B ` C@sddlmZddlZddlZddlZddlZddlmZmZddl m Z m Z m Z ddl mZmZmZmZddlmZdd lmZmZdZdZd Zd Zd Zd gZe e e d Zd dZeedeZ yddl!Z!ddl!m"Z"m#Z#Wne$k rYnXyddl!mZWne$k rYnXyddl%mZWne$k r>YnXyddl!m&Z&e&Z'WnJe$k ryddl!m'Z&e&Z'Wne$k rdZ'Z&YnXYnXyddl!m(Z(Wne$k re&Z(YnXyddl!m)Z)m*Z*m+Z+Wn"e$k rd\Z*Z+dZ)YnXyddl!m,Z,Wne$k r2dZ,YnXd-ddddd d!d"d#d$d%d&d'd(d)gZ.ydd*l!mZWn&e$k rGd+d,d,e/ZYnXd-d.Z0d/d0Z1d1d2Z2d=d3d4Z3d>d5d6Z4d7d8Z5d9d:Z6d?d;d<Z7dS)@)absolute_importN)hexlify unhexlify)md5sha1sha256)InsecurePlatformWarningProxySchemeUnsupportedSNIMissingWarningSSLError)six)BRACELESS_IPV6_ADDRZ_REIPV4_REFzhttp/1.1) (@cCsHtt|t|}x*tt|t|D]\}}|||AO}q(W|dkS)z Compare two digests of equal length in constant time. The digests must be of type str/bytes. Returns True if the digests match, and False otherwise. r)abslenzip bytearray)abresultleftrightrB/opt/alt/python37/lib/python3.7/site-packages/urllib3/util/ssl_.py_const_compare_digest_backportsrZcompare_digest) CERT_REQUIRED wrap_socket)HAS_SNI) SSLTransport) PROTOCOL_TLS)PROTOCOL_SSLv23)PROTOCOL_TLS_CLIENT)OP_NO_COMPRESSION OP_NO_SSLv2 OP_NO_SSLv3)iii) OP_NO_TICKETi@:z ECDHE+AESGCMzECDHE+CHACHA20z DHE+AESGCMz DHE+CHACHA20z ECDH+AESGCMz DH+AESGCMzECDH+AESzDH+AESz RSA+AESGCMzRSA+AESz!aNULLz!eNULLz!MD5z!DSS) SSLContextc@s8eZdZddZddZd ddZdd Zdd d ZdS)r,cCs6||_d|_tj|_d|_d|_d|_d|_d|_ dS)NFr) protocolcheck_hostnamesslZ CERT_NONE verify_modeca_certsoptionscertfilekeyfileciphers)selfZprotocol_versionrrr__init__szSSLContext.__init__cCs||_||_dS)N)r3r4)r6r3r4rrrload_cert_chainszSSLContext.load_cert_chainNcCs*||_|dk rtd|dk r&tddS)Nz-CA directories not supported in older Pythonsz&CA data not supported in older Pythons)r1r )r6ZcafileZcapathZcadatarrrload_verify_locationss z SSLContext.load_verify_locationscCs ||_dS)N)r5)r6Z cipher_suiterrr set_ciphersszSSLContext.set_ciphersFcCs>tdt|j|j|j|j|j|d}t|fd|j i|S)Na2A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings)r4r3r1 cert_reqs ssl_version server_sider5) warningswarnr r4r3r1r0r-r!r5)r6socketserver_hostnamer=kwargsrrrr!szSSLContext.wrap_socket)NNN)NF)__name__ __module__ __qualname__r7r8r9r:r!rrrrr,s   r,cCsn|dd}t|}t|}|s4td|t|}|| }t ||sjtd|t |dS)z Checks if given fingerprint matches the supplied certificate. :param cert: Certificate as bytes object. :param fingerprint: Fingerprint as string of hexdigits, can be interspersed by colons. r+z"Fingerprint of invalid length: {0}z6Fingerprints did not match. Expected "{0}", got "{1}".N) replacelowerr HASHFUNC_MAPgetr formatrencodedigest_const_compare_digestr)ZcertZ fingerprintZ digest_lengthZhashfuncZfingerprint_bytesZ cert_digestrrrassert_fingerprints     rOcCs@|dkr tSt|tr.disable_check_hostnamekeylog_filenameZ SSLKEYLOGFILE)r$r&r,r:DEFAULT_CIPHERSr/r r(r)r'r*r2sys version_inforRrZr0hasattrosenvironrJr])r<r;r2r5r\Z sslkeylogfiler)r[rcreate_urllib3_contexts6%    rdc  Cs\|} | dkrt|||d} |s&| s&| rjy| || | Wqttfk rf}z t|Wdd}~XYqXn|dkrt| dr| |r| dkrt|rtd|r| dkr| ||n| ||| yt| dr| t Wnt k rYnX|ot | }|rt pto|}t s4|r4tdt|rLt|| | |d}n t|| | }|S)a All arguments except for server_hostname, ssl_context, and ca_cert_dir have the same meaning as they do when using :func:`ssl.wrap_socket`. :param server_hostname: When SNI is supported, the expected hostname of the certificate :param ssl_context: A pre-made :class:`SSLContext` object. If none is provided, one will be created using :func:`create_urllib3_context`. :param ciphers: A string of ciphers we wish the client to support. :param ca_cert_dir: A directory containing CA certificates in multiple separate files, as supported by OpenSSL's -CApath flag or the capath argument to SSLContext.load_verify_locations(). :param key_password: Optional password if the keyfile is encrypted. :param ca_cert_data: Optional string containing CA certificates in PEM format suitable for passing as the cadata parameter to SSLContext.load_verify_locations() :param tls_in_tls: Use SSLTransport to wrap the existing socket. N)r5load_default_certsz5Client private key is encrypted, password is requiredset_alpn_protocolsaAn HTTPS request has been made, but the SNI (Server Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings)rA)rdr9IOErrorOSErrorr rare_is_key_file_encryptedr8rfALPN_PROTOCOLSNotImplementedError is_ipaddressr"IS_SECURETRANSPORTr>r?r _ssl_wrap_socket_impl)sockr4r3r;r1rAr<r5 ssl_contextZ ca_cert_dirZ key_passwordZ ca_cert_data tls_in_tlsr[eZuse_sni_hostnameZsend_sniZssl_sockrrrssl_wrap_socketcsB&      rscCs2tjst|tr|d}tt|p.t|S)zDetects whether the hostname given is an IPv4 or IPv6 address. Also detects IPv6 addresses with Zone IDs. :param str hostname: Hostname to examine. :return: True if the hostname is an IP address, False otherwise. ascii) r PY2rPbytesdecodeboolrmatchr)hostnamerrrrls rlc Cs4t|d }x|D]}d|krdSqWWdQRXdS)z*Detects if a key file is encrypted or not.rZ ENCRYPTEDTNF)open)Zkey_fileflinerrrris   ricCsF|r&tstdt|t|||S|r8|j||dS||SdS)Nz0TLS in TLS requires support for the 'ssl' module)rA)r#r Z$_validate_ssl_context_for_tls_in_tlsr!)rorprqrArrrrns  rn)NNNN) NNNNNNNNNNNF)N)8 __future__rZhmacrbr_r>binasciirrhashlibrrr exceptionsr r r r packagesr urlrrr,r#r"Z IS_PYOPENSSLrmrjrIrrRrNr/r r! ImportErrorZ ssltransportr$r%r&r'r(r)r*joinr^objectrOrUrVrdrsrlrirnrrrrs         1 j Y