U ;gE@sFddlmZmZmZmZddlZddlmZddlmZm Z m Z ddl m Z ddl mZmZmZdd d d d d dddddddddddddgZdd ZddZdd Zdd Zdd Zd dZd!d Zd"d#Zd$dZd%dZd&dZd'dZd(dZd)dZd*dZ d+d,Z!d-dZ"d.dZ#d/dZ$d0dZ%d1d2Z&d3dZ'd4d5Z(dS)6)unicode_literalsdivisionabsolute_importprint_functionN)datetime) Certificateint_from_bytestimezone)CIPHER_SUITE_MAP)TLSVerificationErrorTLSDisconnectErrorTLSErrordetect_client_auth_request extract_chainget_dh_params_length parse_alertparse_handshake_messagesparse_session_infoparse_tls_recordsraise_client_authraise_dh_paramsraise_disconnectionraise_expired_not_yet_validraise_handshakeraise_hostnameraise_no_issuerraise_protocol_error raise_revokedraise_self_signedraise_verificationraise_weak_signaturec Csg}d}t|D]>\}}}|dkr$qt|D]\}}|dkr,|}qFq,|rqPq|rd}|t|krt|||d} |d} | | } | }|| | } |t| qX|S)a Extracts the X.509 certificates from the server handshake bytes for use when debugging :param server_handshake_bytes: A byte string of the handshake data received from the server :return: A list of asn1crypto.x509.Certificate objects N )rrlenr appendrload) server_handshake_bytesoutputZ chain_bytes record_type_ record_data message_type message_datapointerZ cert_lengthZ cert_startZcert_endZ cert_bytesr01/tmp/pip-unpacked-wheel-x1gypflw/oscrypto/_tls.pyr#s*   cCsDt|D]6\}}}|dkrqt|D]\}}|dkr$dSq$qdS)a) Determines if a CertificateRequest message is sent from the server asking the client for a certificate :param server_handshake_bytes: A byte string of the handshake data received from the server :return: A boolean - if a client certificate request was found r" TF)rr)r(r*r+r,r-r.r0r0r1rKs  cCsld}d}t|D]>\}}}|dkr$qt|D]\}}|dkr,|}qFq,|rqPq|rht|ddd}|S)a Determines the length of the DH params from the ServerKeyExchange :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None or an integer of the bit size of the DH parameters Nr" r)rrr )r(r)Zdh_params_bytesr*r+r,r-r.r0r0r1r`s cCsVt|D]H\}}}|dkrqt|dkr.dSt|ddt|ddfSdS)aV Parses the handshake for protocol alerts :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None or an 2-element tuple of integers: 0: 1 (warning) or 2 (fatal) 1: The alert description (see https://tools.ietf.org/html/rfc5246#section-7.2) r4Nrr)rr%r )r(r*r+r,r0r0r1rs  $cCsVd}d}d}d}d}d}d}t|D]\} } } | dkr8q$t| D]\} } | dkrRq@ddddd d | d d }t| d d}|d kr| dd|}d|}| ||d }t|}|d }| ||ddk}|d}| |d}t|D]\}}|dkrd}q qq$q@q$t|D]\} } } | dkr2qt| D]\} } | dkrPq:t| d d}|d krz| dd|}d|}t| ||d }|d |}t| ||d}|dkr |dkr |d|}| |d}t|D]\}}|dkrd}q qqq:q|dk rF|dkr2d}n||krBd}nd}|||||dS)a Parse the TLS handshake from the client to the server to extract information including the cipher suite selected, if compression is enabled, the session id and if a new or reused session ticket exists. :param server_handshake_bytes: A byte string of the handshake data received from the server :param client_handshake_bytes: A byte string of the handshake data sent to the server :return: A dict with the following keys: - "protocol": unicode string - "cipher_suite": unicode string - "compression": boolean - "session_id": "new", "reused" or None - "session_ticket: "new", "reused" or None NFr"SSLv3TLSv1zTLSv1.1zTLSv1.2zTLSv1.3)sssssrr4"#rnewZreused)protocol cipher_suite compression session_idsession_ticket)rrr r _parse_hello_extensions)r(Zclient_handshake_bytesr?r@rArBrCZserver_session_idZclient_session_idr*r+r,r-r.Zsession_id_lengthZcipher_suite_startZcipher_suite_bytesZcompression_startZextensions_length_startZextensions_dataextension_typeZextension_dataZcipher_suite_lengthZcompression_lengthr0r0r1rs             ccsd}t|}||kr|||ddkr*qt||d|d}|||d||d|d||d|d|fV|d|7}q dS)a Creates a generator returning tuples of information about each record in a byte string of data from a TLS client or server. Stops as soon as it find a ChangeCipherSpec message since all data from then on is encrypted. :param data: A byte string of TLS records :return: A generator that yields 3-element tuples: [0] Byte string of record type [1] Byte string of protocol version [2] Byte string of record data rrr$Nr%r datar/data_lenlengthr0r0r1rsccshd}t|}||krdt||d|d}|||d||d|d|fV|d|7}q dS)a` Creates a generator returning tuples of information about each message in a byte string of data from a TLS handshake record :param data: A byte string of a TLS handshake record data :return: A generator that yields 2-element tuples: [0] Byte string of message type [1] Byte string of message data rrNrHrIr0r0r1r#sccs|dkr dSt|dd}d}d|}|}||krt|||d}t||d|d}|||d|d|fV|d|7}q,dS)a Creates a generator returning tuples of information about each extension from a byte string of extension data contained in a ServerHello ores ClientHello message :param data: A byte string of a extension data from a TLS ServerHello or ClientHello message :return: A generator that yields 2-element tuples: [0] Byte string of extension type [1] Byte string of extension data Nrr4rM)r )rJZextentions_lengthZextensions_startZextensions_endr/rEZextension_lengthr0r0r1rD<srDcCstd|p|ddk}|r(d|}nd|}d|}d|j}d|j}|r`|d|7}|rp|rp|d 7}|r|d |7}t||d S) z Raises a TLSVerificationError due to a hostname mismatch :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError z^\d+\.\d+\.\d+\.\d+$:z IP address %szdomain name %sz:Server certificate verification failed - %s does not matchz, z valid domains: %sz orz valid IP addresses: %sN)rematchfindjoin valid_ips valid_domainsr ) certificatehostnameZis_ipZ hostname_typemessagerUrVr0r0r1r^s      cCsd}t||dS)z Raises a generic TLSVerificationError :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError z&Server certificate verification failedNr rWrYr0r0r1r zs cCsd}t||dS)z Raises a TLSVerificationError when a certificate uses a weak signature algorithm :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zMServer certificate verification failed - weak certificate signature algorithmNrZr[r0r0r1r!s cCsd}t|dS)zg Raises a TLSError indicating client authentication is required :raises: TLSError z5TLS handshake failed - client authentication requiredNr)rYr0r0r1rscCsd}t||dS)z Raises a TLSVerificationError due to the certificate being revoked :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zEServer certificate verification failed - certificate has been revokedNrZr[r0r0r1rs cCsd}t||dS)z Raises a TLSVerificationError due to no issuer certificate found in trust roots :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zgServer certificate verification failed - certificate issuer not found in trusted root certificate storeNrZr[r0r0r1rs cCsd}t||dS)z Raises a TLSVerificationError due to a self-signed certificate roots :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zCServer certificate verification failed - certificate is self-signedNrZr[r0r0r1rs cCsd}t||dS)z Raises a TLSVerificationError due to a certificate lifetime exceeding the CAB forum certificate lifetime limit :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zIServer certificate verification failed - certificate lifetime is too longNrZr[r0r0r1raise_lifetime_too_longs r]cCsp|dd}|dj}|dj}ttj}||krH|d}d|}n||krb|d}d|}t||dS) z Raises a TLSVerificationError due to certificate being expired, or not yet being valid :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError Ztbs_certificatevalidity not_after not_beforez%Y-%m-%d %H:%M:%SZzGServer certificate verification failed - certificate not valid until %sz?Server certificate verification failed - certificate expired %sN)Znativernowr utcstrftimer )rWr^r_r`raZformatted_beforerYZformatted_afterr0r0r1rs       cCs tddS)ze Raises a TLSDisconnectError due to a disconnection :raises: TLSDisconnectError z$The remote end closed the connectionN)r r0r0r0r1rscCs$t|}|rtd|tddS)z Raises a TLSError due to a protocol error :param server_handshake_bytes: A byte string of the handshake data received from the server :raises: TLSError z.TLS protocol error - server responded using %sz@TLS protocol error - server responded using a different protocolN)detect_other_protocolr)r(Zother_protocolr0r0r1r s  cCs tddS)zS Raises a TLSError due to a handshake error :raises: TLSError zTLS handshake failedNr\r0r0r0r1rscCs tddS)z_ Raises a TLSError due to a TLS version incompatibility :raises: TLSError z-TLS handshake failed - protocol version errorNr\r0r0r0r1raise_protocol_version)srecCs tddS)zP Raises a TLSError due to weak DH params :raises: TLSError z)TLS handshake failed - weak DH parametersNr\r0r0r0r1r4scCs|dddkrdS|dddkrs`  (o"