o JAf @s ddlZddlZddlmZddlmZmZm Z ddl Z ddl m Z m Z mZddl mZmZmZddl mZmZmZmZmZmZmZddl mZmZddl mZmZmZm Z zdd l m!Z!Wn e"yhYnwdd l m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,dd l m-Z-m.Z.ej/d e0d de de j/de0dde dej/de0dde dej/de0dde de j/de0dde dej/de0dde de1j2Z3e1_3dde1j45DZ6e7e1ddZ8GdddeZ9Gdd d eZ:Gd!d"d"eZ;Gd#d$d$eZZ>m?Z?dd'l@m@Z@mAZAmBZBdd(l@mCZCmDZDmEZEddl@ZFddlGZGddlHZHddlIZIeJZKd)gZLeMe d*ZNe-ZOeZPd+d,ZQd-d.ZRd/d0ZSd1d2ZTed3d4ZUd5d6ZVGd7d8d8ed8d9ZWGd:d;d;eWeZXGdd?d@Z[dZe\dAeXjZddddddBdCdDZ]e[Z^e]Z_GdEdFdFZ`dGdHZaGdIdJdJe@ZbebeY_ce`eY_ddddAe\e2ddKdKdf dLdMZedNdOZfdPZgdQZhdRdSZidTdUZjekdeEfdVdWZldXdYZmdS)[N) namedtuple)EnumIntEnumIntFlag)OPENSSL_VERSION_NUMBEROPENSSL_VERSION_INFOOPENSSL_VERSION) _SSLContext MemoryBIO SSLSession)SSLErrorSSLZeroReturnErrorSSLWantReadErrorSSLWantWriteErrorSSLSyscallError SSLEOFErrorSSLCertVerificationError)txt2objnid2obj) RAND_statusRAND_add RAND_bytesRAND_pseudo_bytes)RAND_egd) HAS_SNIHAS_ECDHHAS_NPNHAS_ALPN HAS_SSLv2 HAS_SSLv3 HAS_TLSv1 HAS_TLSv1_1 HAS_TLSv1_2 HAS_TLSv1_3)_DEFAULT_CIPHERS_OPENSSL_API_VERSION _SSLMethodcCs|do|dkS)NZ PROTOCOL_PROTOCOL_SSLv23 startswithnamer,/usr/lib/python3.10/ssl.py}sr.)sourceOptionscC |dS)NZOP_r(r*r,r,r-r. ZAlertDescriptioncCr1)NZALERT_DESCRIPTION_r(r*r,r,r-r.r2ZSSLErrorNumbercCr1)NZ SSL_ERROR_r(r*r,r,r-r.r2 VerifyFlagscCr1)NZVERIFY_r(r*r,r,r-r.r2 VerifyModecCr1)NZCERT_r(r*r,r,r-r.r2cCsi|]\}}||qSr,r,).0r+valuer,r,r- sr7ZPROTOCOL_SSLv2c@s6eZdZejZejZejZ ej Z ej Z ejZejZdS) TLSVersionN)__name__ __module__ __qualname___sslZPROTO_MINIMUM_SUPPORTEDZMINIMUM_SUPPORTEDZ PROTO_SSLv3SSLv3Z PROTO_TLSv1ZTLSv1Z PROTO_TLSv1_1ZTLSv1_1Z PROTO_TLSv1_2ZTLSv1_2Z PROTO_TLSv1_3ZTLSv1_3ZPROTO_MAXIMUM_SUPPORTEDZMAXIMUM_SUPPORTEDr,r,r,r-r8s r8c@s&eZdZ dZdZdZdZdZdZdS)_TLSContentTypeN) r9r:r;CHANGE_CIPHER_SPECALERTZ HANDSHAKEZAPPLICATION_DATAHEADERZINNER_CONTENT_TYPEr,r,r,r-r>sr>c@seZdZ dZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#S)$ _TLSAlertTyper r?r@rA()*+,-./0123<FGPVZdmnopqrstxN)%r9r:r;Z CLOSE_NOTIFYZUNEXPECTED_MESSAGEZBAD_RECORD_MACZDECRYPTION_FAILEDZRECORD_OVERFLOWZDECOMPRESSION_FAILUREZHANDSHAKE_FAILUREZNO_CERTIFICATEZBAD_CERTIFICATEZUNSUPPORTED_CERTIFICATEZCERTIFICATE_REVOKEDZCERTIFICATE_EXPIREDZCERTIFICATE_UNKNOWNZILLEGAL_PARAMETERZ UNKNOWN_CAZ ACCESS_DENIEDZ DECODE_ERRORZ DECRYPT_ERRORZEXPORT_RESTRICTIONZPROTOCOL_VERSIONZINSUFFICIENT_SECURITYZINTERNAL_ERRORZINAPPROPRIATE_FALLBACKZ USER_CANCELEDZNO_RENEGOTIATIONZMISSING_EXTENSIONZUNSUPPORTED_EXTENSIONZCERTIFICATE_UNOBTAINABLEZUNRECOGNIZED_NAMEZBAD_CERTIFICATE_STATUS_RESPONSEZBAD_CERTIFICATE_HASH_VALUEZUNKNOWN_PSK_IDENTITYZCERTIFICATE_REQUIREDZNO_APPLICATION_PROTOCOLr,r,r,r-rHsHrHc@sfeZdZ dZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdS)_TLSMessageTyper r?r@rArBCrDN)r9r:r;Z HELLO_REQUESTZ CLIENT_HELLOZ SERVER_HELLOZHELLO_VERIFY_REQUESTZNEWSESSION_TICKETZEND_OF_EARLY_DATAZHELLO_RETRY_REQUESTZENCRYPTED_EXTENSIONSZ CERTIFICATEZSERVER_KEY_EXCHANGEZCERTIFICATE_REQUESTZ SERVER_DONEZCERTIFICATE_VERIFYZCLIENT_KEY_EXCHANGEFINISHEDZCERTIFICATE_URLZCERTIFICATE_STATUSZSUPPLEMENTAL_DATAZ KEY_UPDATEZ NEXT_PROTOZ MESSAGE_HASHrEr,r,r,r-rgs0rgwin32)enum_certificates enum_crls)socket SOCK_STREAMcreate_connection) SOL_SOCKETSO_TYPE_GLOBAL_DEFAULT_TIMEOUT tls-uniqueHOSTFLAG_NEVER_CHECK_SUBJECTcCs |sdS|d}|s||kS|dkrtd||d\}}}d|vr2td||s;td||dkrFtd||d\}}}|rR|sTdS||kS) NF*rhz1too many wildcards in certificate DNS name: {!r}..z9wildcard can only be present in the leftmost label: {!r}.z>sole wildcard without additional labels are not support: {!r}.z.shim_cb)Z sni_callbackcallable TypeError)rrrr,rr-set_servername_callback%s   z"SSLContext.set_servername_callbackcCs`t}|D]#}t|d}t|dkst|dkrtd|t|||q||dS)Nrrrz)ALPN protocols must be 1 to 255 in length)rrrr rrZ_set_alpn_protocols)rZalpn_protocolsrrrr,r,r-set_alpn_protocols2s  zSSLContext.set_alpn_protocolscCstt}zt|D]\}}}|dkr|dus|j|vr||qWnty/tdYnw|r8|j|d|S)NZx509_asnTz-unable to enumerate Windows certificate store)cadata)rrzrrPermissionErrorrrload_verify_locations)r storenamepurposeZcertsrencodingZtrustr,r,r-_load_windows_store_certs=s   z$SSLContext._load_windows_store_certscCs@t|ts t|tjdkr|jD]}|||q|dS)Nry)rrrsysplatform_windows_cert_storesrZset_default_verify_paths)rrrr,r,r-load_default_certsKs    zSSLContext.load_default_certsminimum_versionc ttjSr)r8rrrrr,r-rT zSSLContext.minimum_versioncs4|tjkr|jtjM_tttj||dSr) r8r=optionsr0Z OP_NO_SSLv3rrr__set__rr6rr,r-rXs crr)r8rmaximum_versionrrr,r-r^rzSSLContext.maximum_versionctttj||dSr)rrrrrrr,r-rbcrr)r0rrrrr,r-rfrzSSLContext.optionscrr)rrrrrrr,r-rjrrcCs|jtj@}|tjkSrZ _host_flagsr<r)rZncsr,r,r-hostname_checks_common_nameos  z&SSLContext.hostname_checks_common_namecCs.|r |jtjM_dS|jtjO_dSrr rr,r,r-r tscCsdSNTr,rr,r,r-r {cs tj}|dur |jSdSr)r _msg_callback user_function)rinnerrr,r-r s zSSLContext._msg_callbackcsbdurtttj|ddStdstdfdd}|_tttj||dS)N__call__z is not callable.cszt|}Wn tyYnwzt|}Wn tyYnw|tjkr(t}n |tjkr0t}nt}z||}Wn tyAYnw||||||Sr)r8rr>rGrFrHrg)conn directionversionZ content_typeZmsg_typedataZmsg_enumcallbackr,r-rs.        z'SSLContext._msg_callback..inner)rrr rhasattrrr)rrrrrr-r s  crr)r&rrrrr,r-rrzSSLContext.protocolcrr)r3r verify_flagsrrr,r-rrzSSLContext.verify_flagscrr)rrrrrrr,r-rrcs*tj}zt|WSty|YSwr)r verify_moder4rrrr,r-rs   zSSLContext.verify_modecrr)rrrrrrr,r-rrr)FTTNN)FNN)r9r:r;rrrrrrrrrrrrrrrr propertyrsetterrrr<r r rrrrr,r,rr-rsl            &%r)rrrcCs t|ts t||tjkrtt}t|_d|_ n|tj kr$tt }nt ||s.|s.|r6| |||n |jtkr@||t|drTtjd}|rTtjjsT||_|S)NTkeylog_filename SSLKEYLOGFILE)rrrrrrPROTOCOL_TLS_CLIENT CERT_REQUIREDrcheck_hostnamerPROTOCOL_TLS_SERVERrr CERT_NONErrrrrrflagsignore_environmentr)rrrrr keylogfiler,r,r-create_default_contexts&          r&F) cert_reqsr rcertfilekeyfilerrrc Cs t|ts t||tjkr|durt}n|tjkr"|dur!t}nt|t |} || _ |dur4|| _ |r9d| _ |rA|sAtd|sE|rK| |||sQ|sQ|rY| |||n | j tkrc| |t| drwtjd} | rwtjjsw| | _| S)NTcertfile must be specifiedrr)rrrrrrrr!rrr rload_cert_chainrr"rrrrrrr#r$r) rr'r rr(r)rrrrr%r,r,r-_create_unverified_context s>          r,c@seZdZ ddZe  d1ddZeddZejd dZed d Z e jd d Z ed dZ eddZ eddZ d2ddZ ddZd3ddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd4d+d,Zd-d.Zd/d0ZdS)5 SSLObjectcOt|jjd)NzU does not have a public constructor. Instances are returned by SSLContext.wrap_bio().rrr9rrrr,r,r-__init__X zSSLObject.__init__FNc Cs*||}|j||||||d}||_|S)N)rrownerr)rZ _wrap_bio_sslobj) rrrrrrrrrr,r,r-r^s zSSLObject._createcC |jjSrr4rrr,r,r-rjzSSLObject.contextcC ||j_dSrr6rctxr,r,r-rorcCr5rr4rrr,r,r-rsr7zSSLObject.sessioncCr8rr;rrr,r,r-rxrcCr5rr4session_reusedrr,r,r-r>|r7zSSLObject.session_reusedcCr5r)r4rrr,r,r-rr7zSSLObject.server_sidecCr5r)r4rrr,r,r-rszSSLObject.server_hostnamecCs, |dur|j||}|S|j|}|Sr)r4read)rrbuffervr,r,r-r@s  zSSLObject.readcC |j|Sr)r4writerrr,r,r-rDs zSSLObject.writecCrCr)r4 getpeercertrZ binary_formr,r,r-rFs zSSLObject.getpeercertcCs tjdtdddSNrrir)rrrrr,r,r-selected_npn_protocols  zSSLObject.selected_npn_protocolcC |jSr)r4selected_alpn_protocolrr,r,r-rK z SSLObject.selected_alpn_protocolcCrJr)r4cipherrr,r,r-rM zSSLObject.ciphercCrJr)r4shared_ciphersrr,r,r-rOrLzSSLObject.shared_cipherscCrJr)r4 compressionrr,r,r-rPrNzSSLObject.compressioncCrJr)r4pendingrr,r,r-rQ zSSLObject.pendingcCs |jdSr)r4 do_handshakerr,r,r-rSszSSLObject.do_handshakecCrJr)r4shutdownrr,r,r-unwraprRzSSLObject.unwraprcCrCr)r4get_channel_bindingrZcb_typer,r,r-rVs zSSLObject.get_channel_bindingcCrJrr4rrr,r,r-rrNzSSLObject.versioncCs |jSr)r4verify_client_post_handshakerr,r,r-rYs z&SSLObject.verify_client_post_handshake)FNNNr?NFr)r9r:r;r1rrrrrrr>rrr@rDrFrIrKrMrOrPrQrSrUrVrrYr,r,r,r-r-IsF              r-cCs tt|jj|_|Sr)getattrr-r9__doc__)funcr,r,r- _sslcopydocsr`cseZdZ ddZe   dWfdd Zeedd Zej d d Zeed d Z e j d d Z eeddZ ddZ dXddZ ddZdYddZddZedZddZeddZedd Zed!d"Zed#d$Zed%d&Zd[fd(d) ZdXfd*d+ Zd,d-Zd[fd.d/ Zd\fd0d1 Zd]fd2d3 Zd^fd4d5 Zd]fd6d7 Zd^fd8d9 Zd:d;Z dd?Z"fd@dAZ#edBdCZ$edDdEZ%fdFdGZ&edZdHdIZ'fdJdKZ(dLdMZ)dNdOZ*fdPdQZ+ed_dSdTZ,edUdVZ-Z.S)` SSLSocketcOr.)NzX does not have a public constructor. Instances are returned by SSLContext.wrap_socket().r/r0r,r,r-r1r2zSSLSocket.__init__FTNc s|tttkr td|r|rtd|durtd|jr%|s%tdt|j|j |j | d}|j |fi|} t t| jd i|| |||| _|| _d| _d| _|| _||| _|| _|| _z| Wnty} z| jtjkrd} WYd} ~ nd} ~ wwd} | | _ | rz&| jj!| || j| | jd| _|r| } | d krtd | "W| SW| Sttfy| #w| S) Nz!only stream sockets are supportedz4server_hostname can only be specified in client modez,session can only be specified in client modez'check_hostname requires server_hostname)familytypeprotofilenoFTr3rzHdo_handshake_on_connect should not be specified for non-blocking socketsr,)$ getsockoptrrr}NotImplementedErrorrr dictrbrcrdrerrrar1 settimeout gettimeoutdetach_context_session_closedr4rrrrr getpeernamererrnoZENOTCONN _connected _wrap_socketrSclose) rrrrrrrrrreZ connectedtimeoutrr,r-rsl       zSSLSocket._createcCs|jSr)rnrr,r,r-r5szSSLSocket.contextcCs||_||j_dSr)rnr4rr9r,r,r-r:s cC|jdur |jjSdSrr;rr,r,r-r? zSSLSocket.sessioncCs ||_|jdur||j_dSdSr)ror4rr<r,r,r-rEs  cCrxrr=rr,r,r-r>KryzSSLSocket.session_reusedcCstd|jj)NzCan't dup() %s instances)rirr9rr,r,r-dupQsz SSLSocket.dupcCsdSrr,)rmsgr,r,r- _checkClosedUr zSSLSocket._checkClosedcCs|js |dSdSr)rsrqrr,r,r-_check_connectedYs zSSLSocket._check_connectedr?c Cs ||jdurtdz|dur|j||WS|j|WStyJ}z|jdtkrE|jrE|dur>WYd}~dSWYd}~dSd}~ww)Nz'Read on closed or unwrapped SSL socket.r)r|r4rr@r rZ SSL_ERROR_EOFr)rrrAxr,r,r-r@as  zSSLSocket.readcCs( ||jdurtd|j|S)Nz(Write on closed or unwrapped SSL socket.)r|r4rrDrEr,r,r-rDvs   zSSLSocket.writecCs|||j|Sr)r|r}r4rFrGr,r,r-rFs zSSLSocket.getpeercertcCs|tjdtdddSrH)r|rrrrr,r,r-rIszSSLSocket.selected_npn_protocolcCs&||jdus tjsdS|jSr)r|r4r<rrKrr,r,r-rKs z SSLSocket.selected_alpn_protocolcC ||jdur dS|jSr)r|r4rMrr,r,r-rM  zSSLSocket.ciphercCrr)r|r4rOrr,r,r-rOrzSSLSocket.shared_cipherscCrr)r|r4rPrr,r,r-rPrzSSLSocket.compressionrcsB||jdur|dkrtd|j|j|St||S)Nrz3non-zero flags not allowed in calls to send() on %s)r|r4rrrDrsend)rrr#rr,r-rs  zSSLSocket.sendcsF||jdurtd|j|durt||St|||S)Nz%sendto not allowed on instances of %s)r|r4rrrsendto)rrZ flags_or_addrrrr,r-rs zSSLSocket.sendtocOtd|j)Nz&sendmsg not allowed on instances of %srirr0r,r,r-sendmsgszSSLSocket.sendmsgc s||jdurc|dkrtd|jd}t|?}|d!}t|}||kr:|||d}||7}||ks)Wdn1sDwYWddSWddS1s\wYdSt ||S)Nrz6non-zero flags not allowed in calls to sendall() on %sB) r|r4rr memoryviewcastrrrsendall)rrr#rview byte_viewamountrBrr,r-rs$ PzSSLSocket.sendallcs* |jdur ||||St|||Sr)r4_sendfile_use_sendrsendfile)rfileoffsetrrr,r-rs zSSLSocket.sendfilecs@||jdur|dkrtd|j||St||S)Nrz3non-zero flags not allowed in calls to recv() on %s)r|r4rrr@rrecvrbuflenr#rr,r-rs  zSSLSocket.recvcsf||r|durt|}n|durd}|jdur+|dkr%td|j|||St|||S)Nr?rz8non-zero flags not allowed in calls to recv_into() on %s)r|rr4rrr@r recv_intorrAnbytesr#rr,r-rs    zSSLSocket.recv_intocs.||jdurtd|jt||S)Nz'recvfrom not allowed on instances of %s)r|r4rrrrecvfromrrr,r-rs  zSSLSocket.recvfromcs0||jdurtd|jt|||S)Nz,recvfrom_into not allowed on instances of %s)r|r4rrr recvfrom_intorrr,r-rs  zSSLSocket.recvfrom_intocOr)Nz&recvmsg not allowed on instances of %srr0r,r,r-recvmsgzSSLSocket.recvmsgcOr)Nz+recvmsg_into not allowed on instances of %srr0r,r,r- recvmsg_intorzSSLSocket.recvmsg_intocCs ||jdur|jSdSNr)r|r4rQrr,r,r-rQs  zSSLSocket.pendingcs|d|_t|dSr)r|r4rrT)rhowrr,r-rTszSSLSocket.shutdowncCs*|jr |j}d|_|Stdt|NzNo SSL wrapper around )r4rTrr)rsr,r,r-rU#s  zSSLSocket.unwrapcCs |jr|jStdt|r)r4rYrrrr,r,r-rY,s z&SSLSocket.verify_client_post_handshakecsd|_tdSr)r4r _real_closerrr,r-r3szSSLSocket._real_closec CsN||}z|dkr|r|d|jW||dS||w)Nrg)r}rlrkr4rS)rblockrwr,r,r-rS7s   zSSLSocket.do_handshakec s|jrtd|js|jdurtd|jj|d|j||jd|_z |r+t |}nd}t ||s?d|_|j r?| |WSt tfyNd|_w)Nz!can't connect in server-side modez/attempt to connect already-connected SSLSocket!FrfT)rrrsr4rrtrror connect_exconnectrrSr)rrrrcrr,r- _real_connectBs, zSSLSocket._real_connectcCs ||ddS)NFrrrr,r,r-r\szSSLSocket.connectcCs ||dSr rrr,r,r-ras zSSLSocket.connect_excs0 t\}}|jj||j|jdd}||fS)NT)rrr)racceptrrrr)rZnewsockrrr,r-rfszSSLSocket.acceptrcCs0|jdur |j|S|tvrtd|dS)Nz({0} channel binding type not implemented)r4rVCHANNEL_BINDING_TYPESrrrWr,r,r-rVrs  zSSLSocket.get_channel_bindingcCs|jdur |jSdSrrXrr,r,r-r}s  zSSLSocket.version)FTTNNNrrZr[)r)rN)r?rrr\)/r9r:r;r1rrrr`rrrr>rzr|r}r@rDrFrIrKrMrOrPrrrrrrrrrrrrQrTrUrYrrSrrrrrVrrr,r,rr-ras>                           raTc Cs|tjdtdd|r|std|r|stdt|} || _|r&| ||r.| ||| r5| | | j ||||dS)Nz=ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()rirz5certfile must be specified for server-side operationsr*)rrrr) rrrrrrrr+Z set_ciphersr) rr)r(rr' ssl_versionca_certsrrZciphersrr,r,r-rs,   rcCs ddlm}ddlm}d}d}z||ddd}Wnty/td||fw||dd|}||d|f|d d S) Nr)strptime)timegm) ZJanZFebZMarZAprZMayZJunZJulZAugZSepZOctZNovZDecz %d %H:%M:%S %Y GMTrjrhz*time data %r does not match format "%%b%s"rirm)timerZcalendarrindextitler)Z cert_timerrZmonthsZ time_formatZ month_numberttr,r,r-cert_time_to_secondss  rz-----BEGIN CERTIFICATE-----z-----END CERTIFICATE-----csT tt|ddtg}|fddtdtdD7}|tdd|S)NASCIIstrictcsg|] }||dqS)@r,)r5ifr,r- sz(DER_cert_to_PEM_cert..rr ) rbase64Zstandard_b64encode PEM_HEADERrangerr PEM_FOOTERr)Zder_cert_bytesssr,rr-DER_cert_to_PEM_certs " rcCs^ |ts tdt|tstdt|tttt }t| ddS)Nz(Invalid PEM encoding; must start with %sz&Invalid PEM encoding; must end with %srr) r)rrstripendswithrrrZ decodebytesr)Zpem_cert_stringdr,r,r-PEM_cert_to_DER_certs rc Cs |\}}|dur t}nt}t|||d}t||d1}|j||d } | d} Wdn1s3wYWdt| SWdt| S1sOwYt| S)N)r'r)rw)rT)rr"_create_stdlib_contextr~rrFr) rrrrwhostportr'rrZsslsockZdercertr,r,r-get_server_certificates(   rcCs t|dS)Nz )_PROTOCOL_NAMESr)Z protocol_coder,r,r-get_protocol_names rr)nrr collectionsrenumrZ_Enumr_IntEnumrZ_IntFlagr<rrrr r r r r rrrrrrrrrrrrrr ImportErrorrrrrrrr r!r"r#r$r% _convert_r9r&rr' __members__itemsrr]Z_SSLv2_IF_EXISTSr8r>rHrgrrzr{r|r}r~rrrrrrrrrZ socket_errorrrZHAS_NEVER_CHECK_COMMON_NAMEZ_RESTRICTED_SERVER_CIPHERSrrrrrrrrrrrr&r"r,Z_create_default_https_contextrr-r`rarrrrrrrrrrrr,r,r,r-sZ $ 0   )  1# > & 7