gvsig-scripting / org.gvsig.scripting / trunk / org.gvsig.scripting / org.gvsig.scripting.app / org.gvsig.scripting.app.mainplugin / src / main / resources-plugin / scripting / lib / requests / packages / urllib3 / util / ssl_.py @ 564
History | View | Annotate | Download (11.1 KB)
1 |
from __future__ import absolute_import |
---|---|
2 |
import errno |
3 |
import warnings |
4 |
import hmac |
5 |
|
6 |
from binascii import hexlify, unhexlify |
7 |
from hashlib import md5, sha1, sha256 |
8 |
|
9 |
from ..exceptions import SSLError, InsecurePlatformWarning, SNIMissingWarning |
10 |
|
11 |
|
12 |
SSLContext = None
|
13 |
HAS_SNI = False
|
14 |
create_default_context = None
|
15 |
|
16 |
# Maps the length of a digest to a possible hash function producing this digest
|
17 |
HASHFUNC_MAP = { |
18 |
32: md5,
|
19 |
40: sha1,
|
20 |
64: sha256,
|
21 |
} |
22 |
|
23 |
|
24 |
def _const_compare_digest_backport(a, b): |
25 |
"""
|
26 |
Compare two digests of equal length in constant time.
|
27 |
|
28 |
The digests must be of type str/bytes.
|
29 |
Returns True if the digests match, and False otherwise.
|
30 |
"""
|
31 |
result = abs(len(a) - len(b)) |
32 |
for l, r in zip(bytearray(a), bytearray(b)): |
33 |
result |= l ^ r |
34 |
return result == 0 |
35 |
|
36 |
|
37 |
_const_compare_digest = getattr(hmac, 'compare_digest', |
38 |
_const_compare_digest_backport) |
39 |
|
40 |
|
41 |
try: # Test for SSL features |
42 |
import ssl |
43 |
from ssl import wrap_socket, CERT_NONE, PROTOCOL_SSLv23 |
44 |
from ssl import HAS_SNI # Has SNI? |
45 |
except ImportError: |
46 |
pass
|
47 |
|
48 |
|
49 |
try:
|
50 |
from ssl import OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION |
51 |
except ImportError: |
52 |
OP_NO_SSLv2, OP_NO_SSLv3 = 0x1000000, 0x2000000 |
53 |
OP_NO_COMPRESSION = 0x20000
|
54 |
|
55 |
# A secure default.
|
56 |
# Sources for more information on TLS ciphers:
|
57 |
#
|
58 |
# - https://wiki.mozilla.org/Security/Server_Side_TLS
|
59 |
# - https://www.ssllabs.com/projects/best-practices/index.html
|
60 |
# - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
61 |
#
|
62 |
# The general intent is:
|
63 |
# - Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE),
|
64 |
# - prefer ECDHE over DHE for better performance,
|
65 |
# - prefer any AES-GCM over any AES-CBC for better performance and security,
|
66 |
# - use 3DES as fallback which is secure but slow,
|
67 |
# - disable NULL authentication, MD5 MACs and DSS for security reasons.
|
68 |
DEFAULT_CIPHERS = ( |
69 |
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
|
70 |
'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
|
71 |
'!eNULL:!MD5'
|
72 |
) |
73 |
|
74 |
try:
|
75 |
from ssl import SSLContext # Modern SSL? |
76 |
except ImportError: |
77 |
import sys |
78 |
|
79 |
class SSLContext(object): # Platform-specific: Python 2 & 3.1 |
80 |
supports_set_ciphers = ((2, 7) <= sys.version_info < (3,) or |
81 |
(3, 2) <= sys.version_info) |
82 |
|
83 |
def __init__(self, protocol_version): |
84 |
self.protocol = protocol_version
|
85 |
# Use default values from a real SSLContext
|
86 |
self.check_hostname = False |
87 |
self.verify_mode = ssl.CERT_NONE
|
88 |
self.ca_certs = None |
89 |
self.options = 0 |
90 |
self.certfile = None |
91 |
self.keyfile = None |
92 |
self.ciphers = None |
93 |
|
94 |
def load_cert_chain(self, certfile, keyfile): |
95 |
self.certfile = certfile
|
96 |
self.keyfile = keyfile
|
97 |
|
98 |
def load_verify_locations(self, cafile=None, capath=None): |
99 |
self.ca_certs = cafile
|
100 |
|
101 |
if capath is not None: |
102 |
raise SSLError("CA directories not supported in older Pythons") |
103 |
|
104 |
def set_ciphers(self, cipher_suite): |
105 |
if not self.supports_set_ciphers: |
106 |
raise TypeError( |
107 |
'Your version of Python does not support setting '
|
108 |
'a custom cipher suite. Please upgrade to Python '
|
109 |
'2.7, 3.2, or later if you need this functionality.'
|
110 |
) |
111 |
self.ciphers = cipher_suite
|
112 |
|
113 |
def wrap_socket(self, socket, server_hostname=None): |
114 |
warnings.warn( |
115 |
'A true SSLContext object is not available. This prevents '
|
116 |
'urllib3 from configuring SSL appropriately and may cause '
|
117 |
'certain SSL connections to fail. For more information, see '
|
118 |
'https://urllib3.readthedocs.org/en/latest/security.html'
|
119 |
'#insecureplatformwarning.',
|
120 |
InsecurePlatformWarning |
121 |
) |
122 |
kwargs = { |
123 |
'keyfile': self.keyfile, |
124 |
'certfile': self.certfile, |
125 |
'ca_certs': self.ca_certs, |
126 |
'cert_reqs': self.verify_mode, |
127 |
'ssl_version': self.protocol, |
128 |
} |
129 |
if self.supports_set_ciphers: # Platform-specific: Python 2.7+ |
130 |
return wrap_socket(socket, ciphers=self.ciphers, **kwargs) |
131 |
else: # Platform-specific: Python 2.6 |
132 |
return wrap_socket(socket, **kwargs)
|
133 |
|
134 |
|
135 |
def assert_fingerprint(cert, fingerprint): |
136 |
"""
|
137 |
Checks if given fingerprint matches the supplied certificate.
|
138 |
|
139 |
:param cert:
|
140 |
Certificate as bytes object.
|
141 |
:param fingerprint:
|
142 |
Fingerprint as string of hexdigits, can be interspersed by colons.
|
143 |
"""
|
144 |
|
145 |
fingerprint = fingerprint.replace(':', '').lower() |
146 |
digest_length = len(fingerprint)
|
147 |
hashfunc = HASHFUNC_MAP.get(digest_length) |
148 |
if not hashfunc: |
149 |
raise SSLError(
|
150 |
'Fingerprint of invalid length: {0}'.format(fingerprint))
|
151 |
|
152 |
# We need encode() here for py32; works on py2 and p33.
|
153 |
fingerprint_bytes = unhexlify(fingerprint.encode()) |
154 |
|
155 |
cert_digest = hashfunc(cert).digest() |
156 |
|
157 |
if not _const_compare_digest(cert_digest, fingerprint_bytes): |
158 |
raise SSLError('Fingerprints did not match. Expected "{0}", got "{1}".' |
159 |
.format(fingerprint, hexlify(cert_digest))) |
160 |
|
161 |
|
162 |
def resolve_cert_reqs(candidate): |
163 |
"""
|
164 |
Resolves the argument to a numeric constant, which can be passed to
|
165 |
the wrap_socket function/method from the ssl module.
|
166 |
Defaults to :data:`ssl.CERT_NONE`.
|
167 |
If given a string it is assumed to be the name of the constant in the
|
168 |
:mod:`ssl` module or its abbrevation.
|
169 |
(So you can specify `REQUIRED` instead of `CERT_REQUIRED`.
|
170 |
If it's neither `None` nor a string we assume it is already the numeric
|
171 |
constant which can directly be passed to wrap_socket.
|
172 |
"""
|
173 |
if candidate is None: |
174 |
return CERT_NONE
|
175 |
|
176 |
if isinstance(candidate, str): |
177 |
res = getattr(ssl, candidate, None) |
178 |
if res is None: |
179 |
res = getattr(ssl, 'CERT_' + candidate) |
180 |
return res
|
181 |
|
182 |
return candidate
|
183 |
|
184 |
|
185 |
def resolve_ssl_version(candidate): |
186 |
"""
|
187 |
like resolve_cert_reqs
|
188 |
"""
|
189 |
if candidate is None: |
190 |
return PROTOCOL_SSLv23
|
191 |
|
192 |
if isinstance(candidate, str): |
193 |
res = getattr(ssl, candidate, None) |
194 |
if res is None: |
195 |
res = getattr(ssl, 'PROTOCOL_' + candidate) |
196 |
return res
|
197 |
|
198 |
return candidate
|
199 |
|
200 |
|
201 |
def create_urllib3_context(ssl_version=None, cert_reqs=None, |
202 |
options=None, ciphers=None): |
203 |
"""All arguments have the same meaning as ``ssl_wrap_socket``.
|
204 |
|
205 |
By default, this function does a lot of the same work that
|
206 |
``ssl.create_default_context`` does on Python 3.4+. It:
|
207 |
|
208 |
- Disables SSLv2, SSLv3, and compression
|
209 |
- Sets a restricted set of server ciphers
|
210 |
|
211 |
If you wish to enable SSLv3, you can do::
|
212 |
|
213 |
from urllib3.util import ssl_
|
214 |
context = ssl_.create_urllib3_context()
|
215 |
context.options &= ~ssl_.OP_NO_SSLv3
|
216 |
|
217 |
You can do the same to enable compression (substituting ``COMPRESSION``
|
218 |
for ``SSLv3`` in the last line above).
|
219 |
|
220 |
:param ssl_version:
|
221 |
The desired protocol version to use. This will default to
|
222 |
PROTOCOL_SSLv23 which will negotiate the highest protocol that both
|
223 |
the server and your installation of OpenSSL support.
|
224 |
:param cert_reqs:
|
225 |
Whether to require the certificate verification. This defaults to
|
226 |
``ssl.CERT_REQUIRED``.
|
227 |
:param options:
|
228 |
Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``,
|
229 |
``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``.
|
230 |
:param ciphers:
|
231 |
Which cipher suites to allow the server to select.
|
232 |
:returns:
|
233 |
Constructed SSLContext object with specified options
|
234 |
:rtype: SSLContext
|
235 |
"""
|
236 |
context = SSLContext(ssl_version or ssl.PROTOCOL_SSLv23)
|
237 |
|
238 |
# Setting the default here, as we may have no ssl module on import
|
239 |
cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs |
240 |
|
241 |
if options is None: |
242 |
options = 0
|
243 |
# SSLv2 is easily broken and is considered harmful and dangerous
|
244 |
options |= OP_NO_SSLv2 |
245 |
# SSLv3 has several problems and is now dangerous
|
246 |
options |= OP_NO_SSLv3 |
247 |
# Disable compression to prevent CRIME attacks for OpenSSL 1.0+
|
248 |
# (issue #309)
|
249 |
options |= OP_NO_COMPRESSION |
250 |
|
251 |
context.options |= options |
252 |
|
253 |
if getattr(context, 'supports_set_ciphers', True): # Platform-specific: Python 2.6 |
254 |
context.set_ciphers(ciphers or DEFAULT_CIPHERS)
|
255 |
|
256 |
context.verify_mode = cert_reqs |
257 |
if getattr(context, 'check_hostname', None) is not None: # Platform-specific: Python 3.2 |
258 |
# We do our own verification, including fingerprints and alternative
|
259 |
# hostnames. So disable it here
|
260 |
context.check_hostname = False
|
261 |
return context
|
262 |
|
263 |
|
264 |
def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None, |
265 |
ca_certs=None, server_hostname=None, |
266 |
ssl_version=None, ciphers=None, ssl_context=None, |
267 |
ca_cert_dir=None):
|
268 |
"""
|
269 |
All arguments except for server_hostname, ssl_context, and ca_cert_dir have
|
270 |
the same meaning as they do when using :func:`ssl.wrap_socket`.
|
271 |
|
272 |
:param server_hostname:
|
273 |
When SNI is supported, the expected hostname of the certificate
|
274 |
:param ssl_context:
|
275 |
A pre-made :class:`SSLContext` object. If none is provided, one will
|
276 |
be created using :func:`create_urllib3_context`.
|
277 |
:param ciphers:
|
278 |
A string of ciphers we wish the client to support. This is not
|
279 |
supported on Python 2.6 as the ssl module does not support it.
|
280 |
:param ca_cert_dir:
|
281 |
A directory containing CA certificates in multiple separate files, as
|
282 |
supported by OpenSSL's -CApath flag or the capath argument to
|
283 |
SSLContext.load_verify_locations().
|
284 |
"""
|
285 |
context = ssl_context |
286 |
if context is None: |
287 |
context = create_urllib3_context(ssl_version, cert_reqs, |
288 |
ciphers=ciphers) |
289 |
|
290 |
if ca_certs or ca_cert_dir: |
291 |
try:
|
292 |
context.load_verify_locations(ca_certs, ca_cert_dir) |
293 |
except IOError as e: # Platform-specific: Python 2.6, 2.7, 3.2 |
294 |
raise SSLError(e)
|
295 |
# Py33 raises FileNotFoundError which subclasses OSError
|
296 |
# These are not equivalent unless we check the errno attribute
|
297 |
except OSError as e: # Platform-specific: Python 3.3 and beyond |
298 |
if e.errno == errno.ENOENT:
|
299 |
raise SSLError(e)
|
300 |
raise
|
301 |
|
302 |
if certfile:
|
303 |
context.load_cert_chain(certfile, keyfile) |
304 |
if HAS_SNI: # Platform-specific: OpenSSL with enabled SNI |
305 |
return context.wrap_socket(sock, server_hostname=server_hostname)
|
306 |
|
307 |
warnings.warn( |
308 |
'An HTTPS request has been made, but the SNI (Subject Name '
|
309 |
'Indication) extension to TLS is not available on this platform. '
|
310 |
'This may cause the server to present an incorrect TLS '
|
311 |
'certificate, which can cause validation failures. For more '
|
312 |
'information, see '
|
313 |
'https://urllib3.readthedocs.org/en/latest/security.html'
|
314 |
'#snimissingwarning.',
|
315 |
SNIMissingWarning |
316 |
) |
317 |
return context.wrap_socket(sock)
|