Mercurial > repos > shellac > sam_consensus_v3

comparison env/lib/python3.9/site-packages/urllib3/util/ssl_.py @ 0:4f3585e2f14b draft default tip

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
"planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
author shellac
date Mon, 22 Mar 2021 18:12:50 +0000
parents
children
comparison
equal deleted inserted replaced
-1:000000000000 0:4f3585e2f14b
1 from __future__ import absolute_import
2
3 import hmac
4 import os
5 import sys
6 import warnings
7 from binascii import hexlify, unhexlify
8 from hashlib import md5, sha1, sha256
9
10 from ..exceptions import (
11 InsecurePlatformWarning,
12 ProxySchemeUnsupported,
13 SNIMissingWarning,
14 SSLError,
15 )
16 from ..packages import six
17 from .url import BRACELESS_IPV6_ADDRZ_RE, IPV4_RE
18
19 SSLContext = None
20 SSLTransport = None
21 HAS_SNI = False
22 IS_PYOPENSSL = False
23 IS_SECURETRANSPORT = False
24 ALPN_PROTOCOLS = ["http/1.1"]
25
26 # Maps the length of a digest to a possible hash function producing this digest
27 HASHFUNC_MAP = {32: md5, 40: sha1, 64: sha256}
28
29
30 def _const_compare_digest_backport(a, b):
31 """
32 Compare two digests of equal length in constant time.
33
34 The digests must be of type str/bytes.
35 Returns True if the digests match, and False otherwise.
36 """
37 result = abs(len(a) - len(b))
38 for left, right in zip(bytearray(a), bytearray(b)):
39 result |= left ^ right
40 return result == 0
41
42
43 _const_compare_digest = getattr(hmac, "compare_digest", _const_compare_digest_backport)
44
45 try: # Test for SSL features
46 import ssl
47 from ssl import CERT_REQUIRED, wrap_socket
48 except ImportError:
49 pass
50
51 try:
52 from ssl import HAS_SNI # Has SNI?
53 except ImportError:
54 pass
55
56 try:
57 from .ssltransport import SSLTransport
58 except ImportError:
59 pass
60
61
62 try: # Platform-specific: Python 3.6
63 from ssl import PROTOCOL_TLS
64
65 PROTOCOL_SSLv23 = PROTOCOL_TLS
66 except ImportError:
67 try:
68 from ssl import PROTOCOL_SSLv23 as PROTOCOL_TLS
69
70 PROTOCOL_SSLv23 = PROTOCOL_TLS
71 except ImportError:
72 PROTOCOL_SSLv23 = PROTOCOL_TLS = 2
73
74
75 try:
76 from ssl import OP_NO_COMPRESSION, OP_NO_SSLv2, OP_NO_SSLv3
77 except ImportError:
78 OP_NO_SSLv2, OP_NO_SSLv3 = 0x1000000, 0x2000000
79 OP_NO_COMPRESSION = 0x20000
80
81
82 try: # OP_NO_TICKET was added in Python 3.6
83 from ssl import OP_NO_TICKET
84 except ImportError:
85 OP_NO_TICKET = 0x4000
86
87
88 # A secure default.
89 # Sources for more information on TLS ciphers:
90 #
91 # - https://wiki.mozilla.org/Security/Server_Side_TLS
92 # - https://www.ssllabs.com/projects/best-practices/index.html
93 # - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
94 #
95 # The general intent is:
96 # - prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE),
97 # - prefer ECDHE over DHE for better performance,
98 # - prefer any AES-GCM and ChaCha20 over any AES-CBC for better performance and
99 # security,
100 # - prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common,
101 # - disable NULL authentication, MD5 MACs, DSS, and other
102 # insecure ciphers for security reasons.
103 # - NOTE: TLS 1.3 cipher suites are managed through a different interface
104 # not exposed by CPython (yet!) and are enabled by default if they're available.
105 DEFAULT_CIPHERS = ":".join(
106 [
107 "ECDHE+AESGCM",
108 "ECDHE+CHACHA20",
109 "DHE+AESGCM",
110 "DHE+CHACHA20",
111 "ECDH+AESGCM",
112 "DH+AESGCM",
113 "ECDH+AES",
114 "DH+AES",
115 "RSA+AESGCM",
116 "RSA+AES",
117 "!aNULL",
118 "!eNULL",
119 "!MD5",
120 "!DSS",
121 ]
122 )
123
124 try:
125 from ssl import SSLContext # Modern SSL?
126 except ImportError:
127
128 class SSLContext(object): # Platform-specific: Python 2
129 def __init__(self, protocol_version):
130 self.protocol = protocol_version
131 # Use default values from a real SSLContext
132 self.check_hostname = False
133 self.verify_mode = ssl.CERT_NONE
134 self.ca_certs = None
135 self.options = 0
136 self.certfile = None
137 self.keyfile = None
138 self.ciphers = None
139
140 def load_cert_chain(self, certfile, keyfile):
141 self.certfile = certfile
142 self.keyfile = keyfile
143
144 def load_verify_locations(self, cafile=None, capath=None, cadata=None):
145 self.ca_certs = cafile
146
147 if capath is not None:
148 raise SSLError("CA directories not supported in older Pythons")
149
150 if cadata is not None:
151 raise SSLError("CA data not supported in older Pythons")
152
153 def set_ciphers(self, cipher_suite):
154 self.ciphers = cipher_suite
155
156 def wrap_socket(self, socket, server_hostname=None, server_side=False):
157 warnings.warn(
158 "A true SSLContext object is not available. This prevents "
159 "urllib3 from configuring SSL appropriately and may cause "
160 "certain SSL connections to fail. You can upgrade to a newer "
161 "version of Python to solve this. For more information, see "
162 "https://urllib3.readthedocs.io/en/latest/advanced-usage.html"
163 "#ssl-warnings",
164 InsecurePlatformWarning,
165 )
166 kwargs = {
167 "keyfile": self.keyfile,
168 "certfile": self.certfile,
169 "ca_certs": self.ca_certs,
170 "cert_reqs": self.verify_mode,
171 "ssl_version": self.protocol,
172 "server_side": server_side,
173 }
174 return wrap_socket(socket, ciphers=self.ciphers, **kwargs)
175
176
177 def assert_fingerprint(cert, fingerprint):
178 """
179 Checks if given fingerprint matches the supplied certificate.
180
181 :param cert:
182 Certificate as bytes object.
183 :param fingerprint:
184 Fingerprint as string of hexdigits, can be interspersed by colons.
185 """
186
187 fingerprint = fingerprint.replace(":", "").lower()
188 digest_length = len(fingerprint)
189 hashfunc = HASHFUNC_MAP.get(digest_length)
190 if not hashfunc:
191 raise SSLError("Fingerprint of invalid length: {0}".format(fingerprint))
192
193 # We need encode() here for py32; works on py2 and p33.
194 fingerprint_bytes = unhexlify(fingerprint.encode())
195
196 cert_digest = hashfunc(cert).digest()
197
198 if not _const_compare_digest(cert_digest, fingerprint_bytes):
199 raise SSLError(
200 'Fingerprints did not match. Expected "{0}", got "{1}".'.format(
201 fingerprint, hexlify(cert_digest)
202 )
203 )
204
205
206 def resolve_cert_reqs(candidate):
207 """
208 Resolves the argument to a numeric constant, which can be passed to
209 the wrap_socket function/method from the ssl module.
210 Defaults to :data:`ssl.CERT_REQUIRED`.
211 If given a string it is assumed to be the name of the constant in the
212 :mod:`ssl` module or its abbreviation.
213 (So you can specify `REQUIRED` instead of `CERT_REQUIRED`.
214 If it's neither `None` nor a string we assume it is already the numeric
215 constant which can directly be passed to wrap_socket.
216 """
217 if candidate is None:
218 return CERT_REQUIRED
219
220 if isinstance(candidate, str):
221 res = getattr(ssl, candidate, None)
222 if res is None:
223 res = getattr(ssl, "CERT_" + candidate)
224 return res
225
226 return candidate
227
228
229 def resolve_ssl_version(candidate):
230 """
231 like resolve_cert_reqs
232 """
233 if candidate is None:
234 return PROTOCOL_TLS
235
236 if isinstance(candidate, str):
237 res = getattr(ssl, candidate, None)
238 if res is None:
239 res = getattr(ssl, "PROTOCOL_" + candidate)
240 return res
241
242 return candidate
243
244
245 def create_urllib3_context(
246 ssl_version=None, cert_reqs=None, options=None, ciphers=None
247 ):
248 """All arguments have the same meaning as ``ssl_wrap_socket``.
249
250 By default, this function does a lot of the same work that
251 ``ssl.create_default_context`` does on Python 3.4+. It:
252
253 - Disables SSLv2, SSLv3, and compression
254 - Sets a restricted set of server ciphers
255
256 If you wish to enable SSLv3, you can do::
257
258 from urllib3.util import ssl_
259 context = ssl_.create_urllib3_context()
260 context.options &= ~ssl_.OP_NO_SSLv3
261
262 You can do the same to enable compression (substituting ``COMPRESSION``
263 for ``SSLv3`` in the last line above).
264
265 :param ssl_version:
266 The desired protocol version to use. This will default to
267 PROTOCOL_SSLv23 which will negotiate the highest protocol that both
268 the server and your installation of OpenSSL support.
269 :param cert_reqs:
270 Whether to require the certificate verification. This defaults to
271 ``ssl.CERT_REQUIRED``.
272 :param options:
273 Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``,
274 ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``, and ``ssl.OP_NO_TICKET``.
275 :param ciphers:
276 Which cipher suites to allow the server to select.
277 :returns:
278 Constructed SSLContext object with specified options
279 :rtype: SSLContext
280 """
281 context = SSLContext(ssl_version or PROTOCOL_TLS)
282
283 context.set_ciphers(ciphers or DEFAULT_CIPHERS)
284
285 # Setting the default here, as we may have no ssl module on import
286 cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
287
288 if options is None:
289 options = 0
290 # SSLv2 is easily broken and is considered harmful and dangerous
291 options |= OP_NO_SSLv2
292 # SSLv3 has several problems and is now dangerous
293 options |= OP_NO_SSLv3
294 # Disable compression to prevent CRIME attacks for OpenSSL 1.0+
295 # (issue #309)
296 options |= OP_NO_COMPRESSION
297 # TLSv1.2 only. Unless set explicitly, do not request tickets.
298 # This may save some bandwidth on wire, and although the ticket is encrypted,
299 # there is a risk associated with it being on wire,
300 # if the server is not rotating its ticketing keys properly.
301 options |= OP_NO_TICKET
302
303 context.options |= options
304
305 # Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is
306 # necessary for conditional client cert authentication with TLS 1.3.
307 # The attribute is None for OpenSSL <= 1.1.0 or does not exist in older
308 # versions of Python. We only enable on Python 3.7.4+ or if certificate
309 # verification is enabled to work around Python issue #37428
310 # See: https://bugs.python.org/issue37428
311 if (cert_reqs == ssl.CERT_REQUIRED or sys.version_info >= (3, 7, 4)) and getattr(
312 context, "post_handshake_auth", None
313 ) is not None:
314 context.post_handshake_auth = True
315
316 context.verify_mode = cert_reqs
317 if (
318 getattr(context, "check_hostname", None) is not None
319 ): # Platform-specific: Python 3.2
320 # We do our own verification, including fingerprints and alternative
321 # hostnames. So disable it here
322 context.check_hostname = False
323
324 # Enable logging of TLS session keys via defacto standard environment variable
325 # 'SSLKEYLOGFILE', if the feature is available (Python 3.8+). Skip empty values.
326 if hasattr(context, "keylog_filename"):
327 sslkeylogfile = os.environ.get("SSLKEYLOGFILE")
328 if sslkeylogfile:
329 context.keylog_filename = sslkeylogfile
330
331 return context
332
333
334 def ssl_wrap_socket(
335 sock,
336 keyfile=None,
337 certfile=None,
338 cert_reqs=None,
339 ca_certs=None,
340 server_hostname=None,
341 ssl_version=None,
342 ciphers=None,
343 ssl_context=None,
344 ca_cert_dir=None,
345 key_password=None,
346 ca_cert_data=None,
347 tls_in_tls=False,
348 ):
349 """
350 All arguments except for server_hostname, ssl_context, and ca_cert_dir have
351 the same meaning as they do when using :func:`ssl.wrap_socket`.
352
353 :param server_hostname:
354 When SNI is supported, the expected hostname of the certificate
355 :param ssl_context:
356 A pre-made :class:`SSLContext` object. If none is provided, one will
357 be created using :func:`create_urllib3_context`.
358 :param ciphers:
359 A string of ciphers we wish the client to support.
360 :param ca_cert_dir:
361 A directory containing CA certificates in multiple separate files, as
362 supported by OpenSSL's -CApath flag or the capath argument to
363 SSLContext.load_verify_locations().
364 :param key_password:
365 Optional password if the keyfile is encrypted.
366 :param ca_cert_data:
367 Optional string containing CA certificates in PEM format suitable for
368 passing as the cadata parameter to SSLContext.load_verify_locations()
369 :param tls_in_tls:
370 Use SSLTransport to wrap the existing socket.
371 """
372 context = ssl_context
373 if context is None:
374 # Note: This branch of code and all the variables in it are no longer
375 # used by urllib3 itself. We should consider deprecating and removing
376 # this code.
377 context = create_urllib3_context(ssl_version, cert_reqs, ciphers=ciphers)
378
379 if ca_certs or ca_cert_dir or ca_cert_data:
380 try:
381 context.load_verify_locations(ca_certs, ca_cert_dir, ca_cert_data)
382 except (IOError, OSError) as e:
383 raise SSLError(e)
384
385 elif ssl_context is None and hasattr(context, "load_default_certs"):
386 # try to load OS default certs; works well on Windows (require Python3.4+)
387 context.load_default_certs()
388
389 # Attempt to detect if we get the goofy behavior of the
390 # keyfile being encrypted and OpenSSL asking for the
391 # passphrase via the terminal and instead error out.
392 if keyfile and key_password is None and _is_key_file_encrypted(keyfile):
393 raise SSLError("Client private key is encrypted, password is required")
394
395 if certfile:
396 if key_password is None:
397 context.load_cert_chain(certfile, keyfile)
398 else:
399 context.load_cert_chain(certfile, keyfile, key_password)
400
401 try:
402 if hasattr(context, "set_alpn_protocols"):
403 context.set_alpn_protocols(ALPN_PROTOCOLS)
404 except NotImplementedError:
405 pass
406
407 # If we detect server_hostname is an IP address then the SNI
408 # extension should not be used according to RFC3546 Section 3.1
409 use_sni_hostname = server_hostname and not is_ipaddress(server_hostname)
410 # SecureTransport uses server_hostname in certificate verification.
411 send_sni = (use_sni_hostname and HAS_SNI) or (
412 IS_SECURETRANSPORT and server_hostname
413 )
414 # Do not warn the user if server_hostname is an invalid SNI hostname.
415 if not HAS_SNI and use_sni_hostname:
416 warnings.warn(
417 "An HTTPS request has been made, but the SNI (Server Name "
418 "Indication) extension to TLS is not available on this platform. "
419 "This may cause the server to present an incorrect TLS "
420 "certificate, which can cause validation failures. You can upgrade to "
421 "a newer version of Python to solve this. For more information, see "
422 "https://urllib3.readthedocs.io/en/latest/advanced-usage.html"
423 "#ssl-warnings",
424 SNIMissingWarning,
425 )
426
427 if send_sni:
428 ssl_sock = _ssl_wrap_socket_impl(
429 sock, context, tls_in_tls, server_hostname=server_hostname
430 )
431 else:
432 ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
433 return ssl_sock
434
435
436 def is_ipaddress(hostname):
437 """Detects whether the hostname given is an IPv4 or IPv6 address.
438 Also detects IPv6 addresses with Zone IDs.
439
440 :param str hostname: Hostname to examine.
441 :return: True if the hostname is an IP address, False otherwise.
442 """
443 if not six.PY2 and isinstance(hostname, bytes):
444 # IDN A-label bytes are ASCII compatible.
445 hostname = hostname.decode("ascii")
446 return bool(IPV4_RE.match(hostname) or BRACELESS_IPV6_ADDRZ_RE.match(hostname))
447
448
449 def _is_key_file_encrypted(key_file):
450 """Detects if a key file is encrypted or not."""
451 with open(key_file, "r") as f:
452 for line in f:
453 # Look for Proc-Type: 4,ENCRYPTED
454 if "ENCRYPTED" in line:
455 return True
456
457 return False
458
459
460 def _ssl_wrap_socket_impl(sock, ssl_context, tls_in_tls, server_hostname=None):
461 if tls_in_tls:
462 if not SSLTransport:
463 # Import error, ssl is not available.
464 raise ProxySchemeUnsupported(
465 "TLS in TLS requires support for the 'ssl' module"
466 )
467
468 SSLTransport._validate_ssl_context_for_tls_in_tls(ssl_context)
469 return SSLTransport(sock, ssl_context, server_hostname)
470
471 if server_hostname:
472 return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
473 else:
474 return ssl_context.wrap_socket(sock)