Bwg ddlmZmZmZmZddlZddlZddlZddlZ ddl Z ddl Z ddl Z ddl Z ddlmZmZmZmZddlmZmZmZddlmZmZmZddlmZdd lmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,dd l-m.Z.m/Z/m0Z0m1Z1dd l2m3Z3dd l4m5Z5dd l6m7Z7m8Z8m9Z9ddl:m;Z;mZ>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMddlNmOZOmZddlPmQZQejdkreSZTejdkr ejZVn ejZVddgZWejejejejejdZ]ejdejdejdejdejdiZ^ejdZ`ejdZae jZciZddZedZfdZge#ed eeZhe#ed!egZiGd"dejZkGd#dejZly)$)unicode_literalsdivisionabsolute_importprint_functionN)Securityosx_version_infohandle_sec_error SecurityConst)CoreFoundationhandle_cf_error CFHelpers) Certificate int_to_bytestimezone)pretty_message)array_from_pointer array_setbuffer_from_bytesbytes_from_buffercallbackcastderefnewnull pointer_setstruct struct_bytesunwrapwrite_to_buffer) type_namestr_clsbyte_cls int_types)CIPHER_SUITE_MAP) rand_bytes)TLSErrorTLSDisconnectErrorTLSGracefulDisconnectError)detect_client_auth_requestdetect_other_protocol extract_chainget_dh_params_lengthparse_session_inforaise_client_authraise_dh_paramsraise_disconnectionraise_expired_not_yet_validraise_handshakeraise_hostnameraise_lifetime_too_longraise_no_issuerraise_protocol_errorraise_protocol_version raise_revokedraise_self_signedraise_verificationraise_weak_signature)load_certificater)parse_certificate))r@ TLSSession TLSSocket)SSLv2SSLv3TLSv1TLSv1.1TLSv1.2rDrErFrGrHs( | | )zGanon|PSK|SEED|RC4|MD5|NULL|CAMELLIA|ARIA|SRP|KRB5|EXPORT|(?>>d)o-$  %,,!6(((EU[[,@$999 22 2 ,,4yA~#d&8&8"9Q">$(1Igw5G1H$H!)-ac;7*&)0F&&$1H*HH&(777   $ &  T*'T3 t9 ' 11 1E  GGE F / DO.../so=JJ"B*I* I*I*-A J8JB JAJ*J= J JJJ K J>8K>Kcd}|j} |jd||jdz }|j||S#tj$rY(wxYw#|j|wxYw)z Reads everything available from the socket - used for debugging when there is a protocol error :param socket: The socket to read from :return: A byte string of the remaining data rJrK )rR settimeoutrYrUrV)rjoutput old_timeouts rtraras{F##%K'#&++d## +& M MM    +&s#%A A"A%!A""A%%A8c tj|}|stj|}n |j}|s|syt |}t ||}|r!|j s|xj|z c_d} |j|}|Y|tjk7rF|tjk(s|tjk(rtj Stj"S|k7rt%||tj&Sy#tj$r} | j}Yd} ~ d} ~ wwxYw#t($r!} | _tj,cYd} ~ Sd} ~ wwxYw)a Callback called by Secure Transport to actually write to the socket :param connection_id: An integer identifying the connection :param data_buffer: A char pointer FFI type containing the data to write :param data_length_pointer: A size_t pointer FFI type of the amount of data to write. Will be overwritten with the amount of data actually written on return. :return: An integer status code of the result - 0 for success rN)rNrOrPrQrrr^ _client_hellosendrUrVrWrXr\r]r rZr[rrcrdreerrSSLPeerUserCancelled) rfrgrhrirj data_lengthrmrVsentrqs rt_write_callbackrs/$"5##M2!%%m4F\\FF/0  k: ,,   $ &  ;;t$D  %,,!6(((EU[[,@$999 22 2 ;  +T 2 11 1  GGE  54445sZ=D7+T2N+,  #4  :;H h (H:HHc*N(#  !)3/W+X X ^*+  #"$ $5 A . <'7'<'<$ 0(;'89I'J$ 0':.5G+||;ja|>j;tj|d} t | tuj|;}?tj||?} t | ttd}@tj||@} t | tM|@}Attjtjg}B|A|Bvrtj}"nQtjj|}"|"tjnk(r)tjj|}"|"tjnk(r)d|_\ttjtjtjtjtjtjtjg}C|"|Cvrn|rt{j||d}ttd}%tjr||%} t | t |%}ttd}Dtj||D} tM|D}Et|j}Fd}Gd}Hd}Id}Jd}Kd}=d}L|Fr Fd}=t|=}M|Mj}GEtjk(}H|G xrEtjk(}KEtjk(}I|Etjk(}J|Etjk(}L|Etjk(}Ntdk\rq|=dd}O|Od jj}P|Od!jj}Qtjjtj}R|Q|Rk}I|P|RkD}JFr*Fdjtd"d#gvrtFdHr t|=Lrt|=|j(n9IsJr t|=n)Kr t|=nGr t|=n Nr t|=t|jr tt|=|"tjk(r)t|jr tt|"tjk(r t|"tjk(r t|"ttjtj gvr?|xjt |j"z c_et|j|"ttjtjgvrl|js)|xjt |j"z c_et|jrt|jttdkr(t|j}S|SSd$kr t|"tjnk(}T|"tjpk(}U|j0j2xrU}VTsVst |"t||_ttd%}Wtj||W} t | tM|W}t ||_ttd&}Xtj$||X} t | tM|X}YtW|Yd}ZtYjZ|Z|Z|_t)|j|j*}[|[d'|_|[d(|_|[d)|_ |r"t{j||} t| d}|r"t{j||} t| d}|r"t{j||} t| d}|r"t{j||} t| d}|rt{j||d}yycc}w#t2t4j6f$rg|rKtdkr"tj8|} t | n t{j||} t| d|_|j;wxYw#|r"t{j||} t| d}|r"t{j||} t| d}|r"t{j||} t| d}|r"t{j||} t| d}|rt{j||d}wwxYw)*z2 Perform an initial TLS handshake N rzSSLContextRef *Fizutf-8)rrT)rDrErFsize_t *z uint32_t *uint32_tr)widthz uint32_t[])rrAr SecTrustRef *CSSM_OIDzchar *zSecPolicySearchRef *zSecPolicyRef *CSSM_APPLE_TP_OCSP_OPTIONS CSSM_DATACSSM_APPLE_TP_CRL_OPTIONSzSecTrustResultType *z OSStatus *)r tbs_certificatevalidity not_before not_aftermd5md2iz SSLProtocol *zSSLCipherSuite * compression session_idsession_ticket)r rr SSLNewContextr r SSLCreateContextrr kSSLClientSidekSSLStreamType SSLSetIOFuncs_read_callback_pointer_write_callback_pointerid_connection_idrNrQrPSSLSetConnectionrencodeSSLSetPeerDomainNamerSrrr_PROTOCOL_STRING_CONST_MAPrSSLSetProtocolVersionEnabledSSLSetEnableCertVerifyminmaxSSLSetProtocolVersionMinSSLSetProtocolVersionMaxSSLSetSessionOption"kSSLSessionOptionBreakOnServerAuthSSLGetNumberSupportedCiphersrrrSSLGetSupportedCiphersrrr&rO_cipher_blacklist_regexsearchrrSSLSetEnabledCiphersr SSLSetPeerID SSLHandshakerercerrSSLServerAuthCompletedSSLCopyPeerTrustrcf_string_from_unicodeSecPolicyCreateSSLr CFReleaser rAPPLE_TP_REVOCATION_OCSPLengthDataSecPolicySearchCreateCSSM_CERT_X_509v3SecPolicySearchCopyNextCSSM_APPLE_TP_OCSP_OPTS_VERSIONVersionCSSM_TP_ACTION_OCSP_DISABLE_NET&CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLEFlagsrSecPolicySetValueAPPLE_TP_REVOCATION_CRLCSSM_APPLE_TP_CRL_OPTS_VERSIONCrlFlagscf_array_from_listSecTrustSetPoliciesr>sec_certificate_ref!SecTrustSetAnchorCertificatesOnlySecTrustSetAnchorCertificatesSecTrustEvaluater`kSecTrustResultProceedkSecTrustResultUnspecifiederrSSLXCertChainInvalidr^errSSLCertExpirederrSSLCertNotYetValiderrSSLUnknownRootCerterrSSLNoRootCerterrSSLHostNameMismatcherrSSLInternalSecTrustGetCssmResultCoder-r_ self_signedCSSMERR_TP_CERT_REVOKEDCSSMERR_TP_NOT_TRUSTEDCSSMERR_TP_CERT_EXPIREDCSSMERR_TP_CERT_NOT_VALID_YET!CSSMERR_APPLETP_HOSTNAME_MISMATCHCSSMERR_TP_CERT_SUSPENDEDchosennativedatetimenowrutc hash_algor=r:r5r3r7r;r6r+r0r<errSSLPeerHandshakeFailr4errSSLWeakPeerEphemeralDHKeyr1errSSLPeerProtocolVersionr9errSSLRecordOverflowrbrar8rZr[r,r2r.r(_session_contextSSLGetNegotiatedProtocolVersion_PROTOCOL_CONST_STRING_MAP _protocolSSLGetNegotiatedCipher _cipher_suiter/r| _compression _session_id_session_ticketOSErrorrUrVSSLDisposeContextclose)\risession_contextssl_policy_refcrl_search_refcrl_policy_refocsp_search_refocsp_policy_refpolicy_array_ref trust_refsession_context_pointerresult utf8_domaindisable_auto_validationexplicit_validationrprotocol_constenabledprotocol_consts min_protocol max_protocolsupported_ciphers_pointersupported_ciphers cipher_buffersupported_cipher_suites_pointersupported_cipher_suites good_cipherssupported_cipher_suite cipher_suitecipher_suite_name good_ciphernum_good_ciphersgood_ciphers_arraygood_ciphers_pointerpeer_idhandshake_result exception do_validationtrust_ref_pointercf_string_hostnameocsp_oid_pointerocsp_oidocsp_oid_bufferocsp_search_ref_pointerocsp_policy_ref_pointerocsp_struct_pointer ocsp_structocsp_struct_bytescssm_data_pointer cssm_dataocsp_struct_buffercrl_oid_pointercrl_oidcrl_oid_buffercrl_search_ref_pointercrl_policy_ref_pointercrl_struct_pointer crl_structcrl_struct_bytescrl_struct_buffer ca_cert_refsca_certscertca_cert array_refresult_pointertrust_result_codeinvalid_chain_error_codeshandshake_error_codesresult_code_pointer result_codechainr revokedexpired not_yet_valid no_issuer bad_hostname oscrypto_certvalidity_too_longrrrutcnowdh_params_length would_blockserver_auth_completerprotocol_const_pointercipher_int_pointer cipher_int cipher_bytes session_infos\ rtrzTLSSocket._handshakes  X !')*-h8I*J'!//7NO ("()@"A#+";";F!00!00# ++&'F V $"$T(Z"7D 48 T00 104 L,, -..@S@STF V $..//8K22K F V $8+*.--*J*J*ndmmNnNn'+/==+K+K'K&qQUQ^Q^QqQq#*.'*.--*J*J&J# ') ;-H%?%IN&$--*B*BBG%BB'&F %V,-+%<<_eTF$V,Y]XeXeXpXp"qH#=h#G"q"q"?3 "?3 !::# !(!::# !(*%99'%HHF %V,),Hj(A %::?LefF V $ %&? @ -.?!.CDM.28\=.Y +44/)F V $ %&? @ &8/! ' # L*A @&+,B!L $4$8$8|$T!5<<=NOSWW  ''(>?  @ #<0 !$X|=M!N  (, 7#',@R#S 22$ F V $ mm,,t~~/D/DW/MMG**?GS\RF V $'44_E * OO "&"m&D&DD#+#8#8#I ??. $I&*DO#O #m&D&DD ').>'.I 3 M8HA8M 3 s8HMLsLs8s $'/$B!!22#%!("#45 %.%E%Ednn%U"!)! 1!$]%J%J!K!2=3X3X!Y#HhG ),X7M)N&!77!33#F*  !(!'(>!?),X7G)H&!99.J`a (!'(>!?%+H6Q%R"#$67 %2%Q%Q "&' ##/0B#C $*8[$A!"#45 #&'7#8  $56F$G!!%h:K!L !33NDUV (#,#?#?""#A$ "55iAQR (==33#%L!H $ @ @I"24"8 0$++G,G,GHI &GG SXYF$V, ) < <\ JI%CCIyYF$V,!$X/E!F!229nM ($).$9!,/!88!<<1-)%,EE'4'L'L$'/'<'<_'M$*m.L.LL+3+@+@+Q(+m.L.LL$(D $'55//3333..44,,)% ! #88",,Y7 $I$'/$B!!22#%!("#45 &)(L&A#!;;IGZ[#$78 %d&8&89#  % ! $  8D$4T$:M"/";";K)]-R-RRG$/ gK=CgCg4gI)]-R-RRG$/=3^3^$^M#.-2a2a#aL(3}7^7^(^%(83#'(9#::#F%-l%;%B%B%I%I $,[$9$@$@$G$G !)!2!2!6!6x||!D"+f"4(2V(; U1X//3u~3FF(q2!$'"48 /5#D) %d+&+D1-d.@.@A%'"4(=#H#HH-d.@.@A%'!=#M#MM!=#J#JJ&(3 (J(JMLhLh'i#jj""odll&CC"$T%7%783 (J(JMLkLk'l#mm++&&/$,,*GG&(););<(););<#%(*#78J8J#K #/4Dt4K#%*m.L.LLK#3}7^7^#^ $ @ @ YEY '8 !18<$3D !%(?%C "==&F V $"#9:N7GDN!$X/A!B 44"F V $12J' !&(+Jvw4ON&!  fg.4(()A---(+%002:d '*[F eOF f-$))+C AvF 3a78 FE2B;#f+-C14!'st t/D/D Da}rJcttd}tj|j|}t |t |S)a Returns the number of bytes of decrypted data stored in the Secure Transport read buffer. This amount of data can be read from SSLRead() without calling self._socket.recv(). :return: An integer - the number of available bytes r)rrSSLGetBufferedReadSizerr r)rinum_bytes_pointerr1s rtrzTLSSocket._os_buffered_sizesC *500  ! !    &''rJc,|jtS)z Reads a line from the socket, including the line ending of "\r\n", "\r", or "\n" :return: A byte string of the next line from the socket )r _line_regexris rt read_linezTLSSocket.read_lines{++rJchd}|}|dkDr(||j|z }|t|z }|dkDr(|S)z Reads exactly the specified number of bytes from the socket :param num_bytes: An integer - the exact number of bytes to read :return: A byte string of the data that was read rJr)rrS)ri num_bytesry remainings rt read_exactlyzTLSSocket.read_exactlysF !m dii * *F!CK/I!m rJc|j|jttd}t |}|rt |}tj |j|||}|j|j}d|_|t|tt|}||d}t |}|dkDr|j|ryy)a Writes data to the TLS-wrapped socket :param data: A byte string to write to the socket :raises: socket.socket - when a non-TLS socket error occurs oscrypto.errors.TLSError - when a TLS-related error occurs oscrypto.errors.TLSDisconnectError - when the connection disconnects oscrypto.errors.TLSGracefulDisconnectError - when the remote end gracefully closed the connection ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library Nrr) rr~rrrSrSSLWriterer r(r select_write)rirmrdata_len write_bufferr1rI bytes_writtens rtwritezTLSSocket.writes"  (    *5t9,T2L&&%%! F * OO "& VX .!"34M 'D4yH!|!!#%rJcltjg|jgg|\}}}t|dkDS)aw Blocks until the socket is ready to be written to, or the timeout is hit :param timeout: A float - the period of time to wait for the socket to be ready to written to. None for no time limit. :return: A boolean - if the socket is ready for writing. Will only be False if timeout is not None. r)rTrQrS)rirlro write_readys rtrzTLSSocket.select_writes5#MM"t||nb'J;;!##rJc|jytj|j}tdkr+tj|j}t |n*t j|j}t|d|_|rd|_ |jjtjy#tj$rYywxYw)z Shuts down the TLS session and then shuts down the underlying socket :param manual: A boolean if the connection was manually shutdown NrT)rrSSLCloser r&r r rr _local_closedrQshutdownrU SHUT_RDWRrV)rimanualr1s rtrzTLSSocket._shutdown s  ( ""4#8#89 g %//0E0EFF V $#--d.C.CDF F # $ !%D   LL ! !'"3"3 4    s)CCCc&|jdy)zV Shuts down the TLS session and then shuts down the underlying socket TN)rrs rtrzTLSSocket.shutdown(s trJc |j|jr" |jjd|_|j t vrt |j =yy#tj$rYAwxYw#|jr< |jjn#tj$rYnwxYwd|_|j t vrt |j =wwxYw)zN Shuts down the TLS session and socket and forcibly closes it N)rrQr'rUrVrrPrs rtr'zTLSSocket.close/s 6 MMO||LL&&( $ ""l2 !4!453  ||LL&&( # ""l2 !4!453s@A>A%%A;:A;> C, B'&C,'B=:C,<B==/C,cVd}d}d} ttd}tj|j|}t |t |}tj |}g|_td|D]}tj||}tj|}tj|}tj|}t|d}t!j"|} |dk(r| |_|jj'|  |r tj|}t||r!tj|}t|yy#|r tj|}t||r!tj|}t|wwxYw)zh Reads end-entity and intermediate certificate information from the TLS session Nrr)rrrrr r SecTrustGetCertificateCount_intermediatesrangeSecTrustGetCertificateAtIndexSecCertificateCopyDatarcf_data_to_bytesr rr rload _certificater) rir/ cf_data_refr1rK number_certsindexr cert_datarcs rt_read_certificateszTLSSocket._read_certificatesBs   ( ( #Ho > ..%%!F V $01I#?? JL"$D q,/ 5&.&L&L'#'==>QR %66{C '11+>'" &++I6A:(,D%''..t4% 5*'11)<''11+>''11)<''11+>'s DE!!AF(ct|jr td|jr tdtd)zi Raises an exception describing if the local or remote end closed the connection z!The connection was already closedz$The remote end closed the connectionzThe connection was closed)rr)rr*rs rtr~zTLSSocket._raise_closedvs:   $%HI I  $ $,-ST T$%@A ArJc|j|j|j|j|jS)zu An asn1crypto.x509.Certificate object of the end-entity certificate presented by the server )rr~rrrs rt certificatezTLSSocket.certificates@  (       $  # # %   rJc|j|j|j|j|jS)zz A list of asn1crypto.x509.Certificate objects that were presented as intermediates by the server )rr~rrrrs rt intermediateszTLSSocket.intermediatess@  (       $  # # %"""rJc|jS)zg A unicode string of the IANA cipher suite name of the negotiated cipher suite )r!rs rtrAzTLSSocket.cipher_suites!!!rJc|jS)zM A unicode string of: "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3" )rrs rtrzTLSSocket.protocol ~~rJc|jS)z5 A boolean if compression is enabled )r"rs rtrzTLSSocket.compressions    rJc|jSzM A unicode string of "new" or "reused" or None for no ticket )r#rs rtrzTLSSocket.session_ids rJc|jSr)r$rs rtrzTLSSocket.session_tickets ###rJc|jS)zM The oscrypto.tls.TLSSession object used for this connection )rrs rtrzTLSSocket.sessions }}rJc|jS)zN A unicode string of the TLS server domain name or IP address )rrs rtrzTLSSocket.hostnamerrJc<|jjdS)zJ An integer of the port number the socket is connected to r)rj getpeernamers rtrzTLSSocket.ports {{&&(++rJcR|j|j|jS)z9 The underlying socket.socket connection )rr~rQrs rtrjzTLSSocket.sockets&  (    ||rJc$|jyN)r'rs rt__del__zTLSSocket.__del__s  rJr)rN)5rrrrrQrrerrrrrrr!r"r#r$r^r_r|rrr classmethodrrrrrrrrrrrrrr'rr~propertyrrrArrrrrrrrjrrrJrtrCrC{sGHJILNIMLKOOMMMN11fDLf!PQ$f#(6p(& ,&)$V$ >6&2(h B ! ! # #""!!  $$,,rJ)m __future__rrrrrsysrerjrUrTrrWweakref _securityrr r r _core_foundationr r r_asn1rrrr_errorsr_ffirrrrrrrrrrrrr r!_typesr"r#r$r%_cipher_suitesr&utilr'errorsr(r)r*_tlsr+r,r-r.r/r0r1r2r3r4r5r6r7r8r9r:r;r<r= asymmetricr>keysr? version_infoxranger _pattern_typer__all__ kSSLProtocol2 kSSLProtocol3 kTLSProtocol1kTLSProtocol11kTLSProtocol12rrcompilerrWeakValueDictionaryrNrPrurarrrobjectrBrCrrJrtrsRR   RRHH % =<-MM*6$d EfGjjG  ( (  ( (  ( (++++   )  ) bjj) $"**%no.7..0 X/v045n"(M>J"8^_Md&d&NssrJ