ó
èEYc@@sádZd
dl
mZ
d
dlZd
dlmZ
d
dlmZ	
d
dl
mZ
d
dlm
Z
mZ
d
dlmZ
yd
d	lmZ
Wn'ek
rµ


dZd
dlmZ
n
Xd
dlZd
dlZd
dlZd
dlZd
dlmZ
d
dgZeZiej j!ej"6ej j#ej$6Z%e&edƒre
e&ej dƒre
ej j'e%ej(<ne&edƒrœ
e&ej dƒrœ
ej j)e%ej*<ny!e%j+i
ej j,ej-6ƒ

Wne.k
rÐ



n
Xiej j/ej06ej j1ej26ej j1ej j3ej46Z5e6d„e5j7ƒDƒ
ƒ
Z8dZ9ejZ:ej;j<Z=ej>e?ƒ
Z@d„ZAd„ZBd„ZCd„ZDd„ZEdeFf
d„ƒYZGer¯dd„
ZHneZHeHeG_HdeFf
d„ƒYZId „ZJdS(!sb
SSL with SNI_-support for Python 2. Follow these instructions if you would
like to verify SSL certificates in Python 2. Note, the default libraries do
*not* do certificate checking; you need to do additional work to validate
certificates yourself.

This needs the following packages installed:

* pyOpenSSL (tested with 16.0.0)
* cryptography (minimum 1.3.4, from pyopenssl)
* idna (minimum 2.0, from cryptography)

However, pyopenssl depends on cryptography, which depends on idna, so while we
use all three directly here we end up having relatively few packages required.

You can install them with the following command:

    pip install pyopenssl cryptography idna

To activate certificate checking, call
:func:`~urllib3.contrib.pyopenssl.inject_into_urllib3` from your Python code
before you begin making HTTP requests. This can be done in a ``sitecustomize``
module, or at any other time before your application begins using ``urllib3``,
like this::

    try:
        import urllib3.contrib.pyopenssl
        urllib3.contrib.pyopenssl.inject_into_urllib3()
    except ImportError:
        pass

Now you can use :mod:`urllib3` as you normally would, and it will support SNI
when the required modules are installed.

Activating this module also has the positive side effect of disabling SSL/TLS
compression in Python 2 (see `CRIME attack`_).

If you want to configure the default list of supported cipher suites, you can
set the ``urllib3.contrib.pyopenssl.DEFAULT_SSL_CIPHER_LIST`` variable.

.. _sni: https://en.wikipedia.org/wiki/Server_Name_Indication
.. _crime attack: https://en.wikipedia.org/wiki/CRIME_(security_exploit)
i(
tabsolute_importN(
tx509(
tbackend(
t_Certificate(ttimeoutterror(
tBytesIO(
t_fileobjecti(
tbackport_makefile(
tutiltinject_into_urllib3textract_from_urllib3tPROTOCOL_TLSv1_1tTLSv1_1_METHODtPROTOCOL_TLSv1_2tTLSv1_2_METHODc
c@s!|]\}
}||
fV
qdS(
N((t.0t
kt
v((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pys	<genexpr>`si@cC@sAtƒ
t
tj_tt_ttj_tt_ttj_d
S(s7Monkey-patch urllib3 with PyOpenSSL-backed SSL-support.N(t_validate_dependencies_mettPyOpenSSLContextR	tssl_t
SSLContexttHAS_SNItTruetIS_PYOPENSSL(((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyR
ms
	

	
cC@s:tt
j_tt
_tt
j_tt
_tt
j_d
S(s4Undo monkey-patching by :func:`inject_into_urllib3`.N(torig_util_SSLContextR	RRtorig_util_HAS_SNIRtFalseR(((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRys

	

	
cC@s{d
dlm
}
t|ddƒdkr7tdƒ
‚
nd
dlm}

|
ƒ}t|ddƒdkrwtdƒ
‚
ndS(	s{
    Verifies that PyOpenSSL's package-level dependencies have been met.
    Throws `ImportError` if they are not met.
    i(
t
Extensionstget_extension_for_classsX'cryptography' module missing required functionality.  Try upgrading to v1.3.4 or newer.(
tX509t_x509sS'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.N(tcryptography.x509.extensionsRtgetattrtNonetImportErrortOpenSSL.cryptoR(RRR
((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRƒs


	

c
C@s:d
„}
|
|ƒ
}tj
dkr6|jdƒ
}n|S(s³

    Converts a dNSName SubjectAlternativeName field to the form used by the
    standard library on the given Python version.

    Cryptography produces a dNSName as a unicode string that was idna-decoded
    from ASCII bytes. We need to idna-encode that string to get it back, and
    then on Python 3 we also need to convert to unicode via UTF-8 (the stdlib
    uses PyUnicode_FromStringAndSize on it, which decodes via UTF-8).
    c
S@sid
dl}
xMddgD]?}|j
|ƒ
r|t|ƒ
}|jdƒ
|
j|ƒ
SqW|
j|ƒ
S(sÒ
        Borrowed wholesale from the Python Cryptography Project. It turns out
        that we can't just safely call `idna.encode`: it can explode for
        wildcard names. This avoids that problem.
        iNu*.u
.tascii(tidnat
startswithtlentencode(tnameR'tprefix((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytidna_encode¡s



iisutf-8(ii(tsystversion_infotdecode(R+R-((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyt_dnsname_to_stdlib—s

	


c
C@sÖtt
|jƒ}
y|
jjtjƒ
j}WnMtjk
rE


gStj	tj
tjtfk
r}
}
t
jd
|ƒ
gSXg|jtjƒ
D]}dt|ƒ
f^q‘}|jd„|jtjƒ
Dƒ
ƒ

|S(sU
    Given an PyOpenSSL certificate, provides all the subject alternative names.
    s­A problem was encountered with the certificate that prevented urllib3 from finding the SubjectAlternativeName field. This can affect certificate validation. The error was %stDNSc
s@s!|]}
dt|
ƒ
fV
qd
S(s
IP AddressN(
tstr(RR+((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pys	<genexpr>Þs
(Rtopenssl_backendR t
extensionsRR
tSubjectAlternativeNametvaluetExtensionNotFoundtDuplicateExtensiontUnsupportedExtensiontUnsupportedGeneralNameTypetUnicodeErrortlogtwarningtget_values_for_typetDNSNameR1textendt	IPAddress(t	peer_certtcerttextt
eR+tnames((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytget_subj_alt_nameµs$
	




	
.

t
WrappedSocketcB@s‰eZ
dZed
„
Zd„Zd„Zd„Zd„Zd„Z	d„Z
d„Zd	„Zd
„Z
ed„
Zd„Zd
„ZRS(s§API-compatibility wrapper for Python OpenSSL's Connection-class.

    Note: _makefile_refs, _drop() and _reuse() are needed for the garbage
    collector of pypy.
    cC@s1|
|_||_
||_d
|_t|_dS(Ni(t
connectiontsockettsuppress_ragged_eofst_makefile_refsRt_closed(tselfRJRKRL((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyt__init__ìs

	
	
	
	
c


C@s
|jj
ƒS(
N(RKtfileno(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRQós
c

C@s;|jd
kr!|jd8_n|j
r7|jƒ
ndS(Nii
(RMRNtclose(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyt_decref_socketios÷s


	
c
O@sþy|jj
|
|Ž}WnÚtjjk
rb
}
|jrM|jdkrMdStt|ƒ
ƒ
‚
n˜tjj	k
rœ
}
|jj
ƒtjjkr–dS‚n^tjjk
rõ


t
j|j|jjƒƒ}|sâtdƒ
‚
qú|j
|
|ŽSnX|SdS(NiÿÿÿÿsUnexpected EOFtsThe read operation timed out(iÿÿÿÿsUnexpected EOF(RJtrecvtOpenSSLtSSLtSysCallErrorRLtargstSocketErrorR3tZeroReturnErrortget_shutdowntRECEIVED_SHUTDOWNt
WantReadErrorR	t
wait_for_readRKt
gettimeoutR(RORYtkwargstdataRFtrd((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRUýs 











c
O@søy|jj
|
|ŽSWnÚtjjk
r`
}
|jrK|jdkrKdStt|ƒ
ƒ
‚
n”tjj	k
rš
}
|jj
ƒtjjkr”dS‚nZtjjk
ró


t
j|j|jjƒƒ}|sàtdƒ
‚
qô|j
|
|ŽSn
XdS(NiÿÿÿÿsUnexpected EOFisThe read operation timed out(iÿÿÿÿsUnexpected EOF(RJt	recv_intoRVRWRXRLRYRZR3R[R\R]R^R	R_RKR`R(RORYRaRFRc((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRd
s











cC@s|jj
|
ƒ
S(
N(RKt
settimeout(ROR((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRe'
s
cC@sœx•tr—y|j
j|
ƒ
SWqtjjk
ri


tj|j|jj	ƒƒ}|st
ƒ‚
qqqtjjk
r“
}
tt
|ƒ
ƒ
‚
qXqWdS(
N(RRJtsendRVRWtWantWriteErrorR	twait_for_writeRKR`RRXRZR3(RORbtwrRF((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyt_send_until_done*
s
	








cC@sGd
}x:|t|
ƒ
krB|j
|
||t!ƒ
}||7}q	WdS(Ni(R)RjtSSL_WRITE_BLOCKSIZE(RORbt
total_senttsent((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytsendall6
s



c


C@s|jj
ƒ
dS(
N(RJtshutdown(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRo<
sc

C@sZ|jd
krGyt
|_|jjƒSWqVtjjk
rC


dSXn|jd
8_dS(Ni
(RMRRNRJRRRVRWtError(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRR@
s


	


cC@se|jj
ƒ}|s|S|
r8tjjtjj|ƒSid
|jƒjff
f
d6t|ƒ
d6S(Nt
commonNametsubjecttsubjectAltName(	RJtget_peer_certificateRVtcryptotdump_certificatet
FILETYPE_ASN1tget_subjecttCNRH(ROtbinary_formR
((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytgetpeercertJ
s


	
	
c

C@s|jd
7_dS(Ni
(
RM(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyt_reuse\
s
c

C@s/|jd
kr|j
ƒ
n|jd
8_dS(Ni
(RMRR(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyt_drop_
s


(t__name__t
__module__t__doc__RRPRQRSRURdReRjRnRoRRRR{R|R}(((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRIås									
	iÿÿÿÿcC@s%|jd
7_t
||
|dtƒ
S(Ni
RR(RMRR(ROtmodetbufsize((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytmakefileg
s

RcB@s¡eZ
dZd
„Zed„ƒ
Zejd„ƒ
Zed„ƒ
Zejd„ƒ
Zd„Zd„Z	dddd„Zddd	„Ze
eedd
„ZRS(sÂ
    I am a wrapper class for the PyOpenSSL ``Context`` object. I am responsible
    for translating the interface of the standard library ``SSLContext`` object
    to calls into PyOpenSSL.
    cC@s;t|
|_
tjj|j
ƒ
|_d
|_t|_dS(Ni(	t_openssl_versionstprotocolRVRWtContextt_ctxt_optionsRtcheck_hostname(ROR…((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRPv
s



	
c


C@s|jS(
N(
Rˆ(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytoptions|
scC@s|
|_|j
j|
ƒ

dS(
N(RˆR‡tset_options(ROR7((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRŠ€
s	
c

C@st|j
jƒS(
N(t_openssl_to_stdlib_verifyR‡tget_verify_mode(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytverify_mode…
scC@s|jj
t|
tƒ
dS(
N(R‡t
set_verifyt_stdlib_to_openssl_verifyt_verify_callback(ROR7((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRŽ‰
s	

c


C@s|jj
ƒ
dS(
N(R‡tset_default_verify_paths(
RO((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyR’
s
cC@s8t|
t
jƒr$|
jd
ƒ
}
n|jj|
ƒ

dS(Nsutf-8(t
isinstancetsixt	text_typeR*R‡tset_cipher_list(ROtciphers((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytset_ciphers“
s


cC@sx|
dk	r|
j
d
ƒ
}
n|dk	r<|j
d
ƒ
}n|jj|
|ƒ
|dk	rt|jjt|ƒ
ƒ

ndS(Nsutf-8(R#R*R‡tload_verify_locationsR(ROtcafiletcapathtcadata((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyR™˜
s






c@sR|jj
|
ƒ

ˆdk	r8|jj‡f
d
†ƒ

n|jj|pJ|
ƒ

dS(Nc
@sˆS(
N((t
max_lengthtprompt_twicetuserdata(
tpassword(sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyt<lambda>¤
s(R‡tuse_certificate_fileR#t
set_passwd_cbtuse_privatekey_file(ROtcertfiletkeyfileR ((
R sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytload_cert_chain¡
s



c	C@s
tj
j|j|
ƒ}t|tjƒr<|jd
ƒ
}n|dk	rX|j	|ƒ

n|j
ƒ
xŽtròy|jƒ
Wnrtj
j
k
rÂ


tj|
|
jƒƒ}|setdƒ
‚
qeqen,tj
jk
rí
}
tjd|ƒ
‚
n
XPqeWt||
ƒS(Nsutf-8sselect timed outsbad handshake: %r(RVRWt
ConnectionR‡R“R”R•R*R#tset_tlsext_host_nametset_connect_stateRtdo_handshakeR^R	R_R`RRptssltSSLErrorRI(	ROtsocktserver_sidetdo_handshake_on_connectRLtserver_hostnametcnxRcRF((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pytwrap_socket§
s$


	









N(R~RR€RPtpropertyRŠtsetterRŽR’R˜R#R™R§RRR³(((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyRp
s
				

cC@s
|d
kS(Ni((R²R
terr_not	err_depthtreturn_code((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyR‘Ã
s
(KR€t
__future__RtOpenSSL.SSLRVtcryptographyR
t$cryptography.hazmat.backends.opensslRR4t)cryptography.hazmat.backends.openssl.x509RRKRRRZtioRRR$R#tpackages.backports.makefileRtloggingR¬R”R.RTR	t__all__RRRWt
SSLv23_METHODtPROTOCOL_SSLv23tTLSv1_METHODtPROTOCOL_TLSv1R„thasattrR
RRRtupdatetSSLv3_METHODtPROTOCOL_SSLv3tAttributeErrortVERIFY_NONEt	CERT_NONEtVERIFY_PEERt
CERT_OPTIONALtVERIFY_FAIL_IF_NO_PEER_CERTt
CERT_REQUIREDRtdicttitemsRŒRkRRRRt	getLoggerR~R=R
RRR1RHtobjectRIRƒRR‘(((sN/home/tvault/.virtenv/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.pyt<module>+sh














!
!

!





	
		
			0
	S