o -׾gE@s$ddlmZmZmZmZddlZddlmZddlmZm Z m Z ddl m Z ddl mZmZmZgdZd d Zd d Zd dZddZddZddZddZddZddZddZddZdd Zd!d"Zd#d$Zd%d&Z d'd(Z!d)d*Z"d+d,Z#d-d.Z$d/d0Z%d1d2Z&d3d4Z'd5d6Z(dS)7)unicode_literalsdivisionabsolute_importprint_functionN)datetime) Certificateint_from_bytestimezone)CIPHER_SUITE_MAP)TLSVerificationErrorTLSDisconnectErrorTLSError)detect_client_auth_request extract_chainget_dh_params_length parse_alertparse_handshake_messagesparse_session_infoparse_tls_recordsraise_client_authraise_dh_paramsraise_disconnectionraise_expired_not_yet_validraise_handshakeraise_hostnameraise_no_issuerraise_protocol_error raise_revokedraise_self_signedraise_verificationraise_weak_signaturec Csg}d}t|D]\}}}|dkrqt|D] \}}|dkr"|}nq|r'nq|rZd}|t|krZt|||d} |d} | | } | }|| | } |t| |t|ks2|S)a Extracts the X.509 certificates from the server handshake bytes for use when debugging :param server_handshake_bytes: A byte string of the handshake data received from the server :return: A list of asn1crypto.x509.Certificate objects N )rrlenr appendrload) server_handshake_bytesoutput chain_bytes record_type_ record_data message_type message_datapointer cert_length cert_startcert_end cert_bytesr5W/var/www/html/backend_erp/backend_erp_env/lib/python3.10/site-packages/oscrypto/_tls.pyr#s0    rcCsDt|D]\}}}|dkrqt|D] \}}|dkrdSqqdS)a) Determines if a CertificateRequest message is sent from the server asking the client for a certificate :param server_handshake_bytes: A byte string of the handshake data received from the server :return: A boolean - if a client certificate request was found r" TF)rr)r(r+r,r-r.r/r5r5r6rKs rcCsld}d}t|D]\}}}|dkrqt|D] \}}|dkr"|}nq|r'nq|r4t|ddd}|S)a Determines the length of the DH params from the ServerKeyExchange :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None or an integer of the bit size of the DH parameters Nr" r)rrr )r(r)dh_params_bytesr+r,r-r.r/r5r5r6r`s  rcCsVt|D]$\}}}|dkrqt|dkrdSt|ddt|ddfSdS)aV Parses the handshake for protocol alerts :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None or an 2-element tuple of integers: 0: 1 (warning) or 2 (fatal) 1: The alert description (see https://tools.ietf.org/html/rfc5246#section-7.2) r9Nrr)rr%r )r(r+r,r-r5r5r6rs  $rcCs2d}d}d}d}d}d}d}t|D]s\} } } | dkrqt| D]d\} } | dkr)q ddddd d | d d }t| d d}|d krK| dd|}d|}| ||d }t|}|d }| ||ddk}|d}| |d}t|D] \}}|dkrd}nqwqt|D]o\} } } | dkrqt| D]`\} } | dkrqt| d d}|d kr| dd|}d|}t| ||d }|d |}t| ||d}|dur|dur|d|}| |d}t|D] \}}|dkrd}nqq|dur|durd}n ||krd}nd}|||||dS)a Parse the TLS handshake from the client to the server to extract information including the cipher suite selected, if compression is enabled, the session id and if a new or reused session ticket exists. :param server_handshake_bytes: A byte string of the handshake data received from the server :param client_handshake_bytes: A byte string of the handshake data sent to the server :return: A dict with the following keys: - "protocol": unicode string - "cipher_suite": unicode string - "compression": boolean - "session_id": "new", "reused" or None - "session_ticket: "new", "reused" or None NFr"SSLv3TLSv1zTLSv1.1zTLSv1.2zTLSv1.3)sssssrr9"#rnewreused)protocol cipher_suite compression session_idsession_ticket)rrr r _parse_hello_extensions)r(client_handshake_bytesrFrGrHrIrJserver_session_idclient_session_idr+r,r-r.r/session_id_lengthcipher_suite_startcipher_suite_bytescompression_startextensions_length_startextensions_dataextension_typeextension_datacipher_suite_lengthcompression_lengthr5r5r6rs        rccsd}t|}||krM|||ddkrdSt||d|d}|||d||d|d||d|d|fV|d|7}||ks dSdS)a Creates a generator returning tuples of information about each record in a byte string of data from a TLS client or server. Stops as soon as it find a ChangeCipherSpec message since all data from then on is encrypted. :param data: A byte string of TLS records :return: A generator that yields 3-element tuples: [0] Byte string of record type [1] Byte string of protocol version [2] Byte string of record data rrr$Nr%r datar0data_lenlengthr5r5r6rs rccstd}t|}||kr8t||d|d}|||d||d|d|fV|d|7}||ks dSdS)a` Creates a generator returning tuples of information about each message in a byte string of data from a TLS handshake record :param data: A byte string of a TLS handshake record data :return: A generator that yields 2-element tuples: [0] Byte string of message type [1] Byte string of message data rrNr[r\r5r5r6r#s rccs|dkrdSt|dd}d}d|}|}||krLt|||d}t||d|d}|||d|d|fV|d|7}||ksdSdS)a Creates a generator returning tuples of information about each extension from a byte string of extension data contained in a ServerHello ores ClientHello message :param data: A byte string of a extension data from a TLS ServerHello or ClientHello message :return: A generator that yields 2-element tuples: [0] Byte string of extension type [1] Byte string of extension data Nrr9r`)r )r]extentions_lengthextensions_startextensions_endr0rUextension_lengthr5r5r6rK<s rKcCstd|p |ddk}|rd|}nd|}d|}d|j}d|j}|r0|d|7}|r8|r8|d 7}|r@|d |7}t||) z Raises a TLSVerificationError due to a hostname mismatch :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError z^\d+\.\d+\.\d+\.\d+$:z IP address %szdomain name %sz:Server certificate verification failed - %s does not matchz, z valid domains: %sz orz valid IP addresses: %s)rematchfindjoin valid_ips valid_domainsr ) certificatehostnameis_ip hostname_typemessagerlrmr5r5r6r^s       rcCd}t||)z Raises a generic TLSVerificationError :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError z&Server certificate verification failedr rnrrr5r5r6r z r cCrs)z Raises a TLSVerificationError when a certificate uses a weak signature algorithm :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zMServer certificate verification failed - weak certificate signature algorithmrtrur5r5r6r! r!cCs d}t|)zg Raises a TLSError indicating client authentication is required :raises: TLSError z5TLS handshake failed - client authentication requiredr)rrr5r5r6rsrcCrs)z Raises a TLSVerificationError due to the certificate being revoked :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zEServer certificate verification failed - certificate has been revokedrtrur5r5r6rrvrcCrs)z Raises a TLSVerificationError due to no issuer certificate found in trust roots :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zgServer certificate verification failed - certificate issuer not found in trusted root certificate storertrur5r5r6rrwrcCrs)z Raises a TLSVerificationError due to a self-signed certificate roots :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zCServer certificate verification failed - certificate is self-signedrtrur5r5r6rrwrcCrs)z Raises a TLSVerificationError due to a certificate lifetime exceeding the CAB forum certificate lifetime limit :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zIServer certificate verification failed - certificate lifetime is too longrtrur5r5r6raise_lifetime_too_longrwrycCsl|dd}|dj}|dj}ttj}||kr$|d}d|}n ||kr1|d}d|}t||)z Raises a TLSVerificationError due to certificate being expired, or not yet being valid :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError tbs_certificatevalidity not_after not_beforez%Y-%m-%d %H:%M:%SZzGServer certificate verification failed - certificate not valid until %sz?Server certificate verification failed - certificate expired %s)nativernowr utcstrftimer )rnr{r|r}rformatted_beforerrformatted_afterr5r5r6rs       rcCtd)ze Raises a TLSDisconnectError due to a disconnection :raises: TLSDisconnectError z$The remote end closed the connection)r r5r5r5r6rrcCs t|}|r td|td)z Raises a TLSError due to a protocol error :param server_handshake_bytes: A byte string of the handshake data received from the server :raises: TLSError z.TLS protocol error - server responded using %sz@TLS protocol error - server responded using a different protocol)detect_other_protocolr)r(other_protocolr5r5r6r s  rcCr)zS Raises a TLSError due to a handshake error :raises: TLSError zTLS handshake failedrxr5r5r5r6rrrcCr)z_ Raises a TLSError due to a TLS version incompatibility :raises: TLSError z-TLS handshake failed - protocol version errorrxr5r5r5r6raise_protocol_version)rrcCr)zP Raises a TLSError due to weak DH params :raises: TLSError z)TLS handshake failed - weak DH parametersrxr5r5r5r6r4rrcCs|dddkr dS|dddkrtd|tjrdSd S|ddd kr(dS|ddd kr2d S|ddd ksB|dddkrDdSdS)a Looks at the server handshake bytes to try and detect a different protocol :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None, or a unicode string of "ftp", "http", "imap", "pop3", "smtp" rrZsHTTP/HTTPr`s220 s ^[^ ]*ftpFTPSMTPs220-s+OK POP3s* OK s * PREAUTHIMAPN)rhriI)r(r5r5r6r?s  r)) __future__rrrrrhr_asn1rr r _cipher_suitesr errorsr r r__all__rrrrrrrrKrr r!rrrrryrrrrrrrr5r5r5r6s<  (o"