var/opt/nydus/ops/oscrypto/__pycache__/tls.cpython-38.pyc000064400000001031147205534330017426 0ustar00U af@sddlmZmZmZmZddlmZeZedkrDddlm Z m Z n2edksTedkrfddl m Z m Z nddl m Z m Z dd gZ d S) )unicode_literalsdivisionabsolute_importprint_function)backendmac) TLSSession TLSSocketwinZ winlegacyr r N) __future__rrrrrZ_backendZ_mac.tlsr r Z_win.tlsZ _openssl.tls__all__rr=/opt/nydus/tmp/pip-target-53d1vnqk/lib/python/oscrypto/tls.pys var/opt/nydus/ops/oscrypto/_openssl/__pycache__/tls.cpython-38.pyc000064400000064774147205722370021302 0ustar00U af@sddlmZmZmZmZddlZddlZddlZddl Z ddl Z ddl m Z m Z ddlmZmZmZmZddlmZddlmZdd lmZdd lmZmZmZmZmZdd l m!Z!m"Z"m#Z#m$Z$dd l%m&Z&m'Z'm(Z(dd l)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;ddlm?Z?ddl@mAZAejBdkr\eCZDejBdkrpejEZFnejFZFddgZGeHdZIeJdZKe jLe jMe jNe jOe jPdZQddZRGdddeSZTGdddeSZUdS))unicode_literalsdivisionabsolute_importprint_functionN)libssl LibsslConst) libcryptolibcrypto_version_infohandle_openssl_errorpeek_openssl_error)_backend_config) Certificate)pretty_message)nullbytes_from_bufferbuffer_from_bytesis_nullbuffer_pointer) type_namestr_clsbyte_cls int_types)TLSErrorTLSDisconnectErrorTLSGracefulDisconnectError)detect_client_auth_request extract_chainget_dh_params_lengthparse_session_inforaise_client_authraise_dh_paramsraise_disconnectionraise_expired_not_yet_validraise_handshakeraise_hostnameraise_no_issuerraise_protocol_errorraise_protocol_versionraise_self_signedraise_verificationraise_weak_signatureparse_tls_recordsparse_handshake_messages)load_certificater)parse_certificate)get_path)r3 TLSSession TLSSockettrust_list_paths( | | ))SSLv2SSLv3TLSv1TLSv1.1TLSv1.2cCstdkr |S|dd|dfS)a^ Takes a 3-element tuple from peek_openssl_error() and modifies it to handle the changes in OpenSSL 3.0. That release removed the concept of an error function, meaning the second item in the tuple will always be 0. :param error_tuple: A 3-element tuple of integers :return: A 3-element tuple of integers r2rr )r )Z error_tupler=F/opt/nydus/tmp/pip-target-53d1vnqk/lib/python/oscrypto/_openssl/tls.py_homogenize_openssl3_errorDsr?c@s:eZdZdZdZdZdZdZdZdZ dddZ ddZ dS) r5zj A TLS session object that multiple TLSSocket objects can share for the sake of session reuse NFc Cst|tsttdt|||_|dkr8tdddg}t|trNt|g}nt|tsjttdt|tddddg}||}|rttdt |||_ g|_ |r4|D]}t|t r|j }nbt|trt|}nNt|trt|d }t|}W5QRXnt|ts&ttd t||j |qd}z|td krPt} nt} t| }t|rttd ||_t|d t|tjtj t!t"j#tddgkrt$} | dkrt%} t"j#dkrd} nd} t&|| '| t!} n t(|} t| |rtj)ntj*} t+|| t!t,|d} t| tdg}|||j O}|D]}t|tj-t.|t!qV|j rt/|}|j D]$}t0|}t1||j2} t| qWn.t3k r|rt4|d|_YnXdS)a] :param protocol: A unicode string or set of unicode strings representing allowable protocols to negotiate with the server: - "TLSv1.2" - "TLSv1.1" - "TLSv1" - "SSLv3" Default is: {"TLSv1", "TLSv1.1", "TLSv1.2"} :param manual_validation: If certificate and certificate path validation should be skipped and left to the developer to implement :param extra_trust_roots: A list containing one or more certificates to be treated as trust roots, in one of the following formats: - A byte string of the DER encoded certificate - A unicode string of the certificate filename - An asn1crypto.x509.Certificate object - An oscrypto.asymmetric.Certificate object :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library zM manual_validation must be a boolean, not %s Nr:r;r<zu protocol must be a unicode string or set of unicode strings, not %s r9z protocol must contain only the unicode strings "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", not %s rbz extra_trust_roots must be a list of byte strings, unicode strings, asn1crypto.x509.Certificate objects or oscrypto.asymmetric.Certificate objects, not %s rrriXwin32darwinmbcsutf-8sECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHAr8)5 isinstancebool TypeErrorrr_manual_validationsetr ValueErrorrepr _protocols_extra_trust_rootsrasn1rr0openreadAsn1Certificateappendr rZ SSLv23_methodZ TLS_methodZ SSL_CTX_newrr _ssl_ctxZSSL_CTX_set_timeoutZ SSL_CTX_ctrlrZSSL_CTRL_SET_SESS_CACHE_MODEZSSL_SESS_CACHE_CLIENTrsysplatform_trust_list_pathr1ZSSL_CTX_load_verify_locationsencodeZ SSL_CTX_set_default_verify_pathsZSSL_VERIFY_NONEZSSL_VERIFY_PEERZSSL_CTX_set_verifyZSSL_CTX_set_cipher_listZSSL_CTRL_OPTIONS _PROTOCOL_MAPZSSL_CTX_get_cert_storer/ZX509_STORE_add_certx509 Exception SSL_CTX_free)selfprotocolZmanual_validationZextra_trust_rootsZvalid_protocolsZunsupported_protocolsZextra_trust_rootfZssl_ctxmethodr7Z path_encodingresult verify_modeZdisabled_protocolsZdisabled_protocolZ x509_storecert oscrypto_certr=r=r>__init__ds                      zTLSSession.__init__cCs4|jrt|jd|_|jr0t|jd|_dSN)rTrr\ _ssl_sessionSSL_SESSION_freer]r=r=r>__del__s   zTLSSession.__del__)NFN) __name__ __module__ __qualname____doc__rMZ_ciphersrIrNrTrgrerjr=r=r=r>r5Ws 3c@seZdZdZdZdZdZdZdZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZed@ddZdAdd Zd d Zd d ZddZddZdBddZddZ ddZ!ddZ"ddZ#dCddZ$ddZ%d d!Z&d"d#Z'd$d%Z(d&d'Z)e*d(d)Z+e*d*d+Z,e*d,d-Z-e*d.d/Z.e*d0d1Z/e*d2d3Z0e*d4d5Z1e*d6d7Z2e*d8d9Z3e*d:d;Z4e*dd?Z6dS)Dr6z8 A wrapper around a socket.socket that adds TLS N FcCst|tjsttdt|t|ts:ttdt||dk r^t|ts^ttdt||dd|d}||_||_ | |S)az Takes an existing socket and adds TLS :param socket: A socket.socket object to wrap with TLS :param hostname: A unicode string of the hostname or IP the socket is connected to :param session: An existing TLSSession object to allow for session reuse, specific protocol or manual certificate validation :raises: ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library zU socket must be an instance of socket.socket, not %s zK hostname must be a unicode string, not %s N` session must be an instance of oscrypto.tls.TLSSession, not %s )session) rFsocket_socketrHrrrr5_socket _hostname _handshake)clsrshostnamerqZ new_socketr=r=r>wrapSs(  zTLSSocket.wrap cCsd|_d|_|dkr$|dkr$d|_n|t|ts@ttdt|t|ts\ttdt||dk rt|t j sttdt|t ||f||_|j ||dkrt}nt|tsttdt|||_|jr||_|dS)a :param address: A unicode string of the domain name or IP address to connect to :param port: An integer of the port number to connect to :param timeout: An integer timeout to use for the socket :param session: An oscrypto.tls.TLSSession object to allow for session reuse and controlling the protocols and validation performed NzR address must be a unicode string, not %s zI port must be an integer, not %s zJ timeout must be a number, not %s rp) _raw_bytes_decrypted_bytesrtrFrrHrrrnumbersNumberrrcreate_connection settimeoutr5_sessionrurv)r]addressporttimeoutrqr=r=r>res@    zTLSSocket.__init__c# CsNd|_d|_d|_zt|jj|_t|jr>d|_tdt }t ||_t|jrdtdt ||_t|jrtdt |j|j|j|j d}t|jtjtj|t|j|jjrt|j|jjt|j|_t|j|_d}d}t|j}||7}|dkr$qt|j|}|tjkr|}|dkrx|dkr`tt|rpt t!|||7}q|tj"kr||7}q|tj#krd|_$|%d|&qt'}tj(tj)tj*f} t+| } tj(tj,tj*f} t+| } tj(tj-tj.f} t+| } || ks.|| ks.|| kr4t/t0dkrPtj(tj1tj2f} ntj(tj3tj4f} t+| } || krzt!|tj(tj1tj5f} t+| } || krt6tj(tj1tj7f}t0d kr||krt8tj(tj9tj7f}t+|}||krPd}t:|D]B\}}}|d krqt;|D]\}}|d krd}qqq|rJt t8t0dkrltj(tjtj=f}t+|}tj?tj@tjAf}t+|}||krtB|}|r|d}tC|}|jDjEtFd d gkrtG|||krtH|j}tB|}d}d}d}d}d}|rl|d}tC|}|jI}tFtjJtjKtjLg}||krT| }tFtjMtjNg} || k}|rztO||rtP||rtQ||r|jDjEtFd d gkrtG|tR|tdtSqtT||}!|!d|_U|!d|_V|!d|_W|!d|_X|!d|_Y|jVZddkrrvs                                             zTLSSocket._handshakecCs\|j}z||jd7}Wntjk r0YnX|}t|j|t|}||d|_|S)aD Reads data from the socket and writes it to the memory bio used by libssl to decrypt the data. Returns the unencrypted data for the purpose of debugging handshakes. :return: A byte string of ciphertext from the socket. Used for debugging the handshake only. roN) r|rtrecvrrrrZ BIO_writerlen)r]dataoutputZwrittenr=r=r>rs zTLSSocket._raw_readc Cst|j}|dkrdSt|j|}t|j|j|}t|j|}|}t|rd}z|j |}WnZt j k r}z:|j dks|j dkrd}ntjdkr|j dkrd}nW5d }~XYnX|rt||d }t|rF|qF|S) z Takes ciphertext from the memory bio and writes it to the socket. :return: A byte string of ciphertext going to the socket. Used for debugging the handshake only. rr{Fh TrC)N)rZBIO_ctrl_pendingrminrZBIO_readrrrrtsendrrrerrnorUrVr# select_write) r]Zdata_availableto_readrQZto_writerZraise_disconnectsenter=r=r>rs.     zTLSSocket._raw_writecCst|tsttdt|t|j}||krP|jd|}|j|d|_|S|jdkrb||dkr| ds|j}d|_|St |j ||}|j}d}|rXd}t |j|j|}||dkrFt |j|}|tjkr|dkrd}qtnH|tjkr|d}qn,|tjkrrQsX          zTLSSocket.readcCs8t|jdkrdSt|jggg|\}}}t|dkS)aZ Blocks until the socket is ready to be read from, or the timeout is hit :param timeout: A float - the period of time to wait for data to be read. None for no time limit. :return: A boolean - if data is ready to be read. Will only be False if timeout is not None. rT)rr}selectrt)r]rZ read_readyrr=r=r>rvszTLSSocket.select_readc Cst|ts&t|ts&ttdt|d}t|t}t|jdkrP|j}d|_n,|jdkrb| t |jppd}| |}t|}||7}|r| |}|dk r|}qq4td|t|d} ||| }|dkr4|t|}qq4||d|j|_|d|S)a Reads data from the socket until a marker is found. Data read includes the marker. :param marker: A byte string or regex object from re.compile(). Used to determine when to stop reading. Regex objects are more inefficient since they must scan the entire byte string of read data each time data is read off the socket. :return: A byte string of the data read, including the marker z_ marker must be a byte string or compiled regex object, not %s r{rNrorr)rFrPatternrHrrrr}rrrZ SSL_pendingrQsearchendmaxr) r]markerris_regexrroffsetmatchrstartr=r=r> read_untils8      zTLSSocket.read_untilcCs |tS)z Reads a line from the socket, including the line ending of "\r\n", "\r", or "\n" :return: A byte string of the next line from the socket )r _line_regexrir=r=r> read_lines zTLSSocket.read_linecCs0d}|}|dkr,|||7}|t|}q|S)z Reads exactly the specified number of bytes from the socket :param num_bytes: An integer - the exact number of bytes to read :return: A byte string of the data that was read r{r)rQr)r] num_bytesr remainingr=r=r> read_exactlys zTLSSocket.read_exactlycCst|}|r|jdkr|t|j||}||dkrt|j|}|tjkrl| dkrdqt nD|tj kr|qn.|tj krd|_ |d|n tdt||d}t|}qdS)a Writes data to the TLS-wrapped socket :param data: A byte string to write to the socket :raises: socket.socket - when a non-TLS socket error occurs oscrypto.errors.TLSError - when a TLS-related error occurs ValueError - when any of the parameters contain an invalid value TypeError - when any of the parameters are of the wrong type OSError - when an error is returned by the OS crypto library Nrr{TF)rrrrZ SSL_writerrrrrr#rrrrr r)r]rdata_lenrarr=r=r>writes,         zTLSSocket.writecCs&tg|jgg|\}}}t|dkS)aw Blocks until the socket is ready to be written to, or the timeout is hit :param timeout: A float - the period of time to wait for the socket to be ready to written to. None for no time limit. :return: A boolean - if the socket is ready for writing. Will only be False if timeout is not None. r)rrtr)r]rrZ write_readyr=r=r>rs zTLSSocket.select_writecCs|jdkrdSt|j}z |Wntk r:YnX|dkrFq|dkrt|j|}|tjkrz|dkrqqqq|tj kr|qqt dt q|rd|_ t |jd|_d|_d|_z|jtjWntjk rYnXdS)z Shuts down the TLS session and then shuts down the underlying socket :param manual: A boolean if the connection was manually shutdown Nrr{T)rrZ SSL_shutdownrrrrrrrr r _local_closedrrrrtshutdownrr SHUT_RDWRr)r]Zmanualrarr=r=r>rs:        zTLSSocket._shutdowncCs|ddS)zV Shuts down the TLS session and then shuts down the underlying socket TN)rrir=r=r>rQszTLSSocket.shutdowncCsFz |W5|jr@z|jWntjk r8YnXd|_XdS)zN Shuts down the TLS session and socket and forcibly closes it N)rtrrrrrrir=r=r>rXs zTLSSocket.closec Cst|j}t|rtdttdkr2t|}n t|}g|_ t d|D]}tdkrft ||}n t ||}t |t}t|}t|}t ||}t|t||} t| } |dkr| |_qL|j | qLdS)zh Reads end-entity and intermediate certificate information from the TLS session rrAN)rZSSL_get_peer_cert_chainrrr rr Zsk_numZOPENSSL_sk_num_intermediatesrangeZsk_valueZOPENSSL_sk_valuer Zi2d_X509rrrrrRload _certificaterS) r]Z stack_pointerZ number_certsindexZx509_ buffer_sizeZ cert_bufferZ cert_pointerZ cert_lengthZ cert_datarcr=r=r>_read_certificateshs*        zTLSSocket._read_certificatescCs,|jrtdn|jr tdntddS)zi Raises an exception describing if the local or remote end closed the connection z!The connection was already closedz$The remote end closed the connectionzThe connection was closedN)rrrrrir=r=r>rs   zTLSSocket._raise_closedcCs*|jdkr||jdkr$||jS)zu An asn1crypto.x509.Certificate object of the end-entity certificate presented by the server N)rrrrrir=r=r>rs   zTLSSocket.certificatecCs*|jdkr||jdkr$||jS)zz A list of asn1crypto.x509.Certificate objects that were presented as intermediates by the server N)rrrrrrir=r=r> intermediatess   zTLSSocket.intermediatescCs|jS)zg A unicode string of the IANA cipher suite name of the negotiated cipher suite )rrir=r=r>rszTLSSocket.cipher_suitecCs|jS)zM A unicode string of: "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3" )rrir=r=r>r^szTLSSocket.protocolcCs|jS)z5 A boolean if compression is enabled )rrir=r=r>rszTLSSocket.compressioncCs|jSzM A unicode string of "new" or "reused" or None for no ticket )rrir=r=r>rszTLSSocket.session_idcCs|jSr)rrir=r=r>rszTLSSocket.session_ticketcCs|jS)zM The oscrypto.tls.TLSSession object used for this connection )rrir=r=r>rqszTLSSocket.sessioncCs|jS)zN A unicode string of the TLS server domain name or IP address )rurir=r=r>rxszTLSSocket.hostnamecCs|jdS)zJ An integer of the port number the socket is connected to r)rs getpeernamerir=r=r>rszTLSSocket.portcCs|jdkr||jS)z9 The underlying socket.socket connection N)rrrtrir=r=r>rss zTLSSocket.socketcCs |dSrf)rrir=r=r>rjszTLSSocket.__del__)N)rzN)N)N)7rkrlrmrnrtrrrrrrrr|r}rurrrrrrrrr classmethodryrervrrrQrrrrrrrrrrrpropertyrrrr^rrrrqrxrrsrjr=r=r=r>r6 s 3 C'W : , 3$            )V __future__rrrrrUrersrrrr~Z_libsslrrZ _libcryptor r r r rZ_asn1rrR_errorsrZ_ffirrrrr_typesrrrrerrorsrrr_tlsrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.Z asymmetricr/keysr0Z trust_listr1 version_infoxrangerZ _pattern_typer__all__getrWcompilerZSSL_OP_NO_SSLv2ZSSL_OP_NO_SSLv3ZSSL_OP_NO_TLSv1ZSSL_OP_NO_TLSv1_1ZSSL_OP_NO_TLSv1_2rYr?objectr5r6r=r=r=r>sJ   P       J