Admin Tools
Editing file: ssl.cpython-37.pyc
B � f�� � @ s� d Z ddlZddlZddlmZ ddlmZmZ m Z ddlZddlm Z mZmZ ddlmZmZmZ ddlmZmZmZmZmZmZmZ ddlmZmZ dd lmZmZm Z m!Z! ydd lm"Z" W n e#k r� Y nX ddlm$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z- ddlm.Z.m/Z/ e j0d e1dd� ed� ej0de1dd� ed� e j0de1dd� ed� e j0de1dd� ed� ej0de1dd� ed� e j0de1dd� ed� e2j3 Z4e2_4dd� e2j5�6� D �Z7e8e2dd�Z9G dd� de �Z:ej;d k�r�dd!lm<Z<m=Z= dd"l>m>Z>m?Z?m@Z@mAZA dd#l>mBZBmCZC ddl>ZDddlEZEddlFZFddlGZGeHZId$gZJeKed%�ZLe.ZMeZNd&d'� ZOd(d)� ZPd*d+� ZQd,d-� ZRed.d/�ZSd0d1� ZTG d2d3� d3ed3d4��ZUG d5d6� d6eUe�ZVG d7d8� d8e�ZWeVjXfdddd9�d:d;�ZYe3feZd<eVjXdddddd=�d>d?�Z[eYZ\e[Z]G d@dA� dA�Z^dBdC� Z_G dDdE� dEe>�Z`e`eW_ae^eW_bddd<eZe3ddFdFdf dGdH�ZcdIdJ� ZddKZedLZfdMdN� ZgdOdP� Zhe3dfdQdR�ZidSdT� ZjdS )Ua� This module provides some more Pythonic support for SSL. Object types: SSLSocket -- subtype of socket.socket which does SSL over the socket Exceptions: SSLError -- exception raised for I/O errors Functions: cert_time_to_seconds -- convert time string used for certificate notBefore and notAfter functions to integer seconds past the Epoch (the time values returned from time.time()) fetch_server_certificate (HOST, PORT) -- fetch the certificate provided by the server running on HOST at port PORT. No validation of the certificate is performed. 
Integer constants: SSL_ERROR_ZERO_RETURN SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE SSL_ERROR_WANT_X509_LOOKUP SSL_ERROR_SYSCALL SSL_ERROR_SSL SSL_ERROR_WANT_CONNECT SSL_ERROR_EOF SSL_ERROR_INVALID_ERROR_CODE The following group define certificate requirements that one side is allowing/requiring from the other side: CERT_NONE - no certificates from the other side are required (or will be looked at if provided) CERT_OPTIONAL - certificates are not required, but if provided will be validated, and if validation fails, the connection will also fail CERT_REQUIRED - certificates are required, and will be validated, and if validation fails, the connection will also fail The following constants identify various SSL protocol variants: PROTOCOL_SSLv2 PROTOCOL_SSLv3 PROTOCOL_SSLv23 PROTOCOL_TLS PROTOCOL_TLS_CLIENT PROTOCOL_TLS_SERVER PROTOCOL_TLSv1 PROTOCOL_TLSv1_1 PROTOCOL_TLSv1_2 The following constants identify various SSL alert message descriptions as per http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 ALERT_DESCRIPTION_CLOSE_NOTIFY ALERT_DESCRIPTION_UNEXPECTED_MESSAGE ALERT_DESCRIPTION_BAD_RECORD_MAC ALERT_DESCRIPTION_RECORD_OVERFLOW ALERT_DESCRIPTION_DECOMPRESSION_FAILURE ALERT_DESCRIPTION_HANDSHAKE_FAILURE ALERT_DESCRIPTION_BAD_CERTIFICATE ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE ALERT_DESCRIPTION_CERTIFICATE_REVOKED ALERT_DESCRIPTION_CERTIFICATE_EXPIRED ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN ALERT_DESCRIPTION_ILLEGAL_PARAMETER ALERT_DESCRIPTION_UNKNOWN_CA ALERT_DESCRIPTION_ACCESS_DENIED ALERT_DESCRIPTION_DECODE_ERROR ALERT_DESCRIPTION_DECRYPT_ERROR ALERT_DESCRIPTION_PROTOCOL_VERSION ALERT_DESCRIPTION_INSUFFICIENT_SECURITY ALERT_DESCRIPTION_INTERNAL_ERROR ALERT_DESCRIPTION_USER_CANCELLED ALERT_DESCRIPTION_NO_RENEGOTIATION ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE ALERT_DESCRIPTION_UNRECOGNIZED_NAME ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE 
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY � N)� namedtuple)�Enum�IntEnum�IntFlag)�OPENSSL_VERSION_NUMBER�OPENSSL_VERSION_INFO�OPENSSL_VERSION)�_SSLContext� MemoryBIO� SSLSession)�SSLError�SSLZeroReturnError�SSLWantReadError�SSLWantWriteError�SSLSyscallError�SSLEOFError�SSLCertVerificationError)�txt2obj�nid2obj)�RAND_status�RAND_add� RAND_bytes�RAND_pseudo_bytes)�RAND_egd) �HAS_SNI�HAS_ECDH�HAS_NPN�HAS_ALPN� HAS_SSLv2� HAS_SSLv3� HAS_TLSv1�HAS_TLSv1_1�HAS_TLSv1_2�HAS_TLSv1_3)�_DEFAULT_CIPHERS�_OPENSSL_API_VERSION� _SSLMethodc C s | � d�o| dkS )NZ PROTOCOL_�PROTOCOL_SSLv23)� startswith)�name� r* �(/opt/alt/python37/lib64/python3.7/ssl.py�<lambda>| � r, )�source�Optionsc C s | � d�S )NZOP_)r( )r) r* r* r+ r, � r- ZAlertDescriptionc C s | � d�S )NZALERT_DESCRIPTION_)r( )r) r* r* r+ r, � r- ZSSLErrorNumberc C s | � d�S )NZ SSL_ERROR_)r( )r) r* r* r+ r, � r- �VerifyFlagsc C s | � d�S )NZVERIFY_)r( )r) r* r* r+ r, � r- � VerifyModec C s | � d�S )NZCERT_)r( )r) r* r* r+ r, � r- c C s i | ]\}}||�qS r* r* )�.0r) �valuer* r* r+ � <dictcomp>� s r4 ZPROTOCOL_SSLv2c @ s6 e Zd ZejZejZejZ ej ZejZ ejZejZdS )� TLSVersionN)�__name__� __module__�__qualname__�_sslZPROTO_MINIMUM_SUPPORTEDZMINIMUM_SUPPORTEDZPROTO_SSLv3�SSLv3ZPROTO_TLSv1ZTLSv1Z PROTO_TLSv1_1ZTLSv1_1Z PROTO_TLSv1_2ZTLSv1_2Z PROTO_TLSv1_3ZTLSv1_3ZPROTO_MAXIMUM_SUPPORTEDZMAXIMUM_SUPPORTEDr* r* r* r+ r5 � s r5 �win32)�enum_certificates� enum_crls)�socket�AF_INET�SOCK_STREAM�create_connection)� SOL_SOCKET�SO_TYPEz tls-unique�HOSTFLAG_NEVER_CHECK_SUBJECTc C s� | sdS | � d�}|s&| �� |�� kS |dkr<td�| ���| �d�\}}}d|krbtd�| ���|sttd�| ���|dkr�td�| ���|�d�\}}}|r�|s�dS |�� |�� kS ) a� Matching according to RFC 6125, section 6.4.3 - Hostnames are compared lower case. - For IDNA, both dn and hostname must be encoded as IDN A-label (ACE). - Partial wildcards like 'www*.example.org', multiple wildcards, sole wildcard or wildcards in labels other then the left-most label are not supported and a CertificateError is raised. 
- A wildcard must match at least one character. F�*� z1too many wildcards in certificate DNS name: {!r}.�.z9wildcard can only be present in the leftmost label: {!r}.z>sole wildcard without additional labels are not support: {!r}.z<partial wildcards in leftmost label are not supported: {!r}.)�count�lower�CertificateError�format� partition)Zdn�hostnameZ wildcardsZdn_leftmost�sepZdn_remainderZhostname_leftmostZhostname_remainderr* r* r+ �_dnsname_match� s2 rO c C s� yt �| �}W n tk r" Y n"X t �|�| kr6|S td�| ���yt �t j| �S tk rt td�| ���Y n tk r� Y nX td�| ���dS )z�Try to convert an IP address to packed binary form Supports IPv4 addresses on all platforms and IPv6 on platforms with IPv6 support. z'{!r} is not a quad-dotted IPv4 address.z+{!r} is neither an IPv4 nor an IP6 address.z{!r} is not an IPv4 address.N) �_socketZ inet_aton�OSErrorZ inet_ntoa� ValueErrorrK Z inet_ptonZAF_INET6�AttributeError)Zipname�addrr* r* r+ �_inet_paton� s rU c C s t | �� �}||kS )z�Exact matching of IP addresses. RFC 6125 explicitly doesn't define an algorithm for this (section 1.7.2 - "Out of Scope"). )rU �rstrip)Zcert_ipaddress�host_ipZipr* r* r+ �_ipaddress_match s rX c C sN | st d��yt|�}W n t k r0 d}Y nX g }| �dd�}xb|D ]Z\}}|dkrz|dkrnt||�rndS |�|� qH|dkrH|dk r�t||�r�dS |�|� qHW |s�xF| �dd�D ]6}x0|D ](\}}|dkr�t||�r�dS |�|� q�W q�W t|�d k�rtd |d�t t |��f ��n,t|�d k�rBtd||d f ��ntd��dS )a� Verify that *cert* (in decoded format as returned by SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 rules are followed. The function matches IP addresses rather than dNSNames if hostname is a valid ipaddress string. IPv4 addresses are supported on all platforms. IPv6 addresses are supported on platforms with IPv6 support (AF_INET6 and inet_pton). CertificateError is raised on failure. On success, the function returns nothing. 
ztempty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIREDNZsubjectAltNamer* ZDNSz IP AddressZsubjectZ commonNamerF z&hostname %r doesn't match either of %sz, zhostname %r doesn't match %rr z=no appropriate commonName or subjectAltName fields were found)rR rU �getrO �appendrX �lenrJ �join�map�repr)�certrM rW ZdnsnamesZsan�keyr3 �subr* r* r+ �match_hostname s>