a *NaA@stdZddlmZddlZddlmZddlmZ ddl m Z zddl m Z Wn"eynGdd d eZ Yn0dd lmZdd lmZdd lmZzdd lmZWn"eydZddlmZYn0ddlZddlZddlZddlmZddlmZddl m!Z!ddgZ"dZ#ej$ej%j&e!ej%j&ej'ej%j(iZ)e*edrXe*ej%drXej%j+e)ej,<e*edre*ej%drej%j-e)ej.<e*edre*ej%drej%j/e)ej0<ej1ej%j2ej3ej%j4ej5ej%j4ej%j6iZ7e8dde79DZ:dZ;ej#ZZ?e@eAZBddZCd dZDd!d"ZEd#d$ZFd%d&ZGGd'd(d(eHZIerNd0d*d+ZJneZJeJeI_JGd,d-d-eHZKd.d/ZLdS)1a TLS with SNI_-support for Python 2. Follow these instructions if you would like to verify TLS certificates in Python 2. Note, the default libraries do *not* do certificate checking; you need to do additional work to validate certificates yourself. This needs the following packages installed: * `pyOpenSSL`_ (tested with 16.0.0) * `cryptography`_ (minimum 1.3.4, from pyopenssl) * `idna`_ (minimum 2.0, from cryptography) However, pyopenssl depends on cryptography, which depends on idna, so while we use all three directly here we end up having relatively few packages required. You can install them with the following command: .. code-block:: bash $ python -m pip install pyopenssl cryptography idna To activate certificate checking, call :func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code before you begin making HTTP requests. This can be done in a ``sitecustomize`` module, or at any other time before your application begins using ``urllib3``, like this: .. code-block:: python try: import urllib3.contrib.pyopenssl urllib3.contrib.pyopenssl.inject_into_urllib3() except ImportError: pass Now you can use :mod:`urllib3` as you normally would, and it will support SNI when the required modules are installed. Activating this module also has the positive side effect of disabling SSL/TLS compression in Python 2 (see `CRIME attack`_). .. _sni: https://en.wikipedia.org/wiki/Server_Name_Indication .. _crime attack: https://en.wikipedia.org/wiki/CRIME_(security_exploit) .. _pyopenssl: https://www.pyopenssl.org .. _cryptography: https://cryptography.io .. _idna: https://github.com/kjd/idna )absolute_importN)x509)backend) _Certificate)UnsupportedExtensionc@s eZdZdS)rN)__name__ __module__ __qualname__r r t/private/var/folders/js/6pj4vh5d4zd0k6bxv74qrbhr0000gr/T/pip-target-22xwyzbs/lib/python/urllib3/contrib/pyopenssl.pyr;sr)BytesIO)error)timeout) _fileobject)backport_makefile)util)six)PROTOCOL_TLS_CLIENTinject_into_urllib3extract_from_urllib3TPROTOCOL_SSLv3 SSLv3_METHODPROTOCOL_TLSv1_1TLSv1_1_METHODPROTOCOL_TLSv1_2TLSv1_2_METHODccs|]\}}||fVqdSNr ).0kvr r r mr!i@cCs4ttt_ttj_tt_ttj_dt_dtj_dS)z7Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.TN)_validate_dependencies_metPyOpenSSLContextr SSLContextssl_HAS_SNI IS_PYOPENSSLr r r r ryscCs.tt_ttj_tt_ttj_dt_dtj_dS)z4Undo monkey-patching by :func:`inject_into_urllib3`.FN)orig_util_SSLContextrr%r&orig_util_HAS_SNIr'r(r r r r rs cCsRddlm}t|dddur$tdddlm}|}t|dddurNtddS) z{ Verifies that PyOpenSSL's package-level dependencies have been met. Throws `ImportError` if they are not met. r) Extensionsget_extension_for_classNzX'cryptography' module missing required functionality. Try upgrading to v1.3.4 or newer.)X509_x509zS'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.)Zcryptography.x509.extensionsr+getattr ImportErrorZOpenSSL.cryptor-)r+r-rr r r r#s  r#cCs@dd}d|vr|S||}|dur(dStjdkr<|d}|S)a% Converts a dNSName SubjectAlternativeName field to the form used by the standard library on the given Python version. Cryptography produces a dNSName as a unicode string that was idna-decoded from ASCII bytes. We need to idna-encode that string to get it back, and then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8). If the name cannot be idna-encoded then we return None signalling that the name given should be skipped. cSspddl}zJdD]8}||r|t|d}|d||WSq||WS|jjyjYdS0dS)z Borrowed wholesale from the Python Cryptography Project. It turns out that we can't just safely call `idna.encode`: it can explode for wildcard names. This avoids that problem. rN)z*..ascii)idna startswithlenencodecore IDNAError)namer3prefixr r r idna_encodes  z'_dnsname_to_stdlib..idna_encode:N)rutf-8)sys version_infodecode)r9r;r r r _dnsname_to_stdlibs  rBc Cst|dr|}n tt|j}z|jtjj }WnVtj yLgYStj t tj tfy}ztd|gWYd}~Sd}~00ddtt|tjD}|dd|tjD|S)zU Given an PyOpenSSL certificate, provides all the subject alternative names. to_cryptographyzA problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was %sNcSsg|]}|durd|fqS)NDNSr rr9r r r sz%get_subj_alt_name..css|]}dt|fVqdS)z IP AddressN)strrEr r r r!sz$get_subj_alt_name..)hasattrrCropenssl_backendr. extensionsr,rZSubjectAlternativeNamevalueZExtensionNotFoundZDuplicateExtensionrZUnsupportedGeneralNameType UnicodeErrorlogwarningmaprBZget_values_for_typeZDNSNameextendZ IPAddress)Z peer_certcertextenamesr r r get_subj_alt_names2       rUc@seZdZdZd!ddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ d"ddZddZddZddZd S)# WrappedSocketzAPI-compatibility wrapper for Python OpenSSL's Connection-class. Note: _makefile_refs, _drop() and _reuse() are needed for the garbage collector of pypy. TcCs"||_||_||_d|_d|_dSNrF) connectionsocketsuppress_ragged_eofs_makefile_refs_closed)selfrXrYrZr r r __init__s zWrappedSocket.__init__cCs |jSr)rYfilenor]r r r r_szWrappedSocket.filenocCs*|jdkr|jd8_|jr&|dS)Nr)r[r\closer`r r r _decref_socketioss zWrappedSocket._decref_socketiosc Osz|jj|i|}Wntjjyj}z6|jrJ|jdkrJWYd}~dStt|WYd}~nd}~0tjj y|j tjj krYdSYntjj yt |j|jstdn|j|i|YSYn<tjjy}ztd|WYd}~nd}~00|SdS)NzUnexpected EOFr"The read operation timed outread error: %r)rXrecvOpenSSLSSL SysCallErrorrZargs SocketErrorrGZeroReturnError get_shutdownRECEIVED_SHUTDOWN WantReadErrorr wait_for_readrY gettimeoutrErrorsslSSLError)r]rlkwargsdatarSr r r rh$s"  $zWrappedSocket.recvc Osz|jj|i|WStjjyf}z6|jrF|jdkrFWYd}~dStt|WYd}~nd}~0tjj y|j tjj krYdSYn~tjj yt |j|jstdn|j|i|YSYn8tjjy}ztd|WYd}~n d}~00dS)Nrdrrfrg)rX recv_intorirjrkrZrlrmrGrnrorprqrrrrYrsrrtrurv)r]rlrwrSr r r ry=s   zWrappedSocket.recv_intocCs |j|Sr)rY settimeout)r]rr r r rzTszWrappedSocket.settimeoutc Cs|z|j|WStjjyBt|j|js:t YqYqtjj yt}zt t |WYd}~qd}~00qdSr) rXsendrirjZWantWriteErrorrwait_for_writerYrsrrkrmrG)r]rxrSr r r _send_until_doneWszWrappedSocket._send_until_donecCs4d}|t|kr0||||t}||7}qdSNr)r5r}SSL_WRITE_BLOCKSIZE)r]rx total_sentsentr r r sendallbs  zWrappedSocket.sendallcCs|jdSr)rXshutdownr`r r r rjszWrappedSocket.shutdowncCsJ|jdkr8zd|_|jWStjjy4YdS0n|jd8_dS)NraT)r[r\rXrbrirjrtr`r r r rbns   zWrappedSocket.closeFcCsD|j}|s|S|r(tjtjj|Sd|jffft|dS)N commonName)subjectsubjectAltName) rXZget_peer_certificateriZcryptoZdump_certificateZ FILETYPE_ASN1Z get_subjectZCNrU)r] binary_formrr r r getpeercertxs zWrappedSocket.getpeercertcCs |jSr)rXZget_protocol_version_namer`r r r versionszWrappedSocket.versioncCs|jd7_dSNra)r[r`r r r _reuseszWrappedSocket._reusecCs&|jdkr|n|jd8_dSr)r[rbr`r r r _drops  zWrappedSocket._dropN)T)F)rrr __doc__r^r_rcrhryrzr}rrrbrrrrr r r r rV s   rVrecCs|jd7_t|||ddS)NraT)rb)r[r)r]modebufsizer r r makefilesrc@seZdZdZddZeddZejddZeddZejd dZd d Z d d Z dddZ dddZ ddZ dddZdS)r$z I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible for translating the interface of the standard library ``SSLContext`` object to calls into PyOpenSSL. cCs*t||_tj|j|_d|_d|_dSrW)_openssl_versionsprotocolrirjContext_ctx_optionscheck_hostname)r]rr r r r^s zPyOpenSSLContext.__init__cCs|jSr)rr`r r r optionsszPyOpenSSLContext.optionscCs||_|j|dSr)rrZ set_optionsr]rKr r r rscCst|jSr)_openssl_to_stdlib_verifyrZget_verify_moder`r r r verify_modeszPyOpenSSLContext.verify_modecCs|jt|tdSr)rZ set_verify_stdlib_to_openssl_verify_verify_callbackrr r r rscCs|jdSr)rset_default_verify_pathsr`r r r rsz)PyOpenSSLContext.set_default_verify_pathscCs&t|tjr|d}|j|dS)Nr>) isinstancer text_typer6rZset_cipher_list)r]ciphersr r r set_cipherss  zPyOpenSSLContext.set_ciphersNc Cs|dur|d}|dur$|d}z*|j|||durL|jt|Wn6tjjy}ztd|WYd}~n d}~00dS)Nr>z'unable to load trusted certificates: %r) r6rload_verify_locationsr rirjrtrurv)r]cafilecapathcadatarSr r r rs  z&PyOpenSSLContext.load_verify_locationscsR|j|dur>ttjs*d|jfdd|j|pJ|dS)Nr>csSrr )_passwordr r r"z2PyOpenSSLContext.load_cert_chain..)rZuse_certificate_chain_filerr binary_typer6Z set_passwd_cbZuse_privatekey_file)r]certfilekeyfilerr rr load_cert_chains    z PyOpenSSLContext.load_cert_chaincCsdd|D}|j|S)NcSsg|]}t|qSr )r ensure_binary)rpr r r rFr"z7PyOpenSSLContext.set_alpn_protocols..)rZset_alpn_protos)r]Z protocolsr r r set_alpn_protocolssz#PyOpenSSLContext.set_alpn_protocolsFTc Cstj|j|}t|tjr&|d}|dur8||| z | Wqtjj y~t ||svtdYq@Yqtjjy}ztd|WYd}~qd}~00qq@t||S)Nr>zselect timed outzbad handshake: %r)rirj Connectionrrrrr6Zset_tlsext_host_nameZset_connect_state do_handshakerqrrrrsrrtrurvrV)r]sock server_sidedo_handshake_on_connectrZserver_hostnamecnxrSr r r wrap_sockets     $zPyOpenSSLContext.wrap_socket)NNN)NN)FTTN)rrr rr^propertyrsetterrrrrrrrr r r r r$s(     r$cCs|dkSr~r )rrZerr_noZ err_depthZ return_coder r r rsr)re)Mr __future__rZ OpenSSL.SSLriZ cryptographyrZ$cryptography.hazmat.backends.opensslrrIZ)cryptography.hazmat.backends.openssl.x509rZcryptography.x509rr0 Exceptionior rYr rmrrZpackages.backports.makefilerloggingrur?rpackagesrZ util.ssl_r__all__r' PROTOCOL_TLSrjZ SSLv23_METHODPROTOCOL_TLSv1Z TLSv1_METHODrrHrrrrrr CERT_NONEZ VERIFY_NONE CERT_OPTIONALZ VERIFY_PEER CERT_REQUIREDZVERIFY_FAIL_IF_NO_PEER_CERTrdictitemsrrr*r&r%r) getLoggerrrMrrr#rBrUobjectrVrr$rr r r r sv/                    +6 ^