/private/var/folders/cw/wlscbxl13mj6wd668h7l9g9sllkg5j/T/pip-target-b31awkwq/lib/python/urllib3/util/ssl_.py

_const_compare_digest_backport

    Compare two digests of equal length in constant time.

    The digests must be of type str/bytes.
    Returns True if the digests match, and False otherwise.

ALPN_PROTOCOLS

    http/1.1

DEFAULT_CIPHERS (joined with ":")

    ECDHE+AESGCM
    ECDHE+CHACHA20
    DHE+AESGCM
    DHE+CHACHA20
    ECDH+AESGCM
    DH+AESGCM
    ECDH+AES
    DH+AES
    RSA+AESGCM
    RSA+AES
    !aNULL
    !eNULL
    !MD5
    !DSS

SSLContext (fallback class; methods: __init__, load_cert_chain, load_verify_locations, set_ciphers, wrap_socket)

    load_verify_locations raises SSLError with:

        CA directories not supported in older Pythons
        CA data not supported in older Pythons

    wrap_socket emits InsecurePlatformWarning with:

        A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

assert_fingerprint

    Checks if given fingerprint matches the supplied certificate.

    :param cert:
        Certificate as bytes object.
    :param fingerprint:
        Fingerprint as string of hexdigits, can be interspersed by colons.

    Error messages:

        Fingerprint of invalid length: {0}
        Fingerprints did not match. Expected "{0}", got "{1}".

resolve_cert_reqs

    Resolves the argument to a numeric constant, which can be passed to the wrap_socket function/method from the ssl module.
    Defaults to :data:`ssl.CERT_REQUIRED`.
    If given a string it is assumed to be the name of the constant in the :mod:`ssl` module or its abbreviation.
    (So you can specify `REQUIRED` instead of `CERT_REQUIRED`.
    If it's neither `None` nor a string we assume it is already the numeric constant which can directly be passed to wrap_socket.

resolve_ssl_version

    like resolve_cert_reqs

create_urllib3_context

    All arguments have the same meaning as ``ssl_wrap_socket``.

    By default, this function does a lot of the same work that ``ssl.create_default_context`` does on Python 3.4+. It:

    - Disables SSLv2, SSLv3, and compression
    - Sets a restricted set of server ciphers

    If you wish to enable SSLv3, you can do::

        from urllib3.util import ssl_
        context = ssl_.create_urllib3_context()
        context.options &= ~ssl_.OP_NO_SSLv3

    You can do the same to enable compression (substituting ``COMPRESSION`` for ``SSLv3`` in the last line above).

    :param ssl_version:
        The desired protocol version to use. This will default to PROTOCOL_SSLv23 which will negotiate the highest protocol that both the server and your installation of OpenSSL support.
    :param cert_reqs:
        Whether to require the certificate verification. This defaults to ``ssl.CERT_REQUIRED``.
    :param options:
        Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``, ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``, and ``ssl.OP_NO_TICKET``.
    :param ciphers:
        Which cipher suites to allow the server to select.
    :returns:
        Constructed SSLContext object with specified options
    :rtype: SSLContext