Spade
Mini Shell
3
k��hݭ�@spdZddlZddlZddlZddlZddlZddlmZddlm Z
m
Z
m
ZddlZddlmZmZmZddlmZmZmZddlmZmZmZmZmZmZddlm
Z
m
Z dd lm
Z m!Z!m"Z"m#Z#ydd
lm$Z$Wne%k
r�YnXdd
lm&Z&m'Z'm(Z(m)Z)m*Z*dd
lm+Z+dd
lm,Z,e
j-de.dd�ed�ej-de.dd�ed�e
j-de.dd�ed�e
j-de.dd�ed�ej-de.dd�ed�e
j-de.dd�ed�e/j0Z1e/_1d
d
�e/j2j3�D�Z4e5e/d
d�Z6ej7d k�r�dd
lm8Z8m9Z9dd!l:m:Z:m;Z;m<Z<m=Z=dd"l:m>Z>m?Z?ddl@Z@ddlAZAddlBZBeCZDejE�r>d#gZFngZFe+ZGGd$d%�d%eH�ZIdRd'd(�ZJd)d*�ZKd+d,�ZLed-d.�ZMd/d0�ZNGd1d2�d2ed2d3��ZOGd4d5�d5eOe
�ZPGd6d7�d7e�ZQePjRfdddd8�d9d:�ZSe0feTd;ePjRdddddd<�d=d>�ZUeSZVeUZWGd?d@�d@�ZXGdAdB�dBe:�ZYddd;eTe0ddCdCdf dDdE�ZZdFdG�Z[dHZ\dIZ]dJdK�Z^dLdM�Z_e0dfdNdO�Z`dPdQ�ZadS)Sa�
This module provides some more Pythonic support for SSL.
Object types:
SSLSocket -- subtype of socket.socket which does SSL over the socket
Exceptions:
SSLError -- exception raised for I/O errors
Functions:
cert_time_to_seconds -- convert time string used for certificate
notBefore and notAfter functions to integer
seconds past the Epoch (the time values
returned from time.time())
fetch_server_certificate (HOST, PORT) -- fetch the certificate provided
by the server running on HOST at port PORT. No
validation of the certificate is performed.
Integer constants:
SSL_ERROR_ZERO_RETURN
SSL_ERROR_WANT_READ
SSL_ERROR_WANT_WRITE
SSL_ERROR_WANT_X509_LOOKUP
SSL_ERROR_SYSCALL
SSL_ERROR_SSL
SSL_ERROR_WANT_CONNECT
SSL_ERROR_EOF
SSL_ERROR_INVALID_ERROR_CODE
The following group define certificate requirements that one side is
allowing/requiring from the other side:
CERT_NONE - no certificates from the other side are required (or will
be looked at if provided)
CERT_OPTIONAL - certificates are not required, but if provided will be
validated, and if validation fails, the connection will
also fail
CERT_REQUIRED - certificates are required, and will be validated, and
if validation fails, the connection will also fail
The following constants identify various SSL protocol variants:
PROTOCOL_SSLv2
PROTOCOL_SSLv3
PROTOCOL_SSLv23
PROTOCOL_TLS
PROTOCOL_TLS_CLIENT
PROTOCOL_TLS_SERVER
PROTOCOL_TLSv1
PROTOCOL_TLSv1_1
PROTOCOL_TLSv1_2
The following constants identify various SSL alert message descriptions as
per
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
ALERT_DESCRIPTION_CLOSE_NOTIFY
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE
ALERT_DESCRIPTION_BAD_RECORD_MAC
ALERT_DESCRIPTION_RECORD_OVERFLOW
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE
ALERT_DESCRIPTION_HANDSHAKE_FAILURE
ALERT_DESCRIPTION_BAD_CERTIFICATE
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE
ALERT_DESCRIPTION_CERTIFICATE_REVOKED
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN
ALERT_DESCRIPTION_ILLEGAL_PARAMETER
ALERT_DESCRIPTION_UNKNOWN_CA
ALERT_DESCRIPTION_ACCESS_DENIED
ALERT_DESCRIPTION_DECODE_ERROR
ALERT_DESCRIPTION_DECRYPT_ERROR
ALERT_DESCRIPTION_PROTOCOL_VERSION
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY
ALERT_DESCRIPTION_INTERNAL_ERROR
ALERT_DESCRIPTION_USER_CANCELLED
ALERT_DESCRIPTION_NO_RENEGOTIATION
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE
ALERT_DESCRIPTION_UNRECOGNIZED_NAME
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY
�N)�
namedtuple)�Enum�IntEnum�IntFlag)�OPENSSL_VERSION_NUMBER�OPENSSL_VERSION_INFO�OPENSSL_VERSION)�
_SSLContext� MemoryBIO�
SSLSession)�SSLError�SSLZeroReturnError�SSLWantReadError�SSLWantWriteError�SSLSyscallError�
SSLEOFError)�txt2obj�nid2obj)�
RAND_status�RAND_add�
RAND_bytes�RAND_pseudo_bytes)�RAND_egd)�HAS_SNI�HAS_ECDH�HAS_NPN�HAS_ALPN�
HAS_TLSv1_3)�_DEFAULT_CIPHERS)�_OPENSSL_API_VERSION�
_SSLMethodcCs|jd�o|dkS)NZ PROTOCOL_�PROTOCOL_SSLv23)�
startswith)�name�r$�/usr/lib64/python3.6/ssl.py�<lambda>}sr&)�source�OptionscCs
|jd�S)NZOP_)r")r#r$r$r%r&�sZAlertDescriptioncCs
|jd�S)NZALERT_DESCRIPTION_)r")r#r$r$r%r&�sZSSLErrorNumbercCs
|jd�S)NZ
SSL_ERROR_)r")r#r$r$r%r&�s�
VerifyFlagscCs
|jd�S)NZVERIFY_)r")r#r$r$r%r&�s�
VerifyModecCs
|jd�S)NZCERT_)r")r#r$r$r%r&�scCsi|]\}}||�qSr$r$)�.0r#�valuer$r$r%�
<dictcomp>�sr-ZPROTOCOL_SSLv2�win32)�enum_certificates� enum_crls)�socket�AF_INET�
SOCK_STREAM�create_connection)�
SOL_SOCKET�SO_TYPEz
tls-uniquec@s
eZdZdS)�CertificateErrorN)�__name__�
__module__�
__qualname__r$r$r$r%r7�sr7�c Cs�g}|s
dS|jd�^}}|jd�}||kr<tdt|���|sP|j�|j�kS|dkrd|jd�n>|jd�sx|jd�r�|jtj|��n|jtj|�j dd��x
|D]}|jtj|��q�Wtj
d d
j
|�d
tj
�}|j
|�S)
zhMatching according to RFC 6125,
section 6.4.3
http://tools.ietf.org/html/rfc6125#section-6.4.3
F�.�*z,too many wildcards in certificate DNS name:
z[^.]+zxn--z\*z[^.]*z\Az\.z\Z)�split�countr7�repr�lower�appendr"�re�escape�replace�compile�join�
IGNORECASE�match) Zdn�hostnameZ
max_wildcardsZpatsZleftmostZ remainderZ wildcardsZfragZpatr$r$r%�_dnsname_match�s&
rKcCstj|j��}||kS)z�Exact matching of IP addresses.
RFC 6125 explicitly doesn't define an algorithm for this
(section 1.7.2 - "Out of Scope").
)� ipaddress�
ip_address�rstrip)Zipname�host_ipZipr$r$r%�_ipaddress_match�srPcCsP|s
td��ytj|�}Wntk
r2d}YnXg}|jdf�}xb|D]Z\}}|dkr||dkrpt||�rpdS|j|�qJ|dkrJ|dk r�t||�r�dS|j|�qJW|s�xF|jdf�D]6}x0|D](\}}|dkr�t||�r�dS|j|�q�Wq�Wt|�dk�r
td |d
j t
t
|��f��n,t|�dk�rDtd
||d
f��ntd
��dS)a)Verify
that *cert* (in decoded format as returned by
SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
rules are followed, but IP addresses are not accepted for *hostname*.
CertificateError is raised on failure. On success, the function
returns nothing.
ztempty or no certificate, match_hostname needs a SSL socket or SSL
context with either CERT_OPTIONAL or CERT_REQUIREDNZsubjectAltNameZDNSz
IP AddressZsubjectZ
commonNamer;z&hostname %r doesn't match either of %sz, z
hostname
%r doesn't match %rrz=no appropriate commonName or subjectAltName
fields were found)
�
ValueErrorrLrM�getrKrBrP�lenr7rG�mapr@)�certrJrOZdnsnamesZsan�keyr,�subr$r$r%�match_hostname�s>
rX�DefaultVerifyPathszQcafile capath openssl_cafile_env
openssl_cafile openssl_capath_env
openssl_capathcCsdtj�}tjj|d|d�}tjj|d|d�}ttjj|�rF|ndtjj|�rX|ndf|��S)z/Return
paths to default cafile and capath.
rr;��N) �_ssl�get_default_verify_paths�os�environrRrY�path�isfile�isdir)�parts�cafile�capathr$r$r%r]-s
r]csDeZdZdZfZ�fdd�Ze�fdd��Ze�fdd��Z�Z S)�
_ASN1Objectz#ASN.1
object identifier lookup
cst�j|ft|dd���S)NF)r#)�super�__new__�_txt2obj)�cls�oid)� __class__r$r%rh@sz_ASN1Object.__new__cst�j|ft|���S)z3Create
_ASN1Object from OpenSSL numeric ID
)rgrh�_nid2obj)rjZnid)rlr$r%�fromnidCsz_ASN1Object.fromnidcst�j|ft|dd���S)z=Create
_ASN1Object from short name, long name or OID
T)r#)rgrhri)rjr#)rlr$r%�fromnameIsz_ASN1Object.fromname)
r8r9r:�__doc__� __slots__rh�
classmethodrnro�
__classcell__r$r$)rlr%rf;s
rfznid shortname longname
oidc@seZdZdZdZdZdS)�PurposezDSSLContext purpose flags with
X509v3 Extended Key Usage objects
z1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2N)r8r9r:rp�
SERVER_AUTHZ
CLIENT_AUTHr$r$r$r%rtPsrtcs�eZdZdZd"Zd#Zefdd�Zefdd �Zd$d
d�Z d%dd�Z
dd�Z
dd�Z
dd�Z
ejfdd�Ze�fdd��Zej�fdd��Ze�fd
d
��Zej�fd
d
��Ze�fd d
��Zej�fd!d ��Z�ZS)&�
SSLContextz|An SSLContext holds various SSL-related configuration options
and
data, such as certificates and possibly a private
key.�protocol�
__weakref__�CA�ROOTcOstj||�}|S)N)r rh)rjrw�args�kwargs�selfr$r$r%rh^s
zSSLContext.__new__cCs
||_dS)N)rw)r}rwr$r$r%�__init__bszSSLContext.__init__FTNc Cst|||||||d�S)N)�sock�
server_side�do_handshake_on_connect�suppress_ragged_eofs�server_hostname�_context�_session)� SSLSocket)r}rr�r�r�r��sessionr$r$r%�
wrap_socketes
zSSLContext.wrap_socketcCs
|j||||d�}t||d�S)N)r�r�)r�)Z _wrap_bio� SSLObject)r}ZincomingZoutgoingr�r�r��sslobjr$r$r%�wrap_bioos
zSSLContext.wrap_biocCsdt�}xN|D]F}t|d�}t|�dks2t|�dkr:td��|jt|��|j|�q
W|j|�dS)N�asciir�z(NPN
protocols must be 1 to 255 in
length)� bytearray�bytesrSr
rB�extendZ_set_npn_protocols)r}�
npn_protocols�protosrw�br$r$r%�set_npn_protocolsus
z
SSLContext.set_npn_protocolscCsdt�}xN|D]F}t|d�}t|�dks2t|�dkr:td��|jt|��|j|�q
W|j|�dS)Nr�rr�z)ALPN
protocols must be 1 to 255 in
length)r�r�rSr
rBr�Z_set_alpn_protocols)r}Zalpn_protocolsr�rwr�r$r$r%�set_alpn_protocols�s
z
SSLContext.set_alpn_protocolsc
Cszt�}y@x:t|�D].\}}}|dkr|dks6|j|kr|j|�qWWn
tk
rdtjd�YnX|rv|j|d�|S)NZx509_asnTz-unable to enumerate
Windows certificate
store)�cadata)r�r/rkr��PermissionError�warnings�warn�load_verify_locations)r}� storename�purposeZcertsrU�encodingZtrustr$r$r%�_load_windows_store_certs�s
z$SSLContext._load_windows_store_certscCsDt|t�st|��tjdkr8x|jD]}|j||�q$W|j�dS)Nr.)�
isinstancerf� TypeError�sys�platform�_windows_cert_storesr�Zset_default_verify_paths)r}r�r�r$r$r%�load_default_certs�s
z
SSLContext.load_default_certscs
tt�j�S)N)r(rg�options)r})rlr$r%r��szSSLContext.optionscsttt�jj||�dS)N)rgrvr��__set__)r}r,)rlr$r%r��scs
tt�j�S)N)r)rg�
verify_flags)r})rlr$r%r��szSSLContext.verify_flagscsttt�jj||�dS)N)rgrvr�r�)r}r,)rlr$r%r��sc
s*t�j}yt|�Stk
r$|SXdS)N)rg�
verify_moder*rQ)r}r,)rlr$r%r��s
zSSLContext.verify_modecsttt�jj||�dS)N)rgrvr�r�)r}r,)rlr$r%r��s)rwrx)ryrz)FTTNN)FNN)r8r9r:rprqr��
PROTOCOL_TLSrhr~r�r�r�r�r�rtrur��propertyr��setterr�r�rsr$r$)rlr%rvWs*
rv)rdrer�cCsdt|t�st|��tt�}|tjkr0t|_d|_ |s<|s<|rL|j
|||�n|jt
kr`|j
|�|S)z�Create a SSLContext object with
default settings.
NOTE: The protocol and settings may change anytime without prior
deprecation. The values represent a fair balance between maximum
compatibility and security.
T)
r�rfr�rvr�rtru�
CERT_REQUIREDr��check_hostnamer�� CERT_NONEr�)r�rdrer��contextr$r$r%�create_default_context�s
r�F)� cert_reqsr�r��certfile�keyfilerdrer�c
Cs�t|t�st|��t|�} |s$d| _|dk r2|| _|r<d| _|rN|
rNtd��|sV|rb| j||�|sn|sn|r~| j|||�n| jt kr�| j
|�| S)a/Create a SSLContext object for Python stdlib modules
All Python stdlib modules shall use this function to create SSLContext
objects in order to keep common settings in one place. The
configuration
is less restrict than create_default_context()'s to increase
backward
compatibility.
FNTzcertfile must be
specified)
r�rfr�rvr�r�rQ�load_cert_chainr�r�r�)
rwr�r�r�r�r�rdrer�r�r$r$r%�_create_unverified_context�s$
r�c@s�eZdZdZd0dd�Zedd��Zejdd��Zedd ��Zejd
d ��Zed
d
��Z ed
d��Z
edd��Z
d1dd�Z
dd�Z
d2dd�Zdd�Zdd
�Zd
d
�Zd d
�Zd!d"�Zd#d$�Zd%d&�Zd'd(�Zd3d*d+�Zd,d-�Zd.d/�ZdS)4r�aThis
class implements an interface on top of a low-level SSL object as
implemented by OpenSSL. This object captures the state of an SSL
connection
but does not provide any network IO itself. IO needs to be performed
through separate "BIO" objects which are OpenSSL's IO
abstraction layer.
This class does not have a public constructor. Instances are returned
by
``SSLContext.wrap_bio``. This class is typically used by framework
authors
that want to implement asynchronous IO for SSL through memory buffers.
When compared to ``SSLSocket``, this object lacks the following
features:
* Any form of network IO, including methods such as ``recv`` and
``send``.
* The ``do_handshake_on_connect`` and ``suppress_ragged_eofs``
machinery.
NcCs&||_|p
||j_|dk r"||j_dS)N)�_sslobj�ownerr�)r}r�r�r�r$r$r%r~
s
zSSLObject.__init__cCs|jjS)z(The
SSLContext that is currently in
use.)r�r�)r}r$r$r%r�%szSSLObject.contextcCs
||j_dS)N)r�r�)r}�ctxr$r$r%r�*scCs|jjS)z!The
SSLSession for client
socket.)r�r�)r}r$r$r%r�.szSSLObject.sessioncCs
||j_dS)N)r�r�)r}r�r$r$r%r�3scCs|jjS)z.Was
the client session reused during
handshake)r��session_reused)r}r$r$r%r�7szSSLObject.session_reusedcCs|jjS)z%Whether
this is a server-side
socket.)r�r�)r}r$r$r%r�<szSSLObject.server_sidecCs|jjS)z]The
currently set server hostname (for SNI), or ``None`` if no
server hostame is
set.)r�r�)r}r$r$r%r�AszSSLObject.server_hostname�cCs(|dk r|jj||�}n
|jj|�}|S)z�Read
up to 'len' bytes from the SSL object and return them.
If 'buffer' is provided, read into this buffer and return
the number of
bytes read.
N)r��read)r}rS�buffer�vr$r$r%r�Gs
zSSLObject.readcCs
|jj|�S)z�Write
'data' to the SSL object and return the number of bytes
written.
The 'data' argument must support the buffer interface.
)r��write)r}�datar$r$r%r�SszSSLObject.writeFcCs
|jj|�S)z�Returns
a formatted version of the data in the certificate provided
by the other end of the SSL channel.
Return None if no certificate was provided, {} if a certificate was
provided, but not validated.
)r�Zpeer_certificate)r}�
binary_formr$r$r%�
getpeercert[szSSLObject.getpeercertcCstjr|jj�SdS)z�Return
the currently selected NPN protocol as a string, or ``None``
if a next protocol was not negotiated or if NPN is not supported by
one
of the
peers.N)r\rr��selected_npn_protocol)r}r$r$r%r�dsz SSLObject.selected_npn_protocolcCstjr|jj�SdS)z�Return
the currently selected ALPN protocol as a string, or ``None``
if a next protocol was not negotiated or if ALPN is not supported
by one
of the
peers.N)r\r
r��selected_alpn_protocol)r}r$r$r%r�ksz
SSLObject.selected_alpn_protocolcCs
|jj�S)z_Return the currently selected cipher as a 3-tuple ``(name,
ssl_version,
secret_bits)``.)r��cipher)r}r$r$r%r�rszSSLObject.ciphercCs
|jj�S)z�Return a list of ciphers shared by the client during the
handshake or
None if this is not a valid server connection.
)r��shared_ciphers)r}r$r$r%r�wszSSLObject.shared_cipherscCs
|jj�S)z�Return the current compression algorithm in use, or ``None``
if
compression was not negotiated or not supported by one of the
peers.)r��
compression)r}r$r$r%r�}szSSLObject.compressioncCs
|jj�S)z8Return the number of bytes that can be read
immediately.)r��pending)r}r$r$r%r��szSSLObject.pendingcCs4|jj�|jjr0|js
td��t|j�|j�dS)z
Start the SSL/TLS
handshake.z-check_hostname needs server_hostname
argumentN)r��
do_handshaker�r�r�rQrXr�)r}r$r$r%r��s
zSSLObject.do_handshakecCs
|jj�S)z!Start the SSL shutdown
handshake.)r��shutdown)r}r$r$r%�unwrap�szSSLObject.unwrap�
tls-uniquecCs0|tkrtd��|dkr&tdj|���|jj�S)z�Get
channel binding data for current connection. Raise ValueError
if the requested `cb_type` is not supported. Return bytes of the
data
or None if the data is not available (e.g. before the handshake).z
Unsupported channel binding typez
tls-uniquez({0} channel binding type not
implemented)�CHANNEL_BINDING_TYPESrQ�NotImplementedError�formatr�Z
tls_unique_cb)r}�cb_typer$r$r%�get_channel_binding�sz
SSLObject.get_channel_bindingcCs
|jj�S)zZReturn a string identifying the protocol version used by the
current SSL channel.
)r��version)r}r$r$r%r��szSSLObject.versioncCs
|jj�S)N)r��
verify_client_post_handshake)r}r$r$r%r��sz&SSLObject.verify_client_post_handshake)NN)r�N)F)r�)r8r9r:rpr~r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r$r$r$r%r�s.
r�cs�eZdZdZddddeeddeeddddddddfdd�Ze dd ��Z
e
j
d
d ��Z
e d
d
��Z
e
j
d
d
��Z
e dd��Z
dd�ZdVdd�Zdd�ZdWdd�Zdd�ZdXdd
�Zd
d
�Zd d
�Zd!d"�Zd#d$�Zd%d&�ZdYd'd(�ZdZd)d*�Zd+d,�Zd[d-d.�Z
d\�fd/d0� Z
d]d1d2�Z
d^d3d4�Z d_d5d6�Z
d`d7d8�Z!d9d:�Z"d;d<�Z#d=d>�Z$d?d@�Z%dAdB�Z&dCdD�Z'dEdF�Z(dadGdH�Z)dIdJ�Z*dKdL�Z+dMdN�Z,dOdP�Z-dbdRdS�Z.dTdU�Z/�Z0S)cr�z�This
class implements a subtype of socket.socket that wraps
the underlying OS socket in an SSL context when necessary, and
provides read and write methods over that
channel.NFTrc
6Cs:d|_|r||_n�|r$|
r$td��|r6|
r6td��|rD|
rD|}t|�|_||j_|rf|jj|�|rx|jj||�|r�|jj|�|r�|jj|�||_ ||_
||_
||_
||_
||_|jtt�tkr�td��|r�|r�td��|dk r�td��|jj�r|
�rtd��||_||_||_||_|
|_|dk �rftj||j
|j
|j
|j �d�|j
�}|j!�n,|
dk �r�tj||
d�ntj|| |
|
d �y
|j"�Wn�t#k
�r�}z�|j$t$j%k�rd
}|j �d
k}|j&d
�y|j'd
�}Wn>t#k
�r(}z
|j$t$j%t$j(fk�r�d
}WYdd}~XnX|j&|�|�r�d}t)|j$|�}||_*d|_+y
|j,�Wnt#k
�rxYnXz|�Wdd}XWYdd}~XnXd}|j-|�d
|_.d|_||_/|�r6yN|jj0|||�}t1|||jd�|_|�r|j
�}|dk�rtd��|j2�Wn$t#tfk
�r4|j,��YnXdS)Nz5certfile must be specified for server-side
operationszcertfile must be specifiedz!only stream sockets are
supportedz4server_hostname can only be specified in client modez,session
can only be specified in client modez'check_hostname requires
server_hostname)�family�type�proto�fileno)r�)r�r�r�Frr;�z5Closed
before TLS handshake with data in recv
buffer.T)r�r�gzHdo_handshake_on_connect should not be specified for
non-blocking
sockets)3r�r�rQrvr�r�r�r�Z
set_ciphersr�r�r��
ssl_version�ca_certs�ciphersZ
getsockoptr5r6r3r�r�r�r�r�r�r�r1r~r�r�r�r��
gettimeout�detach�
getpeername�OSError�errnoZENOTCONNZ
setblocking�recvZEINVALr
�reasonZlibrary�close�
settimeoutZ_closed�
_connected�
_wrap_socketr�r�)
r}rr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�Z
sock_timeout�eZ connectedZblockingZnotconn_pre_handshake_datar�Z
notconn_pre_handshake_data_errorr��timeoutr$r$r%r~�s�
zSSLSocket.__init__cCs|jS)N)r�)r}r$r$r%r�0szSSLSocket.contextcCs||_||j_dS)N)r�r�r�)r}r�r$r$r%r�4scCs|jdk r|jjSdS)z!The
SSLSession for client socket.N)r�r�)r}r$r$r%r�9s
zSSLSocket.sessioncCs
||_|jdk r||j_dS)N)r�r�r�)r}r�r$r$r%r�?s
cCs|jdk r|jjSdS)z.Was the client session reused during
handshakeN)r�r�)r}r$r$r%r�Es
zSSLSocket.session_reusedcCstd|jj��dS)NzCan't dup()
%s
instances)r�rlr8)r}r$r$r%�dupKsz
SSLSocket.dupcCsdS)Nr$)r}�msgr$r$r%�
_checkClosedOszSSLSocket._checkClosedcCs|js|j�dS)N)r�r�)r}r$r$r%�_check_connectedSszSSLSocket._check_connected�cCst|j�|jstd��y|jj||�Stk
rn}z.|jdtkr\|jr\|dk rVdSdSn�WYdd}~XnXdS)zORead up
to LEN bytes and return them.
Return zero-length string on EOF.z'Read on closed or unwrapped
SSL
socket.rNr�)r�r�rQr�r
r{Z
SSL_ERROR_EOFr�)r}rSr��xr$r$r%r�[szSSLSocket.readcCs"|j�|jstd��|jj|�S)zhWrite
DATA to the underlying SSL channel. Returns
number of bytes of DATA actually transmitted.z(Write on closed or
unwrapped SSL
socket.)r�r�rQr�)r}r�r$r$r%r�mszSSLSocket.writecCs
|j�|j�|jj|�S)z�Returns
a formatted version of the data in the
certificate provided by the other end of the SSL channel.
Return None if no certificate was provided, {} if a
certificate was provided, but not
validated.)r�r�r�r�)r}r�r$r$r%r�vszSSLSocket.getpeercertcCs*|j�|j
stj
r
dS|jj�SdS)N)r�r�r\rr�)r}r$r$r%r��sz SSLSocket.selected_npn_protocolcCs*|j�|j
stj
r
dS|jj�SdS)N)r�r�r\r
r�)r}r$r$r%r��sz
SSLSocket.selected_alpn_protocolcCs
|j�|jsdS|jj�SdS)N)r�r�r�)r}r$r$r%r��szSSLSocket.ciphercCs
|j�|jsdS|jj�S)N)r�r�r�)r}r$r$r%r��szSSLSocket.shared_cipherscCs
|j�|jsdS|jj�SdS)N)r�r�r�)r}r$r$r%r��szSSLSocket.compressioncCsB|j�|jr0|dkr$td|j��|jj|�Stj|||�SdS)Nrz3non-zero
flags not allowed in calls to send() on
%s)r�r�rQrlr�r1�send)r}r��flagsr$r$r%r��s
zSSLSocket.sendcCsH|j�|jr
td|j��n&|dkr4tj|||�Stj||||�SdS)Nz%sendto
not allowed on instances of
%s)r�r�rQrlr1�sendto)r}r�Z
flags_or_addr�addrr$r$r%r��s
zSSLSocket.sendtocOstd|j��dS)Nz&sendmsg
not allowed on instances of
%s)r�rl)r}r{r|r$r$r%�sendmsg�szSSLSocket.sendmsgcCs�|j�|jr�|dkr$td|j��d}t|��L}|jd��6}t|�}x&||krl|j||d��}||7}qHWWdQRXWdQRXntj |||�SdS)Nrz6non-zero
flags not allowed in calls to sendall() on %s�B)
r�r�rQrl�
memoryview�castrSr�r1�sendall)r}r�r�r?ZviewZ byte_viewZamountr�r$r$r%r��s
"zSSLSocket.sendallcs,|jdkrt�j|||�S|j|||�SdS)z�Send
a file, possibly by using os.sendfile() if this is a
clear-text socket. Return the total number of bytes sent.
N)r�rg�sendfileZ_sendfile_use_send)r}�file�offsetr?)rlr$r%r��s
zSSLSocket.sendfilecCs@|j�|jr.|dkr$td|j��|j|�Stj|||�SdS)Nrz3non-zero
flags not allowed in calls to recv() on
%s)r�r�rQrlr�r1r�)r}�buflenr�r$r$r%r��s
zSSLSocket.recvcCsf|j�|r
|dkr
t|�}n
|dkr*d}|jrR|dkrFtd|j��|j||�Stj||||�SdS)Nirz8non-zero
flags not allowed in calls to recv_into() on
%s)r�rSr�rQrlr�r1� recv_into)r}r��nbytesr�r$r$r%r��s
zSSLSocket.recv_intocCs0|j�|jr
td|j��ntj|||�SdS)Nz'recvfrom
not allowed on instances of
%s)r�r�rQrlr1�recvfrom)r}r�r�r$r$r%r��s
zSSLSocket.recvfromcCs2|j�|jr
td|j��ntj||||�SdS)Nz,recvfrom_into
not allowed on instances of
%s)r�r�rQrlr1�
recvfrom_into)r}r�r�r�r$r$r%r��s
zSSLSocket.recvfrom_intocOstd|j��dS)Nz&recvmsg
not allowed on instances of
%s)r�rl)r}r{r|r$r$r%�recvmsgszSSLSocket.recvmsgcOstd|j��dS)Nz+recvmsg_into
not allowed on instances of
%s)r�rl)r}r{r|r$r$r%�
recvmsg_intoszSSLSocket.recvmsg_intocCs
|j�|jr|jj�SdSdS)Nr)r�r�r�)r}r$r$r%r� s
zSSLSocket.pendingcCs
|j�d|_tj||�dS)N)r�r�r1r�)r}Zhowr$r$r%r�szSSLSocket.shutdowncCs.|jr|jj�}d|_|Stdt|���dS)NzNo
SSL wrapper around )r�r�rQ�str)r}�sr$r$r%r�s
zSSLSocket.unwrapcCs$|jr|jj�Stdt|���dS)NzNo SSL
wrapper around )r�r�rQr)r}r$r$r%r�
s
z&SSLSocket.verify_client_post_handshakecCsd|_tj|�dS)N)r�r1�
_real_close)r}r$r$r%r#szSSLSocket._real_closec
CsF|j�|j�}z$|dkr(|r(|jd�|jj�Wd|j|�XdS)z
Perform
a TLS/SSL
handshake.gN)r�r�r�r�r�)r}�blockr�r$r$r%r�'s
zSSLSocket.do_handshakec
Cs�|jrtd��|jr
td��|jj|d|j�}t|||jd�|_y>|rTt j
||�}nd}t j
||�|s|d|_|j
r||j
�|Sttfk
r�d|_�YnXdS)Nz!can't connect in server-side modez/attempt to
connect already-connected
SSLSocket!F)r�r�T)r�rQr�r�r�r�r�r�r�r1�
connect_ex�connectr�r�r�)r}r�rr�Zrcr$r$r%�
_real_connect2s(
zSSLSocket._real_connectcCs|j|d�dS)zQConnects
to remote ADDR, and then wraps the connection in
an SSL
channel.FN)r)r}r�r$r$r%rKszSSLSocket.connectcCs
|j|d�S)zQConnects
to remote ADDR, and then wraps the connection in
an SSL
channel.T)r)r}r�r$r$r%rPszSSLSocket.connect_excCs.tj|�\}}|jj||j|jdd�}||fS)z�Accepts
a new connection from a remote client, and returns
a tuple containing that new connection wrapped with a server-side
SSL channel, and the address of the remote
client.T)r�r�r�)r1�acceptr�r�r�r�)r}Znewsockr�r$r$r%rUs
zSSLSocket.accept�
tls-uniquecCs|jdkrdS|jj|�S)z�Get channel binding data for
current connection. Raise ValueError
if the requested `cb_type` is not supported. Return bytes of the
data
or None if the data is not available (e.g. before the handshake).
N)r�r�)r}r�r$r$r%r�as
z
SSLSocket.get_channel_bindingcCs|jdkrdS|jj�S)z�
Return a string identifying the protocol version used by the
current SSL channel, or None if there is no established channel.
N)r�r�)r}r$r$r%r�js
zSSLSocket.version)N)r�N)F)r)N)r)rN)r�r)Nr)r�r)Nr)F)r )1r8r9r:rpr�r�r2r3r~r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rr�r�r�r�rr�rrrrr�r�rsr$r$)rlr%r��s`|
r�Tc
Cs
t|||||||||| d�
S)N)
rr�r�r�r�r�r�r�r�r�)r�)
rr�r�r�r�r�r�r�r�r�r$r$r%r�ts
r�c
Cs�ddlm}ddlm}d}d}y
|j|dd�j��d}Wn$tk
rbtd||f��Yn0X||dd�|�}||d|f|dd��SdS)a�Return
the time in seconds since the Epoch, given the timestring
representing the "notBefore" or "notAfter" date
from a certificate
in ``"%b %d %H:%M:%S %Y %Z"`` strptime format (C locale).
"notBefore" or "notAfter" dates must use UTC (RFC
5280).
Month is one of: Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
UTC should be specified as GMT (see ASN1_TIME_print())
r)�strptime)�timegm�Jan�Feb�Mar�Apr�May�Jun�Jul�Aug�Sep�Oct�Nov�Decz
%d %H:%M:%S %Y GMTNr[r;z*time data %r does not match format
"%%b%s"rZ�)
r
r
rrrrrrrrrr)Ztimer
Zcalendarr
�index�titlerQ)Z cert_timer
r
ZmonthsZ
time_formatZ
month_numberZttr$r$r%�cert_time_to_seconds�s
rz-----BEGIN CERTIFICATE-----z-----END
CERTIFICATE-----cCs2ttj|�dd�}tdtj|d�dtdS)z[Takes
a certificate in binary DER format and returns the
PEM version of it as a string.�ASCII�strict�
�@)r�base64Zstandard_b64encode�
PEM_HEADER�textwrapZfill�
PEM_FOOTER)Zder_cert_bytes�fr$r$r%�DER_cert_to_PEM_cert�sr%cCs\|jt�stdt��|j�jt�s0tdt��|j�tt�tt�
�}tj|j dd��S)zhTakes
a certificate in ASCII PEM format and returns the
DER-encoded version of it as a byte sequencez(Invalid PEM encoding;
must start with %sz&Invalid PEM encoding; must end with %sr
r
)
r"r!rQ�strip�endswithr#rSr
Z
decodebytes�encode)Zpem_cert_string�dr$r$r%�PEM_cert_to_DER_cert�s
r*c
Csd|\}}|dk rt}nt}t|||d�}t|��&}|j|��}|jd�} WdQRXWdQRXt| �S)z�Retrieve
the certificate from the server at the specified address,
and return it as a PEM-encoded string.
If 'ca_certs' is specified, validate the server cert against
it.
If 'ssl_version' is specified, use it in the connection
attempt.N)r�rdT)r�r��_create_stdlib_contextr4r�r�r%)
r�r�r��hostZportr�r�rZsslsockZdercertr$r$r%�get_server_certificate�s
r-cCs
tj|d�S)Nz <unknown>)�_PROTOCOL_NAMESrR)Z
protocol_coder$r$r%�get_protocol_name�sr/)r;)brprLr"rCr�r^�
collectionsr�enumrZ_EnumrZ_IntEnumrZ_IntFlagr\rrrr r
r
r
r
rrrrrrirrmrrrrr�
ImportErrorrrrr
r
r
r �_convertr8r
r�r!�
__members__�itemsr.�getattrZ_SSLv2_IF_EXISTSr�r/r0r1r2r3r4r5r6r
r�r�r�Z
socket_errorZHAS_TLS_UNIQUEr�Z_RESTRICTED_SERVER_CIPHERSrQr7rKrPrXrYr]rfrtrvrur�r�r�Z
_create_default_https_contextr+r�r�r�rr!r#r%r*r-r/r$r$r$r%�<module>[s�
1
4g
(O