hEddlmZmZmZmZddlZddlmZddlmZm Z m Z ddl m Z ddl mZmZmZgdZd Zd Zd Zd Zd ZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(dS) )unicode_literalsdivisionabsolute_importprint_functionN)datetime) Certificateint_from_bytestimezone)CIPHER_SUITE_MAP)TLSVerificationErrorTLSDisconnectErrorTLSError)detect_client_auth_request extract_chainget_dh_params_length parse_alertparse_handshake_messagesparse_session_infoparse_tls_recordsraise_client_authraise_dh_paramsraise_disconnectionraise_expired_not_yet_validraise_handshakeraise_hostnameraise_no_issuerraise_protocol_error raise_revokedraise_self_signedraise_verificationraise_weak_signaturecg}d}t|D]0\}}}|dkr t|D]\}}|dkr|}n|rn1|rd}|t|krjt|||dz} |dz} | | z} | }|| | } |t j| |t|kj|S)a Extracts the X.509 certificates from the server handshake bytes for use when debugging :param server_handshake_bytes: A byte string of the handshake data received from the server :return: A list of asn1crypto.x509.Certificate objects N )rrlenr appendr load) server_handshake_bytesoutput chain_bytes record_type_ record_data message_type message_datapointer cert_length cert_startcert_end cert_bytess I/var/www/html/Sam_Eipo/venv/lib/python3.11/site-packages/oscrypto/_tls.pyrr#s"FK'89O'P'P# Q ' ! ! *B;*O*O   &L,w&&* '   E  8K(((((WWq[5H)IJJK 1J!K/HG$Z%89J MM+*:66 7 7 7 K(((( Mc~t|D],\}}}|dkr t|D]\}}|dkrdS-dS)a) Determines if a CertificateRequest message is sent from the server asking the client for a certificate :param server_handshake_bytes: A byte string of the handshake data received from the server :return: A boolean - if a client certificate request was found r$ TF)rr)r*r-r.r/r0r1s r7rrKsr(99O'P'P# Q ' ! ! *B;*O*O   &L,w&&ttt'  5r8cd}d}t|D]0\}}}|dkr t|D]\}}|dkr|}n|rn1|rt|dddz}|S)a Determines the length of the DH params from the ServerKeyExchange :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None or an integer of the bit size of the DH parameters Nr$ r)rrr )r*r+dh_params_bytesr-r.r/r0r1s r7rr`sFO'89O'P'P# Q ' ! ! *B;*O*O   &L,w&&".'   E :! 4559 Mr8ct|D]R\}}}|dkr t|dkrdSt|ddt|ddfcSdS)aV Parses the handshake for protocol alerts :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None or an 2-element tuple of integers: 0: 1 (warning) or 2 (fatal) 1: The alert description (see https://tools.ietf.org/html/rfc5246#section-7.2) r=Nrr)rr'r )r*r-r.r/s r7rrs(99O'P'PTT# Q ' ! !  {  q 44{1Q3/00.QqSAQ2R2RSSSS 4r8cd}d}d}d}d}d}d}t|D]\} } } | dkr t| D]\} } | dkr ddddd d | d d }t| d d}|d kr | dd|z}d|z}| ||d z}t|}|d z}| ||dzdk}|dz}| |d}t |D]\}}|dkrd}nt|D]\} } } | dkr t| D]\} } | dkr t| d d}|d kr | dd|z}d|z}t| ||d z}|d z|z}t| ||dz}|3|1|dz|z}| |d}t |D]\}}|dkrd}n||d}n ||krd}nd}|||||dS)a Parse the TLS handshake from the client to the server to extract information including the cipher suite selected, if compression is enabled, the session id and if a new or reused session ticket exists. :param server_handshake_bytes: A byte string of the handshake data received from the server :param client_handshake_bytes: A byte string of the handshake data sent to the server :return: A dict with the following keys: - "protocol": unicode string - "cipher_suite": unicode string - "compression": boolean - "session_id": "new", "reused" or None - "session_ticket: "new", "reused" or None NFr$SSLv3TLSv1zTLSv1.1zTLSv1.2zTLSv1.3)sssssrr="#rnewreused)protocol cipher_suite compression session_idsession_ticket)rrr r _parse_hello_extensions)r*client_handshake_bytesrLrMrNrOrPserver_session_idclient_session_idr-r.r/r0r1session_id_lengthcipher_suite_startcipher_suite_bytescompression_startextensions_length_startextensions_dataextension_typeextension_datacipher_suite_lengthcompression_lengths r7rrs8*HLKJN'89O'P'P  # Q ' ! ! *B;*O*O   &L,w&&$$&&&  1Q3 !H!/|BrE/B C C  1$$$0B9J4J1J$K!!#&7!7 !-.@ASVWAW.W!X +,>?L 2Q 6 &'89JQ9N'NOSZZK&7!&; #*+B+C+CDO2I/2Z2Z  .!R''%*NE( '89O'P'P# Q ' ! ! *B;*O*O   &L,w&& .|BrE/B C C  1$$$0B9J4J1J$K!!#&7!7 "0>PQcfgQg>g1h"i"i  2Q 69L L !/ =NO`cdOd=d0e!f!f !(^-C*;a*?BT*T'"./F/G/G"H6Mo6^6^2NN%++)1, $  $JJ $555" % $" (   r8c#Kd}t|}||krq|||dzdkrdSt||dz|dz}|||dz||dz|dz||dz|dz|zfV|d|zz }||kodSdS)a Creates a generator returning tuples of information about each record in a byte string of data from a TLS client or server. Stops as soon as it find a ChangeCipherSpec message since all data from then on is encrypted. :param data: A byte string of TLS records :return: A generator that yields 3-element tuples: [0] Byte string of record type [1] Byte string of protocol version [2] Byte string of record data rrr&Nr'r datar2data_lenlengths r7rrs G4yyH H   ! # $ / / EWq[1%< =>> 1$ % 1Wq[( ) 1Wq[611 2    1v: H      r8c#Kd}t|}||krOt||dz|dz}|||dz||dz|dz|zfV|d|zz }||kMdSdS)a` Creates a generator returning tuples of information about each message in a byte string of data from a TLS handshake record :param data: A byte string of a TLS handshake record data :return: A generator that yields 2-element tuples: [0] Byte string of message type [1] Byte string of message data rrNrbrcs r7rr#sG4yyH H  Wq[1%< =>> 1$ % 1Wq[611 2     1v: H      r8c#"K|dkrdSt|dd}d}d|z}|}||kr^t|||dz}t||dz|dz}|||dz|dz|zfV|d|zz }||k\dSdS)a Creates a generator returning tuples of information about each extension from a byte string of extension data contained in a ServerHello ores ClientHello message :param data: A byte string of a extension data from a TLS ServerHello or ClientHello message :return: A generator that yields 2-element tuples: [0] Byte string of extension type [1] Byte string of extension data r8Nrr=rh)r )rdextentions_lengthextensions_startextensions_endr2r[extension_lengths r7rQrQ<s  s{{&tAaCy11**NG N " "'WWq[-@(ABB)$w{7Q;/F*GHH  1Wq[+;;; <     1''' N " " " " " "r8cDtjd|p|ddk}|rd|z}nd|z}d|z}d|j}d|j}|r|d|zz }|r|r|d z }|r|d |zz }t ||) z Raises a TLSVerificationError due to a hostname mismatch :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError z^\d+\.\d+\.\d+\.\d+$:z IP address %szdomain name %sz:Server certificate verification failed - %s does not matchz, z valid domains: %sz orz valid IP addresses: %s)rematchfindjoin valid_ips valid_domainsr ) certificatehostnameis_ip hostname_typemessagerurvs r7rr^s H2H = = YsASASWYAYE 4'(2 (83 J]ZG +/00IIIk788M8'-7759,y88 w 4 44r8c&d}t||)z Raises a generic TLSVerificationError :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError z&Server certificate verification failedr rwr{s r7r!r!zs7G w 4 44r8c&d}t||)z Raises a TLSVerificationError when a certificate uses a weak signature algorithm :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zMServer certificate verification failed - weak certificate signature algorithmr}r~s r7r"r"s^G w 4 44r8c$d}t|)zg Raises a TLSError indicating client authentication is required :raises: TLSError z5TLS handshake failed - client authentication requiredr)r{s r7rrsFG 7  r8c&d}t||)z Raises a TLSVerificationError due to the certificate being revoked :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zEServer certificate verification failed - certificate has been revokedr}r~s r7rrsVG w 4 44r8c&d}t||)z Raises a TLSVerificationError due to no issuer certificate found in trust roots :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zgServer certificate verification failed - certificate issuer not found in trusted root certificate storer}r~s r7rrsxG w 4 44r8c&d}t||)z Raises a TLSVerificationError due to a self-signed certificate roots :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zCServer certificate verification failed - certificate is self-signedr}r~s r7r r sTG w 4 44r8c&d}t||)z Raises a TLSVerificationError due to a certificate lifetime exceeding the CAB forum certificate lifetime limit :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError zIServer certificate verification failed - certificate lifetime is too longr}r~s r7raise_lifetime_too_longrsZG w 4 44r8c0|dd}|dj}|dj}tjtj}||kr|d}d|z}n ||kr|d}d|z}t ||)z Raises a TLSVerificationError due to certificate being expired, or not yet being valid :param certificate: An asn1crypto.x509.Certificate object :raises: TLSVerificationError tbs_certificatevalidity not_after not_beforez%Y-%m-%d %H:%M:%SZzGServer certificate verification failed - certificate not valid until %sz?Server certificate verification failed - certificate expired %s)nativernowr utcstrftimer )rwrrrrformatted_beforer{formatted_afters r7rrs,-j9H%,I,'.J ,x| $ $CC%../CDD[^nn S#,,-ABBSVee w 4 44r8c td)ze Raises a TLSDisconnectError due to a disconnection :raises: TLSDisconnectError z$The remote end closed the connection)rr8r7rrs C D DDr8cft|}|rtd|ztd)z Raises a TLSError due to a protocol error :param server_handshake_bytes: A byte string of the handshake data received from the server :raises: TLSError z.TLS protocol error - server responded using %sz@TLS protocol error - server responded using a different protocol)detect_other_protocolr)r*other_protocols r7rr s>++ABBNZG.XYYY U V VVr8c td)zS Raises a TLSError due to a handshake error :raises: TLSError zTLS handshake failedrrr8r7rrs ) * **r8c td)z_ Raises a TLSError due to a TLS version incompatibility :raises: TLSError z-TLS handshake failed - protocol version errorrrr8r7raise_protocol_versionr)s B C CCr8c td)zP Raises a TLSError due to weak DH params :raises: TLSError z)TLS handshake failed - weak DH parametersrrr8r7rr4s > ? ??r8c|dddkrdS|dddkr$tjd|tjrdSd S|ddd krdS|ddd krd S|ddd ks|dddkrdSdS)a Looks at the server handshake bytes to try and detect a different protocol :param server_handshake_bytes: A byte string of the handshake data received from the server :return: None, or a unicode string of "ftp", "http", "imap", "pop3", "smtp" rrasHTTP/HTTPrhs220 s ^[^ ]*ftpFTPSMTPs220-s+OK POP3s* OK s * PREAUTHIMAPN)rqrrI)r*s r7rr?sac"h..vac"g-- 8O%;RT B B 56ac"g--uac"g--vac"g--1G!1LP\1\1\v 4r8)) __future__rrrrrqr_asn1r r r _cipher_suitesr errorsr rr__all__rrrrrrrrQrr!r"rrrr rrrrrrrrrr8r7rsRRRRRRRRRRRR 8888888888,,,,,,FFFFFFFFFF   .%%%P*>,lll^>2(((D5558 5 5 5 5 5 5    5 5 5 5 5 5 5 5 5 5 5 5 5558EEEWWW&+++DDD@@@r8