ReBDdZddlmZddlZddlmZddlmZ ddl m Z  ddl m Z n#e$rGdd eZ YnwxYwdd lmZdd lmZdd lmZ dd lmZn#e$r dZddlmZYnwxYwddlZddlZddlZddlmZddlmZddl m!Z!ddgZ"dZ#ej$ej%j&e!ej%j&ej'ej%j(iZ)e*edr%e*ej%drej%j+e)ej,<e*edr%e*ej%drej%j-e)ej.<e*edr%e*ej%drej%j/e)ej0<ej1ej%j2ej3ej%j4ej5ej%j4ej%j6ziZ7e8de79DZ:dZ;ej#ZZ?ej@eAZBdZCdZDd ZEd!ZFd"ZGGd#d$eHZIerd*d&ZJneZJeJeI_JGd'd(eHZKd)ZLdS)+a TLS with SNI_-support for Python 2. Follow these instructions if you would like to verify TLS certificates in Python 2. Note, the default libraries do *not* do certificate checking; you need to do additional work to validate certificates yourself. This needs the following packages installed: * `pyOpenSSL`_ (tested with 16.0.0) * `cryptography`_ (minimum 1.3.4, from pyopenssl) * `idna`_ (minimum 2.0, from cryptography) However, pyopenssl depends on cryptography, which depends on idna, so while we use all three directly here we end up having relatively few packages required. You can install them with the following command: .. code-block:: bash $ python -m pip install pyopenssl cryptography idna To activate certificate checking, call :func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code before you begin making HTTP requests. This can be done in a ``sitecustomize`` module, or at any other time before your application begins using ``urllib3``, like this: .. code-block:: python try: import pip._vendor.urllib3.contrib.pyopenssl as pyopenssl pyopenssl.inject_into_urllib3() except ImportError: pass Now you can use :mod:`urllib3` as you normally would, and it will support SNI when the required modules are installed. Activating this module also has the positive side effect of disabling SSL/TLS compression in Python 2 (see `CRIME attack`_). .. _sni: https://en.wikipedia.org/wiki/Server_Name_Indication .. _crime attack: https://en.wikipedia.org/wiki/CRIME_(security_exploit) .. _pyopenssl: https://www.pyopenssl.org .. _cryptography: https://cryptography.io .. _idna: https://github.com/kjd/idna )absolute_importN)x509)backend) _Certificate)UnsupportedExtensionceZdZdS)rN)__name__ __module__ __qualname__/builddir/build/BUILDROOT/alt-python311-pip-21.3.1-3.el8.x86_64/opt/alt/python311/lib/python3.11/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.pyrr;s r r)BytesIO)error)timeout) _fileobject)backport_makefile)util)six)PROTOCOL_TLS_CLIENTinject_into_urllib3extract_from_urllib3TPROTOCOL_SSLv3 SSLv3_METHODPROTOCOL_TLSv1_1TLSv1_1_METHODPROTOCOL_TLSv1_2TLSv1_2_METHODc#$K|] \}}||fV dSNr ).0kvs r r%ms* V VDAq!Q V V V V V Vr i@cttt_ttj_t t_t tj_dt_dtj_dS)z7Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.TN)_validate_dependencies_metPyOpenSSLContextr SSLContextssl_HAS_SNI IS_PYOPENSSLr r rrrysJ   &DO+DIDLDID!DIr ctt_ttj_tt_ttj_dt_dtj_dS)z4Undo monkey-patching by :func:`inject_into_urllib3`.FN)orig_util_SSLContextrr)r*orig_util_HAS_SNIr+r,r r rrrs>+DO/DI$DL)DID"DIr cddlm}t|ddtdddlm}|}t|ddtddS) z{ Verifies that PyOpenSSL's package-level dependencies have been met. Throws `ImportError` if they are not met. r) Extensionsget_extension_for_classNzX'cryptography' module missing required functionality. Try upgrading to v1.3.4 or newer.)X509_x509zS'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.)cryptography.x509.extensionsr1getattr ImportErrorOpenSSL.cryptor3)r1r3rs rr'r's 877777z4d;;C 0   $##### 466DtWd##+ /   ,+r cd}d|vr|S||}|dStjdkr|d}|S)a% Converts a dNSName SubjectAlternativeName field to the form used by the standard library on the given Python version. Cryptography produces a dNSName as a unicode string that was idna-decoded from ASCII bytes. We need to idna-encode that string to get it back, and then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8). If the name cannot be idna-encoded then we return None signalling that the name given should be skipped. c"ddlm} dD][}||rD|t|d}|d||zcS\||S#|jj$rYdSwxYw)z Borrowed wholesale from the Python Cryptography Project. It turns out that we can't just safely call `idna.encode`: it can explode for wildcard names. This avoids that problem. r)idna)z*..Nascii) pip._vendorr; startswithlenencodecore IDNAError)namer;prefixs r idna_encodez'_dnsname_to_stdlib..idna_encodes %$$$$$ ' F F??6**FF .D!==11DKK4E4EEEEEF;;t$$ $y"   44 sAA;%A;;B B:N)rutf-8)sys version_infodecode)rDrFs r_dnsname_to_stdlibrMs^$ d{{ ;t  D |t V # #{{7## Kr ct|dr|}ntt|j} |jtjj }nc#tj $rgcYStj ttj tf$r'}td|gcYd}~Sd}~wwxYwdt#t$|tjD}|d|tjD|S)zU Given an PyOpenSSL certificate, provides all the subject alternative names. to_cryptographyzA problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was %sNcg|]}|d|f S)NDNSr r"rDs r z%get_subj_alt_name..s,          r c38K|]}dt|fVdS)z IP AddressN)strrRs rr%z$get_subj_alt_name..s>&*s4yy!r )hasattrrOropenssl_backendr4 extensionsr2rSubjectAlternativeNamevalueExtensionNotFoundDuplicateExtensionrUnsupportedGeneralNameType UnicodeErrorlogwarningmaprMget_values_for_typeDNSNameextend IPAddress) peer_certcertextenamess rget_subj_alt_namerksg y+,,>((**OY_==o55d6QRRX  !   '    >      .  *C,C,CDL,Q,QRR   E  LL.1.E.Edn.U.U Ls$)A++C >&C $CC C cjeZdZdZddZdZdZdZdZdZ d Z d Z d Z d Z ddZdZdZdZdS) WrappedSocketzAPI-compatibility wrapper for Python OpenSSL's Connection-class. Note: _makefile_refs, _drop() and _reuse() are needed for the garbage collector of pypy. TcL||_||_||_d|_d|_dSNrF) connectionsocketsuppress_ragged_eofs_makefile_refs_closed)selfrprqrrs r__init__zWrappedSocket.__init__s+$ $8! r c4|jSr!)rqfilenorus rrxzWrappedSocket.filenos{!!###r cv|jdkr|xjdzc_|jr|dSdS)Nr)rsrtcloserys r_decref_socketioszWrappedSocket._decref_socketiossI   " "   1 $   <  JJLLLLL  r cr |jj|i|}|S#tjj$r9}|jr|jdkrYd}~dStt|d}~wtjj $r1|j tjj krYdStjj $rPtj|j|jst#d|j|i|cYStjj$r}t'jd|zd}~wwxYw)NzUnexpected EOFr The read operation timed outread error: %r)rprecvOpenSSLSSL SysCallErrorrrargs SocketErrorrUZeroReturnError get_shutdownRECEIVED_SHUTDOWN WantReadErrorr wait_for_readrq gettimeoutrErrorsslSSLError)rurkwargsdataris rrzWrappedSocket.recv$s` '4?'888D*K){' * * *( *QV7M-M-Msssss!#a&&))){*   ++--1NNNss{( 2 2 2%dk4;3I3I3K3KLL 2<=== ty$1&11111{  5 5 5,/!344 4 5s4D6AAAD6$A!D6D6D11D6cn |jj|i|S#tjj$r9}|jr|jdkrYd}~dStt|d}~wtjj $r1|j tjj krYdStjj $rPtj|j|jst#d|j|i|cYStjj$r}t'jd|zd}~wwxYw)Nrrrr)rp recv_intorrrrrrrrUrrrrrrrqrrrrr)rurrris rrzWrappedSocket.recv_into=sX 5,4?,d=f== ={' * * *( *QV7M-M-Mqqqqq!#a&&))){*   ++--1NNNqq{( 7 7 7%dk4;3I3I3K3KLL 7<===%t~t6v66666{  5 5 5,/!344 4 5s4D4AAAD4"A!D4D4D//D4c6|j|Sr!)rq settimeout)rurs rrzWrappedSocket.settimeoutTs{%%g...r cR |j|S#tjj$rBt j|j|jstYqtjj $r!}tt|d}~wwxYwr!) rpsendrrWantWriteErrorrwait_for_writerqrrrrrU)rurris r_send_until_donezWrappedSocket._send_until_doneWs * *++D111;-   *4; 8N8N8P8PQQ$!))O;+ * * *!#a&&))) *sAB&2B&B!!B&cd}|t|kr?||||tz}||z }|t|k=dSdSNr)r@rSSL_WRITE_BLOCKSIZE)rur total_sentsents rsendallzWrappedSocket.sendallbsk 3t99$$((Z*/B"BBCD $ J 3t99$$$$$$r c8|jdSr!)rpshutdownrys rrzWrappedSocket.shutdownjs   """""r c|jdkr< d|_|jS#tjj$rYdSwxYw|xjdzc_dS)Nr{T)rsrtrpr|rrrrys rr|zWrappedSocket.closenss   " " # ,,...;$       1 $    s-AAFc|j}|s|S|r/tjtjj|Sd|jjffft|dS)N commonName)subjectsubjectAltName) rpget_peer_certificatercryptodump_certificate FILETYPE_ASN1 get_subjectCNrk)ru binary_formrs r getpeercertzWrappedSocket.getpeercertxs3355 K  W>227>3OQUVV V'(8(8(:(:(=>@B/55   r c4|jSr!)rpget_protocol_version_namerys rversionzWrappedSocket.versions88:::r c&|xjdz c_dSNr{)rsrys r_reusezWrappedSocket._reuses q r ch|jdkr|dS|xjdzc_dSr)rsr|rys r_dropzWrappedSocket._drops;   " " JJLLLLL   1 $    r N)T)F)r r r __doc__rvrxr}rrrrrrr|rrrrr r rrmrm s $$$ 2555./// * * *###%%%     ;;;!!!%%%%%r rmrcH|xjdz c_t|||dS)Nr{T)r|)rsr)rumodebufsizes rmakefilers- q 4wd;;;;r ceZdZdZdZedZejdZedZejdZdZ dZ dd Z dd Z d Z ddZd S)r(z I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible for translating the interface of the standard library ``SSLContext`` object to calls into PyOpenSSL. ct||_tj|j|_d|_d|_dSro)_openssl_versionsprotocolrrContext_ctx_optionscheck_hostname)rurs rrvzPyOpenSSLContext.__init__s<)(3 K'' 66  #r c|jSr!)rrys roptionszPyOpenSSLContext.optionss }r cH||_|j|dSr!)rr set_optionsrurZs rrzPyOpenSSLContext.optionss%  e$$$$$r cJt|jSr!)_openssl_to_stdlib_verifyrget_verify_moderys r verify_modezPyOpenSSLContext.verify_modes()B)B)D)DEEr c\|jt|tdSr!)r set_verify_stdlib_to_openssl_verify_verify_callbackrs rrzPyOpenSSLContext.verify_modes' 6u=?OPPPPPr c8|jdSr!)rset_default_verify_pathsrys rrz)PyOpenSSLContext.set_default_verify_pathss **,,,,,r ct|tjr|d}|j|dS)NrI) isinstancer text_typerArset_cipher_list)rucipherss r set_cipherszPyOpenSSLContext.set_cipherssC gs} - - .nnW--G !!'*****r NcV||d}||d} |j|||)|jt|dSdS#tjj$r}tjd|zd}~wwxYw)NrIz'unable to load trusted certificates: %r) rArload_verify_locationsrrrrrr)rucafilecapathcadataris rrz&PyOpenSSLContext.load_verify_locationss  ]]7++F  ]]7++F N I + +FF ; ; ;! //@@@@@"!{  N N N,H1LMM M NsAA88B( B##B(c|j|Lttjsd|jfd|j|p|dS)NrIcSr!r )_passwords rz2PyOpenSSLContext.load_cert_chain..sxr )ruse_certificate_chain_filerr binary_typerA set_passwd_cbuse_privatekey_file)rucertfilekeyfilers `rload_cert_chainz PyOpenSSLContext.load_cert_chains ,,X666  h88 4#??733 I # #$7$7$7$7 8 8 8 %%g&9:::::r cNd|D}|j|S)Nc6g|]}tj|Sr )r ensure_binary)r"ps rrSz7PyOpenSSLContext.set_alpn_protocols..s#===aS&q))===r )rset_alpn_protos)ru protocolss rset_alpn_protocolsz#PyOpenSSLContext.set_alpn_protocolss+==9=== y((333r FTcLtj|j|}t |t jr|d}||||  | n~#tjj $r9tj ||stdYctjj$r}t#jd|zd}~wwxYw t'||S)NrITzselect timed outzbad handshake: %r)rr ConnectionrrrrrAset_tlsext_host_nameset_connect_state do_handshakerrrrrrrrrm)rusock server_sidedo_handshake_on_connectrrserver_hostnamecnxris r wrap_socketzPyOpenSSLContext.wrap_sockets&k$$TY55 os} 5 5 >-44W==O  &  $ $_ 5 5 5   <  """";,   )$0A0ABB6!"4555;$ < < <l#6#:;;; < S$'''sBA D#D6D  D)NNN)NN)FTTN)r r r rrvpropertyrsetterrrrrrrrr r rr(r(s  $$$ X ^%%^%FFXFQQQ---+++ N N N N;;;;444 $! ((((((r r(c|dkSrr )rrerr_no err_depth return_codes rrrs Q;r )r)Mr __future__r OpenSSL.SSLr cryptographyr$cryptography.hazmat.backends.opensslrrW)cryptography.hazmat.backends.openssl.x509rcryptography.x509rr7 Exceptioniorrqrrrrpackages.backports.makefilerloggingrrJrpackagesr util.ssl_r__all__r+ PROTOCOL_TLSr SSLv23_METHODPROTOCOL_TLSv1 TLSv1_METHODrrVrrrrrr CERT_NONE VERIFY_NONE CERT_OPTIONAL VERIFY_PEER CERT_REQUIREDVERIFY_FAIL_IF_NO_PEER_CERTrdictitemsrrr/r*r)r. getLoggerr r_rrr'rMrkobjectrmrr(rr r rr!sJ..^'&&&&&KKKKKKBBBBBB 6666666        y      ''''''@"""""""@@@K????????@ ++++++ "8 9  w{02 0  73 !!Egggk>&J&JE,3K,Dc() 73"##I =M(N(NI.5k.Hc*+ 73"##I =M(N(NI.5k.Hc*+M7;*w{.w{. k-. !D V V4M4S4S4U4U V V VVVLy+g!! " " "###   4(((V333lD%D%D%D%D%FD%D%D%N!<<<<< !H! [([([([([(v[([([(|s'==A A*)A*