bac@@sLdZddlmZddlZddlmZddlmZ ddl m Z yddl m Z Wn'ek rdefd YZ nXdd lmZdd lmZdd lmZydd lmZWn'ek rdZddlmZnXddlZddlZddlZddlmZddlm Z ddl!m"Z"ddgZ#e$Z%iej&j'ej(6ej&j'e"6ej&j)ej*6Z+e,edre,ej&drej&j-e+ej.ej?j@ZAejBeCZDdZEdZFdZGd ZHd!ZId"eJfd#YZKerd$d%ZLneZLeLeK_Ld&eJfd'YZMd(ZNdS()s TLS with SNI_-support for Python 2. Follow these instructions if you would like to verify TLS certificates in Python 2. Note, the default libraries do *not* do certificate checking; you need to do additional work to validate certificates yourself. This needs the following packages installed: * `pyOpenSSL`_ (tested with 16.0.0) * `cryptography`_ (minimum 1.3.4, from pyopenssl) * `idna`_ (minimum 2.0, from cryptography) However, pyopenssl depends on cryptography, which depends on idna, so while we use all three directly here we end up having relatively few packages required. You can install them with the following command: .. code-block:: bash $ python -m pip install pyopenssl cryptography idna To activate certificate checking, call :func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code before you begin making HTTP requests. This can be done in a ``sitecustomize`` module, or at any other time before your application begins using ``urllib3``, like this: .. code-block:: python try: import urllib3.contrib.pyopenssl urllib3.contrib.pyopenssl.inject_into_urllib3() except ImportError: pass Now you can use :mod:`urllib3` as you normally would, and it will support SNI when the required modules are installed. Activating this module also has the positive side effect of disabling SSL/TLS compression in Python 2 (see `CRIME attack`_). .. _sni: https://en.wikipedia.org/wiki/Server_Name_Indication .. _crime attack: https://en.wikipedia.org/wiki/CRIME_(security_exploit) .. _pyopenssl: https://www.pyopenssl.org .. _cryptography: https://cryptography.io .. _idna: https://github.com/kjd/idna i(tabsolute_importN(tx509(tbackend(t _Certificate(tUnsupportedExtensionRcB@seZRS((t__name__t __module__(((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyR;s(tBytesIO(terror(ttimeout(t _fileobjecti(tbackport_makefile(tutil(tsix(tPROTOCOL_TLS_CLIENTtinject_into_urllib3textract_from_urllib3tPROTOCOL_SSLv3t SSLv3_METHODtPROTOCOL_TLSv1_1tTLSv1_1_METHODtPROTOCOL_TLSv1_2tTLSv1_2_METHODcc@s!|]\}}||fVqdS(N((t.0tktv((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pys msi@cC@sJttt_ttj_tt_ttj_tt_ttj_dS(s7Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.N(t_validate_dependencies_mettPyOpenSSLContextR t SSLContexttssl_tHAS_SNItTruet IS_PYOPENSSL(((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRys     cC@sCtt_ttj_tt_ttj_tt_ttj_dS(s4Undo monkey-patching by :func:`inject_into_urllib3`.N(torig_util_SSLContextR RRtorig_util_HAS_SNIRtFalseR (((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRs      cC@s{ddlm}t|dddkr7tdnddlm}|}t|dddkrwtdndS( s{ Verifies that PyOpenSSL's package-level dependencies have been met. Throws `ImportError` if they are not met. i(t Extensionstget_extension_for_classsX'cryptography' module missing required functionality. Try upgrading to v1.3.4 or newer.(tX509t_x509sS'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.N(tcryptography.x509.extensionsR$tgetattrtNonet ImportErrortOpenSSL.cryptoR&(R$R&R((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRs  cC@sZd}d|kr|S||}|dkr5dStjdkrV|jd}n|S(s% Converts a dNSName SubjectAlternativeName field to the form used by the standard library on the given Python version. Cryptography produces a dNSName as a unicode string that was idna-decoded from ASCII bytes. We need to idna-encode that string to get it back, and then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8). If the name cannot be idna-encoded then we return None signalling that the name given should be skipped. cS@sddl}yaxMddgD]?}|j|r|t|}|jd|j|SqW|j|SWn|jjk rdSXdS(s Borrowed wholesale from the Python Cryptography Project. It turns out that we can't just safely call `idna.encode`: it can explode for wildcard names. This avoids that problem. iNu*.u.tascii(tidnat startswithtlentencodetcoret IDNAErrorR*(tnameR.tprefix((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt idna_encodes t:iisutf-8N(ii(R*tsyst version_infotdecode(R4R6((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt_dnsname_to_stdlibs    cC@st|dr|j}ntt|j}y|jjtjj }WnJtj k rcgStj t tj tfk r}tjd|gSXgtt|jtjD]}|dk rd|f^q}|jd|jtjD|S(sU Given an PyOpenSSL certificate, provides all the subject alternative names. tto_cryptographysA problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was %stDNScs@s!|]}dt|fVqdS(s IP AddressN(tstr(RR4((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pys sN(thasattrR<Rtopenssl_backendR't extensionsR%RtSubjectAlternativeNametvaluetExtensionNotFoundtDuplicateExtensionRtUnsupportedGeneralNameTypet UnicodeErrortlogtwarningtmapR;tget_values_for_typetDNSNameR*textendt IPAddress(t peer_certtcerttextteR4tnames((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pytget_subj_alt_names.  t WrappedSocketcB@seZdZedZdZdZdZdZdZ dZ dZ d Z d Z ed Zd Zd ZdZRS(sAPI-compatibility wrapper for Python OpenSSL's Connection-class. Note: _makefile_refs, _drop() and _reuse() are needed for the garbage collector of pypy. cC@s1||_||_||_d|_t|_dS(Ni(t connectiontsockettsuppress_ragged_eofst_makefile_refsR#t_closed(tselfRVRWRX((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt__init__s     cC@s |jjS(N(RWtfileno(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyR]scC@s;|jdkr!|jd8_n|jr7|jndS(Nii(RYRZtclose(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt_decref_socketioss cO@s!y|jj||}Wntjjk rb}|jrM|jdkrMdStt|ntjj k r|jj tjj krdSntjj k rt j|j|jjstdq|j||Sn0tjjk r}tjd|nX|SdS(NisUnexpected EOFtsThe read operation timed outsread error: %r(isUnexpected EOF(RVtrecvtOpenSSLtSSLt SysCallErrorRXtargst SocketErrorR>tZeroReturnErrort get_shutdowntRECEIVED_SHUTDOWNt WantReadErrorR t wait_for_readRWt gettimeoutR tErrortssltSSLError(R[RetkwargstdataRR((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRa$s"cO@sy|jj||SWntjjk r`}|jrK|jdkrKdStt|ntjj k r|jj tjj krdSntjj k rt j|j|jjstdq|j||Sn,tjjk r}tjd|nXdS(NisUnexpected EOFisThe read operation timed outsread error: %r(isUnexpected EOF(RVt recv_intoRbRcRdRXReRfR>RgRhRiRjR RkRWRlR RmRnRo(R[ReRpRR((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRr=s cC@s|jj|S(N(RWt settimeout(R[R ((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRsTscC@sxtry|jj|SWqtjjk rctj|j|jj st qqqtjj k r}t t |qXqWdS(N(RRVtsendRbRctWantWriteErrorR twait_for_writeRWRlR RdRfR>(R[RqRR((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt_send_until_doneWs  cC@sGd}x:|t|krB|j|||t!}||7}q WdS(Ni(R0RwtSSL_WRITE_BLOCKSIZE(R[Rqt total_senttsent((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pytsendallbs cC@s|jjdS(N(RVtshutdown(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyR|jscC@sZ|jdkrGyt|_|jjSWqVtjjk rCdSXn|jd8_dS(Ni(RYRRZRVR^RbRcRm(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyR^ns cC@se|jj}|s|S|r8tjjtjj|Sid|jjfffd6t|d6S(Nt commonNametsubjecttsubjectAltName( RVtget_peer_certificateRbtcryptotdump_certificatet FILETYPE_ASN1t get_subjecttCNRT(R[t binary_formR((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt getpeercertxscC@s |jjS(N(RVtget_protocol_version_name(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pytversionscC@s|jd7_dS(Ni(RY(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt_reusescC@s/|jdkr|jn|jd8_dS(Ni(RYR^(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt_drops (RRt__doc__RR\R]R_RaRrRsRwR{R|R^R#RRRR(((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRU s           icC@s%|jd7_t|||dtS(NiR^(RYR R(R[tmodetbufsize((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pytmakefilesRcB@seZdZdZedZejdZedZejdZdZdZ d d d dZ d d d Z d Z eeed d ZRS( s I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible for translating the interface of the standard library ``SSLContext`` object to calls into PyOpenSSL. cC@s;t||_tjj|j|_d|_t|_dS(Ni( t_openssl_versionstprotocolRbRctContextt_ctxt_optionsR#tcheck_hostname(R[R((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyR\s  cC@s|jS(N(R(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pytoptionsscC@s||_|jj|dS(N(RRt set_options(R[RC((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRs cC@st|jjS(N(t_openssl_to_stdlib_verifyRtget_verify_mode(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt verify_modescC@s|jjt|tdS(N(Rt set_verifyt_stdlib_to_openssl_verifyt_verify_callback(R[RC((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRscC@s|jjdS(N(Rtset_default_verify_paths(R[((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRscC@s8t|tjr$|jd}n|jj|dS(Nsutf-8(t isinstanceR t text_typeR1Rtset_cipher_list(R[tciphers((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt set_ciphersscC@s|dk r|jd}n|dk r<|jd}ny<|jj|||dk rw|jjt|nWn,tjjk r}tj d|nXdS(Nsutf-8s'unable to load trusted certificates: %r( R*R1Rtload_verify_locationsRRbRcRmRnRo(R[tcafiletcapathtcadataRR((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRs   c@sv|jj|dk r\ttjs@jdn|jjfdn|jj|pn|dS(Nsutf-8c@sS(N((t_(tpassword(s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyts( Rtuse_certificate_chain_fileR*RR t binary_typeR1t set_passwd_cbtuse_privatekey_file(R[tcertfiletkeyfileR((Rs:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pytload_cert_chains  cC@s2g|D]}tj|^q}|jj|S(N(R t ensure_binaryRtset_alpn_protos(R[t protocolstp((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pytset_alpn_protocolss"cC@stjj|j|}t|tjr<|jd}n|dk rX|j |n|j xt ry|j Wnltjj k rtj||jsetdqeqen,tjjk r}tjd|nXPqeWt||S(Nsutf-8sselect timed outsbad handshake: %r(RbRct ConnectionRRR RR1R*tset_tlsext_host_nametset_connect_stateRt do_handshakeRjR RkRlR RmRnRoRU(R[tsockt server_sidetdo_handshake_on_connectRXtserver_hostnametcnxRR((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt wrap_sockets"   N(RRRR\tpropertyRtsetterRRRR*RRRR#RR(((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRs     cC@s |dkS(Ni((RRterr_not err_deptht return_code((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyRs(ORt __future__Rt OpenSSL.SSLRbt cryptographyRt$cryptography.hazmat.backends.opensslRR@t)cryptography.hazmat.backends.openssl.x509Rtcryptography.x509RR+t ExceptiontioRRWRRfR R R*tpackages.backports.makefileR tloggingRnR8R`R tpackagesR t util.ssl_Rt__all__RRRct SSLv23_METHODt PROTOCOL_TLSt TLSv1_METHODtPROTOCOL_TLSv1RR?RRRRRRt VERIFY_NONEt CERT_NONEt VERIFY_PEERt CERT_OPTIONALtVERIFY_FAIL_IF_NO_PEER_CERTt CERT_REQUIREDRtdicttitemsRRxR"RRR!t getLoggerRRHRRRR;RTtobjectRURRR(((s:/usr/lib/fence-agents/bundled/urllib3/contrib/pyopenssl.pyt/sr        !!!     + 6 ^