT_REQUIREDr check_hostnamer CERT_NONErrrrrrflagsignore_environmentr )rrrrr keylogfiler,r,r-create_default_contexts        rF) cert_reqsrrcertfilekeyfilerrrc Cst|tst|t|} |s$d| _|dur2|| _|rd?Z"fd@dAZ#edBdCZ$edDdEZ%fdFdGZ&edcdHdIZ'fdJdKZ(dLdMZ)dNdOZ*fdPdQZ+edddSdTZ,edUdVZ-Z.S)e SSLSocketcOst|jjddS)NzX does not have a public constructor. Instances are returned by SSLContext.wrap_socket().rrr,r,r-rs zSSLSocket.__init__FTNc sf|tttkrtd|r8|r(td|dur8td|jrJ|sJtdt|j|j |j | d}|j |fi|} t t| jfi||} ||| _|| _d| _d| _|| _||| _|| _|| _z | Wnty} z| jtjkrd} | } | dz| !d}Wn@tyb} z&| jtjtj"fvrJd}WYd} ~ n d} ~ 00| | |rd }t#| j|}||_$d|_%z | &WntyYn0z |Wd}nd}0WYd} ~ nd} ~ 00d } | '| | | _(| rbzH| jj)| || j| | jd | _|r<| }|d kr4td | *Wn"ttfy`| &Yn0| S)Nz!only stream sockets are supportedz4server_hostname can only be specified in client modez,session can only be specified in client modez'check_hostname requires server_hostname)familytypeprotofilenoFrgr/z5Closed before TLS handshake with data in recv buffer.Tr rzHdo_handshake_on_connect should not be specified for non-blocking sockets)+ getsockoptr~rr|NotImplementedErrorrrdictrCrDrErFrrrBr gettimeoutdetach_context_session_closedr!rrrrr getpeernamererrnoZENOTCONN getblocking setblockingrecvEINVALr reasonZlibraryclose settimeout _connected _wrap_socketr7)rrrrrrrrrrZ sock_timeouteZ connectedblockingZnotconn_pre_handshake_datarWZ notconn_pre_handshake_data_errortimeoutrr,r-rs         "   zSSLSocket._createcCs|jSr)rNrr,r,r-r8szSSLSocket.contextcCs||_||j_dSr)rNr!rr#r,r,r-r=scCs|jdur|jjSdSrr%rr,r,r-rBs zSSLSocket.sessioncCs||_|jdur||j_dSr)rOr!rr&r,r,r-rHs cCs|jdur|jjSdSrr'rr,r,r-r(Ns zSSLSocket.session_reusedcCstd|jjdS)NzCan't dup() %s instances)rJrr8rr,r,r-dupTsz SSLSocket.dupcCsdSrr,)rmsgr,r,r- _checkClosedXszSSLSocket._checkClosedcCs|js|dSr)rZrQrr,r,r-_check_connected\szSSLSocket._check_connectedr)c Cs||jdurtdz*|dur4|j||WS|j|WSWn`ty}zH|jdtkr|jr|dur~WYd}~dSWYd}~dSnWYd}~n d}~00dS)Nz'Read on closed or unwrapped SSL socket.rr/)rar!rr*r rZ SSL_ERROR_EOFr)rrr+xr,r,r-r*ds zSSLSocket.readcCs&||jdurtd|j|S)Nz(Write on closed or unwrapped SSL socket.)rar!rr-r.r,r,r-r-ys zSSLSocket.writecCs|||j|Sr)rarbr!r/r0r,r,r-r/szSSLSocket.getpeercertcCs*||jdustjsdS|jSdSr)rar!r;rr1rr,r,r-r1szSSLSocket.selected_npn_protocolcCs*||jdustjsdS|jSdSr)rar!r;rr2rr,r,r-r2sz SSLSocket.selected_alpn_protocolcCs$||jdurdS|jSdSr)rar!r3rr,r,r-r3s zSSLSocket.ciphercCs$||jdurdS|jSdSr)rar!r4rr,r,r-r4s zSSLSocket.shared_cipherscCs$||jdurdS|jSdSr)rar!r5rr,r,r-r5s zSSLSocket.compressionrcsF||jdur4|dkr(td|j|j|St||SdS)Nrz3non-zero flags not allowed in calls to send() on %s)rar!rrr-rsend)rrrrr,r-rds  zSSLSocket.sendcsL||jdur"td|jn&|dur8t||St|||SdS)Nz%sendto not allowed on instances of %s)rar!rrrsendto)rrZ flags_or_addrrrr,r-res zSSLSocket.sendtocOstd|jdS)Nz&sendmsg not allowed on instances of %srJrrr,r,r-sendmsgszSSLSocket.sendmsgc s||jdur|dkr(td|jd}t|f}|d<}t|}||krn|||d}||7}qJWdn1s0YWdq1s0Ynt ||SdS)Nrz6non-zero flags not allowed in calls to sendall() on %sB) rar!rr memoryviewcastrrdrsendall)rrrrview byte_viewamountr,rr,r-rks HzSSLSocket.sendallcs,|jdur||||St|||SdSr)r!_sendfile_use_sendrsendfile)rfileoffsetrrr,r-rps zSSLSocket.sendfilecsD||jdur2|dkr(td|j||St||SdS)Nrz3non-zero flags not allowed in calls to recv() on %s)rar!rrr*rrUrbuflenrrr,r-rUs  zSSLSocket.recvcsj||r|durt|}n |dur*d}|jdurV|dkrJtd|j|||St|||SdS)Nr)rz8non-zero flags not allowed in calls to recv_into() on %s)rarr!rrr*r recv_intorr+nbytesrrr,r-rus    zSSLSocket.recv_intocs4||jdur"td|jnt||SdS)Nz'recvfrom not allowed on instances of %s)rar!rrrrecvfromrsrr,r-rxs  zSSLSocket.recvfromcs6||jdur"td|jnt|||SdS)Nz,recvfrom_into not allowed on instances of %s)rar!rrr recvfrom_intorvrr,r-rys  zSSLSocket.recvfrom_intocOstd|jdS)Nz&recvmsg not allowed on instances of %srfrr,r,r-recvmsgszSSLSocket.recvmsgcOstd|jdS)Nz+recvmsg_into not allowed on instances of %srfrr,r,r- recvmsg_intoszSSLSocket.recvmsg_intocCs$||jdur|jSdSdS)Nr)rar!r6rr,r,r-r6s  zSSLSocket.pendingcs|d|_t|dSr)rar!rr8)rhowrr,r-r8szSSLSocket.shutdowncCs.|jr|j}d|_|Stdt|dSNzNo SSL wrapper around )r!r8rr)rsr,r,r-r9$s  zSSLSocket.unwrapcCs$|jr|jStdt|dSr})r!r=rrrr,r,r-r=-s z&SSLSocket.verify_client_post_handshakecsd|_tdSr)r!r _real_closerrr,r-r4szSSLSocket._real_closec CsP||}z.|dkr(|r(|d|jW||n ||0dS)NrH)rbrLrYr!r7)rblockr^r,r,r-r78s   zSSLSocket.do_handshakec s|jrtd|js|jdur&td|jj|d|j||jd|_z@|rVt |}nd}t ||s~d|_|j r~| |WSt tfyd|_Yn0dS)Nz!can't connect in server-side modez/attempt to connect already-connected SSLSocket!FrGT)rrrZr!rr[rrOr connect_exconnectrr7r)rrrrcrr,r- _real_connectCs* zSSLSocket._real_connectcCs||ddS)NFrrrr,r,r-r]szSSLSocket.connectcCs ||dSrrrr,r,r-rbszSSLSocket.connect_excs.t\}}|jj||j|jdd}||fS)NT)rrr)racceptrrrr)rZnewsockrrr,r-rgszSSLSocket.acceptrcCs4|jdur|j|S|tvr,td|dSdS)Nz({0} channel binding type not implemented)r!r:CHANNEL_BINDING_TYPESrrr;r,r,r-r:ss  zSSLSocket.get_channel_bindingcCs|jdur|jSdSdSrr<rr,r,r-r~s  zSSLSocket.version)FTTNNN)N)r)N)F)r)N)r)rN)r)r)Nr)r)r)Nr)F)r)/r8r9r:rrrr rArr rr(r_rarbr*r-r/r1r2r3r4r5rdrergrkrprUrurxryrzr{r6r8r9r=rr7rrrrr:rrr,r,rr-rBs_                          rBTc Csl|r|std|r |s tdt|} || _|r<| ||rL| ||| rZ| | | j||||dS)Nz5certfile must be specified for server-side operationsr)rrrr)rrr rrZ set_ciphersr) rrrrr ssl_versionca_certsrrZciphersrr,r,r-rs"   rcCsddlm}ddlm}d}d}z||ddd}Wn"ty`td||fYn00||dd|}||d|f|d d SdS) Nr)strptime)timegm) ZJanZFebZMarZAprZMayZJunZJulZAugZSepZOctZNovZDecz %d %H:%M:%S %Y GMTrirgz*time data %r does not match format "%%b%s"rhrl)timerZcalendarrindextitler)Z cert_timerrZmonthsZ time_formatZ month_numberttr,r,r-cert_time_to_secondss    rz-----BEGIN CERTIFICATE-----z-----END CERTIFICATE-----csRtt|ddtg}|fddtdtdD7}|tdd|S)NASCIIstrictcsg|]}||dqS)@r,)r4ifr,r- r/z(DER_cert_to_PEM_cert..rr ) rbase64Zstandard_b64encode PEM_HEADERrangerr PEM_FOOTERr)Zder_cert_bytesssr,rr-DER_cert_to_PEM_certs "rcCs\|tstdt|ts0tdt|tttt }t| ddS)Nz(Invalid PEM encoding; must start with %sz&Invalid PEM encoding; must end with %srr) r)rrstripendswithrrrZ decodebytesr)Zpem_cert_stringdr,r,r-PEM_cert_to_DER_certs rc Cs|\}}|durt}nt}t|||d}t|D}||}|d} Wdn1s\0YWdn1sz0Yt| S)N)rrT)rr_create_stdlib_contextr}rr/r) rrrhostportrrrZsslsockZdercertr,r,r-get_server_certificates  FrcCs t|dS)Nz )_PROTOCOL_NAMESr)Z protocol_coder,r,r-get_protocol_namesr)lrr collectionsrenumrZ_Enumr_IntEnumrZ_IntFlagr;rrrr r r r r rrrrrrrrrrrrrr ImportErrorrrrrrrr r!r"r#r$r% _convert_r8r&r r' __members__itemsrr>Z_SSLv2_IF_EXISTSr7r=rGrfrryrzr{r|r}r~rrrrRrrZ socket_errorrrZHAS_NEVER_CHECK_COMMON_NAMEZ_RESTRICTED_SERVER_CIPHERSrrrrrrrrrrrrrrZ_create_default_https_contextrrrArBrrrrrrrrrrr,r,r,r-^s $ 0   )  1# 9z # />