o

�N�g}F�@s>
dZd
dl
mZmZmZ
eZd
dlZd
dlZd
dl	Z	zd
dl
Z
Wney+


dZ
Yn
wzd
dlm
Z

WneyQ


zd
dlm
Z

WneyN


dZ
Yn
wYn
wd
dlZddlmZ
dd	lmZ
dd
lmZmZ
ddlmZmZ
ddlmZ
ejrejZneZd
d�Zdd�Z dd�Z!dd�Z"dd�Z#Gdd�de�Z$dS)z�
A library for integrating Python's builtin :py:mod:`ssl` library with Cheroot.

The :py:mod:`ssl` module must be importable for SSL functionality.

To use this module, set ``HTTPServer.ssl_adapter`` to an instance of
``BuiltinSSLAdapter``.
�)�absolute_import�division�print_functionN)
�DEFAULT_BUFFER_SIZE����
)
�Adapter�)
�errors)�IS_ABOVE_OPENSSL10�suppress��StreamReader�StreamWriter)
�
HTTPServerc
s6t|
�
d
kr
t
d�
�
t|�
���t�f
dd�|
D�
�
S)zACheck whether SSL exception contains either of messages provided.rzF_assert_ssl_exc_contains() requires at least one message to be passed.c
3s�|]	}
|
���vV
qdS)
N)
�lower)�.0�
m�
Z
err_msg_lower��G/opt/saltstack/salt/lib/python3.10/site-packages/cheroot/ssl/builtin.py�	<genexpr>4s�z+_assert_ssl_exc_contains.<locals>.<genexpr>)�len�	TypeError�strr�any)�excZmsgsrrr�_assert_ssl_exc_contains,s

�
rc	Cs|tt
jt��.
|j|
d
d
d��
}|�d�

Wd�
n1sw



Y
Wd�
dSWd�
dS1s7w



Y
dS)z;Wrap a socket in ssl and perform the server-side handshake.T��do_handshake_on_connect�server_sides0000N)r�ssl�SSLError�OSError�wrap_socket�send)�context�server�ssl_sockrrr�_loopback_for_cert_thread7s

���
"�r)cCs�tj
|d
�
}|�||
�
d|_tj|_t��\}}zStj	t
||fd�}z9|��
|j|ddd��}|�
d�

|��Wd�
W|��
W|��
|��
S1sRw



Y
W|��
n|��
wW|��
|��
dS|��
|��
w)z@Create a loopback connection to parse a cert with a private key.)
�cafileF)�target�argsTr�N)r!�create_default_context�load_cert_chain�check_hostname�	CERT_NONE�verify_mode�socket�
socketpair�	threading�Threadr)�startr$�recv�getpeercert�join�close)�certificate�private_key�certificate_chainr&�clientr'�threadr(rrr�_loopback_for_certVs8




�



�


�


�
�

rAcCsrtt
tjt��
t||
|�Wd
�
S1sw



Y
tt�
�
tj�|�
Wd
�
S1s2w



Y
iS)zParse a certificate.N)	r�AttributeErrorr!r"r#rA�	Exception�_ssl�_test_decode_cert)r<r=r>rrr�_parse_certxs

 �


 �rFcCs
|
|_d
S)z7Handle the SNI callback to tag the socket with the SNI.N)
�sni)�sockrGr&rrr�
_sni_callback�s
rIcs�eZ
dZd
ZdZ	dZ	dZ	dZ	ddddddd	d
�Zddd
ddddddddddd�
Z			d-�f
dd�	Z
edd��
Zej
dd��
Z�f
dd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*efd+d,�
Z�ZS).�BuiltinSSLAdapterzDWrapper for integrating Python's builtin :py:mod:`ssl` with Cheroot.NZ	M_VERSIONZM_SERIALZV_STARTZV_ENDZS_DNZI_DN�SAN)�versionZserialNumber�	notBefore�notAfter�subjectZissuer�subjectAltName�
CZST�
L�
OZOUZCN�
T�
I�
G�
S�
DZUID�Email)
ZcountryNameZstateOrProvinceNameZlocalityNameZorganizationNameZorganizationalUnitName�
commonName�titleZinitialsZ	givenNameZsurname�descriptionZuseridZemailAddressc	s
td
urt
d�
�
tt|��|
|||�
tjtjj|d�|_|j�	|
|�
|j
d
u
r/|j�|�

|�dt
|
||j��|_|js@d
Sd
}t|
dd��}|��}Wd
�
n1sWw



Y
|�tj�
}|dkrhd
S|�tj|�}|dkrud
S|ttj�
7}|||�|jd<d
S)	zASet up context in addition to base class properties if available.Nz-You must install the ssl module to use HTTPS.)�purposer*Z
SSL_SERVERZrt)
�moderZSSL_SERVER_CERT)r!�ImportError�superrJ�__init__r.�Purpose�CLIENT_AUTHr&r/�ciphers�set_ciphers�_make_env_cert_dictrFr>�_server_env�open�read�find�
PEM_HEADER�
PEM_FOOTERr)	�selfr<r=r>rd�cert�
fZ
cert_startZcert_end�
�	__class__rrra�s<


�

�




�




�






zBuiltinSSLAdapter.__init__c


Cs|jS)
z>:py:class:`~ssl.SSLContext` that will be used to wrap sockets.)
�_context)
rmrrrr&�szBuiltinSSLAdapter.contextcCsj|
|_t
t�
�$
tjr|
jd
ur#t|
_Wd
�
d
SWd
�
d
SWd
�
d
S1s.w



Y
d
S)zSet the ssl ``context`` to use.N)rrrrBr!�HAS_SNI�sni_callbackrI)rmr&rrrr&�s


�
�
"�cstt
|��|
�
S)
z!Wrap and return the given socket.)r`rJ�bind)rmrHrprrru

szBuiltinSSLAdapter.bindc
Cs�d
if}z|jj
|
ddd�}WnhtjyY
}
z=|jtjkr&|WYd
}~S|jtjkrGt|d�r4tj	�
d}t|g
|�
R�rF|WYd
}~S�t|d�rT|WYd
}~S�d
}~w
t
yw
}
z	|jdk}|rrtrr|WYd
}~S�d
}~w
w||�
|�
fS)z<Wrap and return the given socket, plus WSGI environ entries.NTrzhttp request)
zunknown protocolz
unknown caZ
unknown_caz
unknown errorzhttps proxy requestzinappropriate fallbackzwrong version numberzno shared cipherzcertificate unknownzccs received earlyzcertificate verify failedzversion too lowzunsupported protocolzhandshake operation timed out)r
�Error)r&r$r!r"�errno�
SSL_ERROR_EOF�
SSL_ERROR_SSLrr
Z
NoSSLError�generic_socket_errorr,r�get_environ)rmrHZEMPTY_RESULT�
s�exZ
_block_errorsrZ	is_error0rrr�wrap
s8



�




�
�




��zBuiltinSSLAdapter.wrapc
Cs�
|
��}d
d|d|dd|ddt
jtjftjdd	�	}tt�
�
|
��}|d
u
r.||d<Wd
�
n1s8w



Y
tt�
�
|
j	j
��|d<Wd
�
n1sTw



Y
tt�
�(
|d
d�}|
j�
�D]}||d
|dfkr}|d|d<
n
qiWd
�
n1s�w



Y
tt�
�

|
j|d<Wd
�
n1s�w



Y
|jr�|jjtjkr�|
��}|r�d|d<|�|�d|��

t�|
jdd�
�
��|d<|�|j�

|S)z;Create WSGI environ entries to be merged into each request.�https�onrr
�r	z%s Python/%sZNONE)	zwsgi.url_schemeZHTTPSZSSL_PROTOCOLZ
SSL_CIPHERZSSL_CIPHER_EXPORTZSSL_CIPHER_USEKEYSIZEZSSL_VERSION_INTERFACEZSSL_VERSION_LIBRARY�SSL_CLIENT_VERIFYNZSSL_COMPRESS_METHODZSSL_SESSION_ID�name�protocolZalg_bitsZSSL_CIPHER_ALGKEYSIZEZSSL_TLS_SNI�SUCCESSr�Z
SSL_CLIENTT)
�binary_formZSSL_CLIENT_CERT)�cipherrrL�sysr!�OPENSSL_VERSIONrrB�compression�session�id�hexr&�get_ciphersrGr2r1r9�updaterf�DER_cert_to_PEM_cert�striprg)rmrHr�Zssl_environr�Z
target_cipherZcipZclient_certrrrr{M
s`






�
�



��

�





���

�




�

��	zBuiltinSSLAdapter.get_environc	Cs�|siSi}|j�
�D]2\}}d
|
|f}|�|�
}|dkr(|�|�||��

q|�d�
r7|�|�||��

qt|�
||<qd|vrat�	|d�
}|t�	|d�
8}|d}tt
|�
�
|d|
f
<|S)z�Return a dict of WSGI environment variables for a certificate.

        E.g. SSL_CLIENT_M_VERSION, SSL_CLIENT_M_SERIAL, etc.
        See https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars.
        �%s_%srKZ_DNrMrNi�Q
z%s_V_REMAIN)�CERT_KEY_TO_ENV�items�getr��_make_env_san_dict�endswith�_make_env_dn_dictrr!�cert_time_to_seconds�int)	rm�
env_prefixZparsed_cert�envZcert_keyZenv_var�key�valueZremainrrrrf�
s"













z%BuiltinSSLAdapter._make_env_cert_dictcCsh|siSi}d
}d
}|D]%\}}|dkr!||d|
|f<|d7}q|dkr1||d|
|f<|d7}q|S)z�Return a dict of WSGI environment variables for a certificate DN.

        E.g. SSL_CLIENT_SAN_Email_0, SSL_CLIENT_SAN_DNS_0, etc.
        See SSL_CLIENT_SAN_* at
        https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars.
        r
�DNSz	%s_DNS_%irrYz%s_Email_%ir)rmr��
cert_valuer�Z	dns_countZemail_count�	attr_name�valrrrr��
s










�z$BuiltinSSLAdapter._make_env_san_dictcCs�|siSg}i}|D]*}|D]%\}}|j�
|�
}|�d
|p||f�

|s&q|�|g�
||�|�

qq
|
d�|�
i
}	|��D](\}}
d�|
�
|	d|
|f<t|
�
dkrVq@t|
�
D]
\}}||	d|
||f<qZq@|	S)z�Return a dict of WSGI environment variables for a certificate DN.

        E.g. SSL_CLIENT_S_DN_CN, SSL_CLIENT_S_DN_C, etc.
        See SSL_CLIENT_S_DN_x509 at
        https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#envvars.
        z%s=%s�
,r�rz%s_%s_%i)�CERT_KEY_TO_LDAP_CODEr��append�
setdefaultr:r�r�	enumerate)rmr�r��dnZdn_attrsZrdnr�r�Z	attr_coder��values�
irrrr��
s.









�
	�




�z#BuiltinSSLAdapter._make_env_dn_dict�
rcCsd
|vrtn
t
}||
||�S)zReturn socket file object.r�r
)rmrHr^�bufsize�clsrrr�makefile�
s
zBuiltinSSLAdapter.makefile)NN)�__name__�
__module__�__qualname__�__doc__r<r=r>rdr�r�ra�propertyr&�setterrur~r{rfr�r�rr��
__classcell__rrrprrJ�s\










�










�
�(




<> rJ)%r�Z
__future__rrr�typeZ
__metaclass__r3r�r5r!r_Z_pyior�ioZsixr�rr
Z_compatrrr�rrr'rZPY2�errorrzr#rr)rArFrIrJrrrr�<module>
sH	





�





���




"