BwgEddlmZmZmZmZddlZddlmZddlmZm Z m Z ddl m Z ddl mZmZmZgdZd Zd Zd Zd Zd ZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(y) )unicode_literalsdivisionabsolute_importprint_functionN)datetime) Certificateint_from_bytestimezone)CIPHER_SUITE_MAP)TLSVerificationErrorTLSDisconnectErrorTLSError)detect_client_auth_request extract_chainget_dh_params_length parse_alertparse_handshake_messagesparse_session_infoparse_tls_recordsraise_client_authraise_dh_paramsraise_disconnectionraise_expired_not_yet_validraise_handshakeraise_hostnameraise_no_issuerraise_protocol_error raise_revokedraise_self_signedraise_verificationraise_weak_signaturecPg}d}t|D],\}}}|dk7r t|D]\}}|dk(s |}n|s,n|red}|t|krUt|||dz} |dz} | | z} | }|| | } |j t j | |t|krU|S)a Extracts the X.509 certificates from the server handshake bytes for use when debugging :param server_handshake_bytes: A byte string of the handshake data received from the server :return: A list of asn1crypto.x509.Certificate objects N )rrlenr appendr load) server_handshake_bytesoutput chain_bytes record_type_ record_data message_type message_datapointer cert_length cert_startcert_end cert_bytess D/var/www/horilla/myenv/lib/python3.12/site-packages/oscrypto/_tls.pyrr#sFK'89O'P# Q ' ! *B;*O  &L,w&*    K(((WWq[)IJK 1J!K/HG$Z9J MM+**:6 7 K(( Mcnt|D]'\}}}|dk7r t|D] \}}|dk(s y)y)a) Determines if a CertificateRequest message is sent from the server asking the client for a certificate :param server_handshake_bytes: A byte string of the handshake data received from the server :return: A boolean - if a client certificate request was found r$ TF)rr)r*r-r.r/r0r1s r7rrKsT(99O'P# Q ' ! *B;*O  &L,w&  r8cd}d}t|D],\}}}|dk7r t|D]\}}|dk(s |}n|s,n|rt|dddz}|S)a Determines the length of the DH params from the ServerKeyExchange :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None or an integer of the bit size of the DH parameters Nr$ r)rrr )r*r+dh_params_bytesr-r.r/r0r1s r7rr`sFO'89O'P# Q ' ! *B;*O  &L,w&".   ! 459 Mr8ct|D]9\}}}|dk7r t|dk7ryt|ddt|ddfcSy)aV Parses the handshake for protocol alerts :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None or an 2-element tuple of integers: 0: 1 (warning) or 2 (fatal) 1: The alert description (see https://tools.ietf.org/html/rfc5246#section-7.2) r=Nrr)rr'r )r*r-r.r/s r7rrse(99O'PT# Q ' !  { q {1Q/0.QqAQ2RSS T r8cd}d}d}d}d}d}d}t|D]\} } } | dk7r t| D]\} } | dk7r ddddd d | d d }t| d d}|d kDr| dd|z}d|z}| ||d z}t|}|d z}| ||dzdk7}|dz}| |d}t |D]\}}|dk(s d}nt|D]\} } } | dk7r t| D]\} } | dk7r t| d d}|d kDr| dd|z}d|z}t| ||d z}|d z|z}t| ||dz}|+|)|dz|z}| |d}t |D]\}}|dk(s d}n||d}n ||k7rd}nd}|||||dS)a Parse the TLS handshake from the client to the server to extract information including the cipher suite selected, if compression is enabled, the session id and if a new or reused session ticket exists. :param server_handshake_bytes: A byte string of the handshake data received from the server :param client_handshake_bytes: A byte string of the handshake data sent to the server :return: A dict with the following keys: - "protocol": unicode string - "cipher_suite": unicode string - "compression": boolean - "session_id": "new", "reused" or None - "session_ticket: "new", "reused" or None NFr$SSLv3TLSv1zTLSv1.1zTLSv1.2zTLSv1.3)sssssrr="#rnewreused)protocol cipher_suite compression session_idsession_ticket)rrr r _parse_hello_extensions)r*client_handshake_bytesrLrMrNrOrPserver_session_idclient_session_idr-r.r/r0r1session_id_lengthcipher_suite_startcipher_suite_bytescompression_startextensions_length_startextensions_dataextension_typeextension_datacipher_suite_lengthcompression_lengths r7rrs*HLKJN'89O'P # Q ' ! *B;*O  &L,w&$$&&&  1Q !H!/|Br/B C  1$$0B9J4J$K!!#&7!7 !-.@ASVWAW!X +,>?L 2Q 6 &'89JQ9NOSZZK&7!&; #*+B+CDO2I/2Z .!R'%*N  ;  D(99O'P# Q ' ! *B;*O  &L,w& .|Br/B C  1$$0B9J4J$K!!#&7!7 "0>PQcfgQg1h"i  2Q 69L L !/ =NO`cdOd0e!f !(^-C*;a*?BT*T'"./F/G"H6Mo6^2NN%+)1 1 :$  $J $55" % $" (  r8c#Kd}t|}||krQ|||dzdk(ryt||dz|dz}|||dz||dz|dz||dz|dz|zf|d|zz }||krPyyw)a Creates a generator returning tuples of information about each record in a byte string of data from a TLS client or server. Stops as soon as it find a ChangeCipherSpec message since all data from then on is encrypted. :param data: A byte string of TLS records :return: A generator that yields 3-element tuples: [0] Byte string of record type [1] Byte string of protocol version [2] Byte string of record data rrr&Nr'r datar2data_lenlengths r7rrs G4yH H  ! $ / Wq[1 => 1 % 1Wq[ ) 1Wq[61 2  1v: H s A"A'%A'c#Kd}t|}||kr;t||dz|dz}|||dz||dz|dz|zf|d|zz }||kr:yyw)a` Creates a generator returning tuples of information about each message in a byte string of data from a TLS handshake record :param data: A byte string of a TLS handshake record data :return: A generator that yields 2-element tuples: [0] Byte string of message type [1] Byte string of message data rrNrbrcs r7rr#sG4yH H Wq[1 => 1 % 1Wq[61 2   1v: H s A AAc#K|dk(ryt|dd}d}d|z}|}||krFt|||dz}t||dz|dz}|||dz|dz|zf|d|zz }||krEyyw)a Creates a generator returning tuples of information about each extension from a byte string of extension data contained in a ServerHello ores ClientHello message :param data: A byte string of a extension data from a TLS ServerHello or ClientHello message :return: A generator that yields 2-element tuples: [0] Byte string of extension type [1] Byte string of extension data r8Nrr=rh)r )rdextentions_lengthextensions_startextensions_endr2r[extension_lengths r7rQrQ<s  s{&tAay1**NG N "'WWq[(AB)$w{7Q;*GH  1Wq[+;; <   1''' N "s A'A,*A,c<tjd|xs|jddk7}|rd|z}nd|z}d|z}dj|j}dj|j }|r|d|zz }|r|r|d z }|r|d |zz }t ||) z Raises a TLSVerificationError due to a hostname mismatch :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError z^\d+\.\d+\.\d+\.\d+$:z IP address %szdomain name %sz:Server certificate verification failed - %s does not matchz, z valid domains: %sz orz valid IP addresses: %s)rematchfindjoin valid_ips valid_domainsr ) certificatehostnameis_ip hostname_typemessagerurvs r7rr^s HH2H = YsASWYAYE '(2 (83 J]ZG +//0IIIk778M'-775,y88 w 44r8cd}t||)z Raises a generic TLSVerificationError :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError z&Server certificate verification failedr rwr{s r7r!r!zs7G w 44r8cd}t||)z Raises a TLSVerificationError when a certificate uses a weak signature algorithm :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zMServer certificate verification failed - weak certificate signature algorithmr}r~s r7r"r"s^G w 44r8cd}t|)zg Raises a TLSError indicating client authentication is required :raises: TLSError z5TLS handshake failed - client authentication requiredr)r{s r7rrsFG 7 r8cd}t||)z Raises a TLSVerificationError due to the certificate being revoked :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zEServer certificate verification failed - certificate has been revokedr}r~s r7rrsVG w 44r8cd}t||)z Raises a TLSVerificationError due to no issuer certificate found in trust roots :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zgServer certificate verification failed - certificate issuer not found in trusted root certificate storer}r~s r7rrsxG w 44r8cd}t||)z Raises a TLSVerificationError due to a self-signed certificate roots :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zCServer certificate verification failed - certificate is self-signedr}r~s r7r r sTG w 44r8cd}t||)z Raises a TLSVerificationError due to a certificate lifetime exceeding the CAB forum certificate lifetime limit :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zIServer certificate verification failed - certificate lifetime is too longr}r~s r7raise_lifetime_too_longrsZG w 44r8c|dd}|dj}|dj}tjtj}||kDr|j d}d|z}n||kr|j d}d|z}t |)z Raises a TLSVerificationError due to certificate being expired, or not yet being valid :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError tbs_certificatevalidity not_after not_beforez%Y-%m-%d %H:%M:%SZzGServer certificate verification failed - certificate not valid until %sz?Server certificate verification failed - certificate expired %s)nativernowr utcstrftimer )rwrrrrformatted_beforer{formatted_afters r7rrs,-j9H%,,I,'..J ,,x|| $CC%../CD[^nn S#,,-ABSVee w 44r8ctd)ze Raises a TLSDisconnectError due to a disconnection :raises: TLSDisconnectError z$The remote end closed the connection)rr8r7rrs C DDr8cNt|}|rtd|ztd)z Raises a TLSError due to a protocol error :param server_handshake_bytes: A byte string of the handshake data received from the server :raises: TLSError z.TLS protocol error - server responded using %sz@TLS protocol error - server responded using a different protocol)detect_other_protocolr)r*other_protocols r7rr s/++ABNG.XYY U VVr8ctd)zS Raises a TLSError due to a handshake error :raises: TLSError zTLS handshake failedrrr8r7rrs ) **r8ctd)z_ Raises a TLSError due to a TLS version incompatibility :raises: TLSError z-TLS handshake failed - protocol version errorrrr8r7raise_protocol_versionr)s B CCr8ctd)zP Raises a TLSError due to weak DH params :raises: TLSError z)TLS handshake failed - weak DH parametersrrr8r7rr4s > ??r8c|dddk(ry|dddk(r'tjd|tjryy |ddd k(ry|ddd k(ry |ddd k(s|dddk(ryy)a Looks at the server handshake bytes to try and detect a different protocol :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None, or a unicode string of "ftp", "http", "imap", "pop3", "smtp" rrasHTTP/HTTPrhs220 s ^[^ ]*ftpFTPSMTPs220-s+OK POP3s* OK s * PREAUTHIMAPN)rqrrI)r*s r7rr?sa"h.a"g- 88O%;RTT Ba"g-a"g-a"g-1G!1LP\1\ r8)) __future__rrrrrqr_asn1r r r _cipher_suitesr errorsr rr__all__rrrrrrrrQrr!r"rrrr rrrrrrrrrr8r7rsRR 88,FF .%P*>,l^>2(D58 5 5  5 5 5 5 58EW&+D@r8