diff options
| author | James Taylor <user234683@users.noreply.github.com> | 2019-02-25 20:47:49 -0800 | 
|---|---|---|
| committer | James Taylor <user234683@users.noreply.github.com> | 2019-02-25 20:47:49 -0800 | 
| commit | 1e1f55c9e5d98ba076bc67e7abe9e4d77d84c65b (patch) | |
| tree | 56eeabd9f7f0813c4b02f03f865d7cae35277d29 /python/urllib3/packages/ssl_match_hostname | |
| parent | b32330be4f15dd044e6212f526e52375f0a0f6c2 (diff) | |
| download | yt-local-1e1f55c9e5d98ba076bc67e7abe9e4d77d84c65b.tar.lz yt-local-1e1f55c9e5d98ba076bc67e7abe9e4d77d84c65b.tar.xz yt-local-1e1f55c9e5d98ba076bc67e7abe9e4d77d84c65b.zip | |
Use persistent connections
Diffstat (limited to 'python/urllib3/packages/ssl_match_hostname')
| -rw-r--r-- | python/urllib3/packages/ssl_match_hostname/__init__.py | 19 | ||||
| -rw-r--r-- | python/urllib3/packages/ssl_match_hostname/_implementation.py | 156 | 
2 files changed, 175 insertions, 0 deletions
| diff --git a/python/urllib3/packages/ssl_match_hostname/__init__.py b/python/urllib3/packages/ssl_match_hostname/__init__.py new file mode 100644 index 0000000..d6594eb --- /dev/null +++ b/python/urllib3/packages/ssl_match_hostname/__init__.py @@ -0,0 +1,19 @@ +import sys + +try: +    # Our match_hostname function is the same as 3.5's, so we only want to +    # import the match_hostname function if it's at least that good. +    if sys.version_info < (3, 5): +        raise ImportError("Fallback to vendored code") + +    from ssl import CertificateError, match_hostname +except ImportError: +    try: +        # Backport of the function from a pypi module +        from backports.ssl_match_hostname import CertificateError, match_hostname +    except ImportError: +        # Our vendored copy +        from ._implementation import CertificateError, match_hostname + +# Not needed, but documenting what we provide. +__all__ = ('CertificateError', 'match_hostname') diff --git a/python/urllib3/packages/ssl_match_hostname/_implementation.py b/python/urllib3/packages/ssl_match_hostname/_implementation.py new file mode 100644 index 0000000..d6e66c0 --- /dev/null +++ b/python/urllib3/packages/ssl_match_hostname/_implementation.py @@ -0,0 +1,156 @@ +"""The match_hostname() function from Python 3.3.3, essential when using SSL.""" + +# Note: This file is under the PSF license as the code comes from the python +# stdlib.   http://docs.python.org/3/license.html + +import re +import sys + +# ipaddress has been backported to 2.6+ in pypi.  If it is installed on the +# system, use it to handle IPAddress ServerAltnames (this was added in +# python-3.5) otherwise only do DNS matching.  This allows +# backports.ssl_match_hostname to continue to be used in Python 2.7. +try: +    import ipaddress +except ImportError: +    ipaddress = None + +__version__ = '3.5.0.1' + + +class CertificateError(ValueError): +    pass + + +def _dnsname_match(dn, hostname, max_wildcards=1): +    """Matching according to RFC 6125, section 6.4.3 + +    http://tools.ietf.org/html/rfc6125#section-6.4.3 +    """ +    pats = [] +    if not dn: +        return False + +    # Ported from python3-syntax: +    # leftmost, *remainder = dn.split(r'.') +    parts = dn.split(r'.') +    leftmost = parts[0] +    remainder = parts[1:] + +    wildcards = leftmost.count('*') +    if wildcards > max_wildcards: +        # Issue #17980: avoid denials of service by refusing more +        # than one wildcard per fragment.  A survey of established +        # policy among SSL implementations showed it to be a +        # reasonable choice. +        raise CertificateError( +            "too many wildcards in certificate DNS name: " + repr(dn)) + +    # speed up common case w/o wildcards +    if not wildcards: +        return dn.lower() == hostname.lower() + +    # RFC 6125, section 6.4.3, subitem 1. +    # The client SHOULD NOT attempt to match a presented identifier in which +    # the wildcard character comprises a label other than the left-most label. +    if leftmost == '*': +        # When '*' is a fragment by itself, it matches a non-empty dotless +        # fragment. +        pats.append('[^.]+') +    elif leftmost.startswith('xn--') or hostname.startswith('xn--'): +        # RFC 6125, section 6.4.3, subitem 3. +        # The client SHOULD NOT attempt to match a presented identifier +        # where the wildcard character is embedded within an A-label or +        # U-label of an internationalized domain name. +        pats.append(re.escape(leftmost)) +    else: +        # Otherwise, '*' matches any dotless string, e.g. www* +        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*')) + +    # add the remaining fragments, ignore any wildcards +    for frag in remainder: +        pats.append(re.escape(frag)) + +    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) +    return pat.match(hostname) + + +def _to_unicode(obj): +    if isinstance(obj, str) and sys.version_info < (3,): +        obj = unicode(obj, encoding='ascii', errors='strict') +    return obj + +def _ipaddress_match(ipname, host_ip): +    """Exact matching of IP addresses. + +    RFC 6125 explicitly doesn't define an algorithm for this +    (section 1.7.2 - "Out of Scope"). +    """ +    # OpenSSL may add a trailing newline to a subjectAltName's IP address +    # Divergence from upstream: ipaddress can't handle byte str +    ip = ipaddress.ip_address(_to_unicode(ipname).rstrip()) +    return ip == host_ip + + +def match_hostname(cert, hostname): +    """Verify that *cert* (in decoded format as returned by +    SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125 +    rules are followed, but IP addresses are not accepted for *hostname*. + +    CertificateError is raised on failure. On success, the function +    returns nothing. +    """ +    if not cert: +        raise ValueError("empty or no certificate, match_hostname needs a " +                         "SSL socket or SSL context with either " +                         "CERT_OPTIONAL or CERT_REQUIRED") +    try: +        # Divergence from upstream: ipaddress can't handle byte str +        host_ip = ipaddress.ip_address(_to_unicode(hostname)) +    except ValueError: +        # Not an IP address (common case) +        host_ip = None +    except UnicodeError: +        # Divergence from upstream: Have to deal with ipaddress not taking +        # byte strings.  addresses should be all ascii, so we consider it not +        # an ipaddress in this case +        host_ip = None +    except AttributeError: +        # Divergence from upstream: Make ipaddress library optional +        if ipaddress is None: +            host_ip = None +        else: +            raise +    dnsnames = [] +    san = cert.get('subjectAltName', ()) +    for key, value in san: +        if key == 'DNS': +            if host_ip is None and _dnsname_match(value, hostname): +                return +            dnsnames.append(value) +        elif key == 'IP Address': +            if host_ip is not None and _ipaddress_match(value, host_ip): +                return +            dnsnames.append(value) +    if not dnsnames: +        # The subject is only checked when there is no dNSName entry +        # in subjectAltName +        for sub in cert.get('subject', ()): +            for key, value in sub: +                # XXX according to RFC 2818, the most specific Common Name +                # must be used. +                if key == 'commonName': +                    if _dnsname_match(value, hostname): +                        return +                    dnsnames.append(value) +    if len(dnsnames) > 1: +        raise CertificateError("hostname %r " +            "doesn't match either of %s" +            % (hostname, ', '.join(map(repr, dnsnames)))) +    elif len(dnsnames) == 1: +        raise CertificateError("hostname %r " +            "doesn't match %r" +            % (hostname, dnsnames[0])) +    else: +        raise CertificateError("no appropriate commonName or " +            "subjectAltName fields were found") | 
