3

Z'ícŸBã@sŒdZddlmZddlZddlZddlmZddlm	Z
yddlmZWn$e
k
rlGdd„deƒZYnXdd	lmZdd
lmZddlmZyddlmZWn$e
k
rÆdZd
dlmZYnXddlZddlZddlZddlZd
dlmZd
dlmZd
dl m!Z!ej"de#d
dddgZ$dZ%ej&ej'j(e!ej'j(ej)ej'j*iZ+e,edƒrpe,ej'dƒrpej'j-e+ej.<e,edƒr˜e,ej'dƒr˜ej'j/e+ej0<e,edƒrÀe,ej'dƒrÀej'j1e+ej2<ej3ej'j4ej5ej'j6ej7ej'j6ej'j8iZ9e:dd„e9j;ƒDƒƒZ<dZ=ej%Z>ej?j@ZAejBeCƒZDd d„ZEd!d„ZFd"d#„ZGd$d%„ZHd&d'„ZIGd(d)„d)eJƒZKerfd2d+d,„ZLneZLeLeK_LGd-d.„d.eJƒZMd/d0„ZNdS)3a†
TLS with SNI_-support for Python 2. Follow these instructions if you would
like to verify TLS certificates in Python 2. Note, the default libraries do
*not* do certificate checking; you need to do additional work to validate
certificates yourself.

This needs the following packages installed:

* `pyOpenSSL`_ (tested with 16.0.0)
* `cryptography`_ (minimum 1.3.4, from pyopenssl)
* `idna`_ (minimum 2.0, from cryptography)

However, pyopenssl depends on cryptography, which depends on idna, so while we
use all three directly here we end up having relatively few packages required.

You can install them with the following command:

.. code-block:: bash

    $ python -m pip install pyopenssl cryptography idna

To activate certificate checking, call
:func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code
before you begin making HTTP requests. This can be done in a ``sitecustomize``
module, or at any other time before your application begins using ``urllib3``,
like this:

.. code-block:: python

    try:
        import urllib3.contrib.pyopenssl
        urllib3.contrib.pyopenssl.inject_into_urllib3()
    except ImportError:
        pass

Now you can use :mod:`urllib3` as you normally would, and it will support SNI
when the required modules are installed.

Activating this module also has the positive side effect of disabling SSL/TLS
compression in Python 2 (see `CRIME attack`_).

.. _sni: https://en.wikipedia.org/wiki/Server_Name_Indication
.. _crime attack: https://en.wikipedia.org/wiki/CRIME_(security_exploit)
.. _pyopenssl: https://www.pyopenssl.org
.. _cryptography: https://cryptography.io
.. _idna: https://github.com/kjd/idna
é)Úabsolute_importN)Úx509)Úbackend)ÚUnsupportedExtensionc@seZdZdS)rN)Ú__name__Ú
__module__Ú__qualname__©r	r	ú</tmp/pip-build-gk9425m9/urllib3/urllib3/contrib/pyopenssl.pyr;sr)ÚBytesIO)Úerror)Útimeout)Ú_fileobjecté)Úbackport_makefile)Úutil)Úsix)ÚPROTOCOL_TLS_CLIENTz°'urllib3.contrib.pyopenssl' module is deprecated and will be removed in a future release of urllib3 2.x. Read more in this issue: https://github.com/urllib3/urllib3/issues/2680)ÚcategoryÚ
stacklevelÚinject_into_urllib3Úextract_from_urllib3TÚPROTOCOL_SSLv3ÚSSLv3_METHODÚPROTOCOL_TLSv1_1ÚTLSv1_1_METHODÚPROTOCOL_TLSv1_2ÚTLSv1_2_METHODccs|]\}}||fVqdS)Nr	)Ú.0ÚkÚvr	r	r
ú	<genexpr>vsr!i@cCs4tƒtt_ttj_tt_ttj_dt_dtj_dS)z7Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.TN)Ú_validate_dependencies_metÚPyOpenSSLContextrÚ
SSLContextÚssl_ÚHAS_SNIÚIS_PYOPENSSLr	r	r	r
r‚scCs.tt_ttj_tt_ttj_dt_dtj_dS)z4Undo monkey-patching by :func:`inject_into_urllib3`.FN)Úorig_util_SSLContextrr$r%Úorig_util_HAS_SNIr&r'r	r	r	r
rscCsRddlm}t|ddƒdkr$tdƒ‚ddlm}|ƒ}t|ddƒdkrNtdƒ‚dS)	z{
    Verifies that PyOpenSSL's package-level dependencies have been met.
    Throws `ImportError` if they are not met.
    r)Ú
ExtensionsÚget_extension_for_classNzX'cryptography' module missing required functionality.  Try upgrading to v1.3.4 or newer.)ÚX509Z_x509zS'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.)Zcryptography.x509.extensionsr*ÚgetattrÚImportErrorÚOpenSSL.cryptor,)r*r,rr	r	r
r"šsr"cCs@dd„}d|kr|S||ƒ}|dkr(dStjdkr<|jdƒ}|S)	a%
    Converts a dNSName SubjectAlternativeName field to the form used by the
    standard library on the given Python version.

    Cryptography produces a dNSName as a unicode string that was idna-decoded
    from ASCII bytes. We need to idna-encode that string to get it back, and
    then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib
    uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8).

    If the name cannot be idna-encoded then we return None signalling that
    the name given should be skipped.
    cSslddl}yFx:dD]2}|j|ƒr|t|ƒd…}|jdƒ|j|ƒSqW|j|ƒS|jjk
rfdSXdS)zÒ
        Borrowed wholesale from the Python Cryptography Project. It turns out
        that we can't just safely call `idna.encode`: it can explode for
        wildcard names. This avoids that problem.
        rNú*.Ú.Úascii)r0r1)ÚidnaÚ
startswithÚlenÚencodeÚcoreÚ	IDNAError)Únamer3Úprefixr	r	r
Úidna_encodeÂs


z'_dnsname_to_stdlib.<locals>.idna_encodeú:Nérzutf-8)r=r)ÚsysÚversion_infoÚdecode)r9r;r	r	r
Ú_dnsname_to_stdlib´s

rAcCsÐt|dƒr|jƒ}ntjjtjj|ƒ}tj|tƒ}y|j	j
tjƒj}WnLtj
k
r\gStjttjtfk
r’}ztjd|ƒgSd}~XnXdd„tt|jtjƒƒDƒ}|jdd„|jtjƒDƒƒ|S)zU
    Given an PyOpenSSL certificate, provides all the subject alternative names.
    Úto_cryptographyz­A problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was %sNcSsg|]}|dk	rd|f‘qS)NÚDNSr	)rr9r	r	r
ú
<listcomp>	sz%get_subj_alt_name.<locals>.<listcomp>css|]}dt|ƒfVqdS)z
IP AddressN)Ústr)rr9r	r	r
r!sz$get_subj_alt_name.<locals>.<genexpr>)ÚhasattrrBÚOpenSSLÚcryptoÚdump_certificateÚ
FILETYPE_ASN1rZload_der_x509_certificateÚopenssl_backendÚ
extensionsr+ZSubjectAlternativeNameÚvalueZExtensionNotFoundZDuplicateExtensionrZUnsupportedGeneralNameTypeÚUnicodeErrorÚlogÚwarningÚmaprAZget_values_for_typeZDNSNameÚextendZ	IPAddress)Z	peer_certÚcertZderÚextÚeÚnamesr	r	r
Úget_subj_alt_nameßs,


rWc@s„eZdZdZd!dd„Zdd„Zdd„Zd	d
„Zdd„Zd
d„Z	dd„Z
dd„Zdd„Zdd„Z
d"dd„Zdd„Zdd„Zdd„Zd S)#Ú
WrappedSocketz§API-compatibility wrapper for Python OpenSSL's Connection-class.

    Note: _makefile_refs, _drop() and _reuse() are needed for the garbage
    collector of pypy.
    TcCs"||_||_||_d|_d|_dS)NrF)Ú
connectionÚsocketÚsuppress_ragged_eofsÚ_makefile_refsÚ_closed)ÚselfrYrZr[r	r	r
Ú__init__s
zWrappedSocket.__init__cCs
|jjƒS)N)rZÚfileno)r^r	r	r
r`"szWrappedSocket.filenocCs*|jdkr|jd8_|jr&|jƒdS)Nré)r\r]Úclose)r^r	r	r
Ú_decref_socketios&s
zWrappedSocket._decref_socketioscOsy|jj||Ž}Wnètjjk
rX}z&|jr<|jdkr<dStt|ƒƒ‚WYdd}~Xn¨tjj	k
r†|jj
ƒtjjkr€dS‚Ynztjjk
rÆt
j|j|jjƒƒs¶tdƒ‚n|j||ŽSYn:tjjk
rú}ztjd|ƒ‚WYdd}~XnX|SdS)NraúUnexpected EOFózThe read operation timed outzread error: %réÿÿÿÿ)rfrd)rYÚrecvrGÚSSLÚSysCallErrorr[ÚargsÚSocketErrorrEÚZeroReturnErrorÚget_shutdownÚRECEIVED_SHUTDOWNÚ
WantReadErrorrÚ
wait_for_readrZÚ
gettimeoutr
ÚErrorÚsslÚSSLError)r^rjÚkwargsÚdatarUr	r	r
rg,s"
 zWrappedSocket.recvcOsüy|jj||ŽStjjk
rT}z&|jr8|jdkr8dStt|ƒƒ‚WYdd}~Xn¤tjj	k
r‚|jj
ƒtjjkr|dS‚Ynvtjjk
rÂt
j|j|jjƒƒs²tdƒ‚n|j||ŽSYn6tjjk
rö}ztjd|ƒ‚WYdd}~XnXdS)NraúUnexpected EOFrzThe read operation timed outzread error: %rrf)rfrw)rYÚ	recv_intorGrhrir[rjrkrErlrmrnrorrprZrqr
rrrsrt)r^rjrurUr	r	r
rxEs 
zWrappedSocket.recv_intocCs|jj|ƒS)N)rZÚ
settimeout)r^r
r	r	r
ry\szWrappedSocket.settimeoutcCs|xvy|jj|ƒStjjk
rBtj|j|jjƒƒs<t	ƒ‚wYqtjj
k
rr}ztt|ƒƒ‚WYdd}~XqXqWdS)N)
rYÚsendrGrhZWantWriteErrorrÚwait_for_writerZrqr
rirkrE)r^rvrUr	r	r
Ú_send_until_done_szWrappedSocket._send_until_donecCs8d}x.|t|ƒkr2|j|||t…ƒ}||7}qWdS)Nr)r5r|ÚSSL_WRITE_BLOCKSIZE)r^rvÚ
total_sentÚsentr	r	r
Úsendalljs
zWrappedSocket.sendallcCs|jjƒdS)N)rYÚshutdown)r^r	r	r
rrszWrappedSocket.shutdowncCsH|jdkr6yd|_|jjƒStjjk
r2dSXn|jd8_dS)NraT)r\r]rYrbrGrhrr)r^r	r	r
rbvs

zWrappedSocket.closeFcCsD|jjƒ}|s|S|r(tjjtjj|ƒSd|jƒjffft|ƒdœS)NÚ
commonName)ÚsubjectÚsubjectAltName)	rYZget_peer_certificaterGrHrIrJZget_subjectZCNrW)r^Úbinary_formrr	r	r
Úgetpeercert€s
zWrappedSocket.getpeercertcCs
|jjƒS)N)rYZget_protocol_version_name)r^r	r	r
ÚversionŽszWrappedSocket.versioncCs|jd7_dS)Nra)r\)r^r	r	r
Ú_reuse‘szWrappedSocket._reusecCs&|jdkr|jƒn|jd8_dS)Nra)r\rb)r^r	r	r
Ú_drop”s

zWrappedSocket._dropN)T)F)rrrÚ__doc__r_r`rcrgrxryr|r€rrbr†r‡rˆr‰r	r	r	r
rXs


rXracCs|jd7_t|||ddS)NraT)rb)r\r)r^ÚmodeÚbufsizer	r	r
Úmakefilesrc@s‚eZdZdZdd„Zedd„ƒZejdd„ƒZedd„ƒZejd	d„ƒZd
d„Z	dd
„Z
ddd„Zddd„Zdd„Z
ddd„ZdS)r#zÂ
    I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible
    for translating the interface of the standard library ``SSLContext`` object
    to calls into PyOpenSSL.
    cCs*t||_tjj|jƒ|_d|_d|_dS)NrF)Ú_openssl_versionsÚprotocolrGrhÚContextÚ_ctxÚ_optionsÚcheck_hostname)r^rr	r	r
r_®s
zPyOpenSSLContext.__init__cCs|jS)N)r’)r^r	r	r
Úoptions´szPyOpenSSLContext.optionscCs||_|jj|ƒdS)N)r’r‘Zset_options)r^rMr	r	r
r”¸scCst|jjƒS)N)Ú_openssl_to_stdlib_verifyr‘Zget_verify_mode)r^r	r	r
Úverify_mode½szPyOpenSSLContext.verify_modecCs|jjt|tƒdS)N)r‘Z
set_verifyÚ_stdlib_to_openssl_verifyÚ_verify_callback)r^rMr	r	r
r–ÁscCs|jjƒdS)N)r‘Úset_default_verify_paths)r^r	r	r
r™Åsz)PyOpenSSLContext.set_default_verify_pathscCs&t|tjƒr|jdƒ}|jj|ƒdS)Nzutf-8)Ú
isinstancerÚ	text_typer6r‘Zset_cipher_list)r^Úciphersr	r	r
Úset_ciphersÈs
zPyOpenSSLContext.set_ciphersNcCsˆ|dk	r|jdƒ}|dk	r$|jdƒ}y*|jj||ƒ|dk	rL|jjt|ƒƒWn4tjjk
r‚}ztjd|ƒ‚WYdd}~XnXdS)Nzutf-8z'unable to load trusted certificates: %r)	r6r‘Úload_verify_locationsrrGrhrrrsrt)r^ÚcafileÚcapathÚcadatarUr	r	r
ržÍs

z&PyOpenSSLContext.load_verify_locationscsR|jj|ƒˆdk	r>tˆtjƒs*ˆjdƒ‰|jj‡fdd„ƒ|jj|pJ|ƒdS)Nzutf-8csˆS)Nr	)Ú_)Úpasswordr	r
Ú<lambda>Þsz2PyOpenSSLContext.load_cert_chain.<locals>.<lambda>)r‘Zuse_certificate_chain_fileršrÚbinary_typer6Z
set_passwd_cbZuse_privatekey_file)r^ÚcertfileÚkeyfiler£r	)r£r
Úload_cert_chainÙs
z PyOpenSSLContext.load_cert_chaincCsdd„|Dƒ}|jj|ƒS)NcSsg|]}tj|ƒ‘qSr	)rZ
ensure_binary)rÚpr	r	r
rDâsz7PyOpenSSLContext.set_alpn_protocols.<locals>.<listcomp>)r‘Zset_alpn_protos)r^Z	protocolsr	r	r
Úset_alpn_protocolsász#PyOpenSSLContext.set_alpn_protocolsFTcCsÄtjj|j|ƒ}t|tjƒr&|jdƒ}|dk	r8|j|ƒ|j	ƒxxy|j
ƒWndtjjk
r€tj
||jƒƒsztdƒ‚wBYn4tjjk
r²}ztjd|ƒ‚WYdd}~XnXPqBWt||ƒS)Nzutf-8zselect timed outzbad handshake: %r)rGrhÚ
Connectionr‘ršrr›r6Zset_tlsext_host_nameZset_connect_stateÚdo_handshakerorrprqr
rrrsrtrX)r^ÚsockÚserver_sideÚdo_handshake_on_connectr[Úserver_hostnameÚcnxrUr	r	r
Úwrap_socketås"

 zPyOpenSSLContext.wrap_socket)NNN)NN)FTTN)rrrrŠr_Úpropertyr”Úsetterr–r™rržr¨rªr²r	r	r	r
r#§s

r#cCs|dkS)Nrr	)r±rZerr_noZ	err_depthZreturn_coder	r	r
r˜sr˜rf)rf)OrŠÚ
__future__rr/rGZOpenSSL.SSLZcryptographyrZ$cryptography.hazmat.backends.opensslrrKZcryptography.x509rr.Ú	ExceptionÚiorrZrrkr
rZpackages.backports.makefilerÚloggingrsr>ÚwarningsÚrÚpackagesrZ	util.ssl_rÚwarnÚDeprecationWarningÚ__all__r&ÚPROTOCOL_TLSrhZ
SSLv23_METHODÚPROTOCOL_TLSv1ZTLSv1_METHODrŽrFrrrrrrÚ	CERT_NONEZVERIFY_NONEÚ
CERT_OPTIONALZVERIFY_PEERÚ
CERT_REQUIREDZVERIFY_FAIL_IF_NO_PEER_CERTr—ÚdictÚitemsr•r}r)r%r$r(Ú	getLoggerrrOrrr"rArWÚobjectrXrr#r˜r	r	r	r
Ú<module>/sz





+5^