Compiled Python module: /usr/lib/python3/dist-packages/urllib3/util/ssl_.py

Readable strings recovered from the bytecode, grouped by the function or class they belong to.

Names imported by the module:

    absolute_import
    hexlify, unhexlify
    md5, sha1, sha256
    InsecurePlatformWarning, ProxySchemeUnsupported, SNIMissingWarning, SSLError
    BRACELESS_IPV6_ADDRZ_RE, IPV4_RE
    CERT_REQUIRED, wrap_socket, HAS_SNI, SSLTransport
    PROTOCOL_TLS, PROTOCOL_SSLv23, PROTOCOL_TLS_CLIENT
    OP_NO_COMPRESSION, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TICKET

String constant: "http/1.1"

_const_compare_digest_backport

    Compare two digests of equal length in constant time.

    The digests must be of type str/bytes.
    Returns True if the digests match, and False otherwise.

DEFAULT_CIPHERS entries:

    ECDHE+AESGCM
    ECDHE+CHACHA20
    DHE+AESGCM
    DHE+CHACHA20
    ECDH+AESGCM
    DH+AESGCM
    ECDH+AES
    DH+AES
    RSA+AESGCM
    RSA+AES
    !aNULL
    !eNULL
    !MD5
    !DSS

SSLContext (fallback class defined when the import of SSLContext fails)

    Methods: __init__, load_cert_chain, load_verify_locations, set_ciphers, wrap_socket

    Attributes set in __init__: protocol, check_hostname, verify_mode, ca_certs, options, certfile, keyfile, ciphers

    Error messages in load_verify_locations:

        CA directories not supported in older Pythons
        CA data not supported in older Pythons

    Warning message in wrap_socket (InsecurePlatformWarning):

        A true SSLContext object is not available. This prevents urllib3 from
        configuring SSL appropriately and may cause certain SSL connections to
        fail. You can upgrade to a newer version of Python to solve this.
        For more information, see
        https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings

assert_fingerprint

    Checks if given fingerprint matches the supplied certificate.

    :param cert:
        Certificate as bytes object.
    :param fingerprint:
        Fingerprint as string of hexdigits, can be interspersed by colons.

    Error messages:

        Fingerprint of invalid length: {0}
        Fingerprints did not match. Expected "{0}", got "{1}".

resolve_cert_reqs

    Resolves the argument to a numeric constant, which can be passed to
    the wrap_socket function/method from the ssl module.
    Defaults to :data:`ssl.CERT_REQUIRED`.
    If given a string it is assumed to be the name of the constant in the
    :mod:`ssl` module or its abbreviation.
    (So you can specify `REQUIRED` instead of `CERT_REQUIRED`.
    If it's neither `None` nor a string we assume it is already the numeric
    constant which can directly be passed to wrap_socket.

    Name prefix used for the lookup: CERT_

resolve_ssl_version

    like resolve_cert_reqs

    Name prefix used for the lookup: PROTOCOL_

create_urllib3_context

    All arguments have the same meaning as ``ssl_wrap_socket``.

    By default, this function does a lot of the same work that
    ``ssl.create_default_context`` does on Python 3.4+. It:

    - Disables SSLv2, SSLv3, and compression
    - Sets a restricted set of server ciphers

    If you wish to enable SSLv3, you can do::

        from urllib3.util import ssl_
        context = ssl_.create_urllib3_context()
        context.options &= ~ssl_.OP_NO_SSLv3

    You can do the same to enable compression (substituting ``COMPRESSION``
    for ``SSLv3`` in the last line above).

    :param ssl_version:
        The desired protocol version to use. This will default to
        PROTOCOL_SSLv23 which will negotiate the highest protocol that both
        the server and your installation of OpenSSL support.
    :param cert_reqs:
        Whether to require the certificate verification. This defaults to
        ``ssl.CERT_REQUIRED``.
    :param options:
        Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``,
        ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``, and ``ssl.OP_NO_TICKET``.
    :param ciphers:
        Which cipher suites to allow the server to select.
    :returns:
        Constructed SSLContext object with specified options
    :rtype: SSLContext

    Other names referenced in this function: post_handshake_auth, check_hostname, disable_check_hostname, keylog_filename, SSLKEYLOGFILE