o US`c@sddlZddlZddlmZddlZddlm Z m Z ddl m Z ddl mZddlmZmZdZd d ZGd d d eZGd ddZedgdZGddde edZGddde eedZdS)N)Enum)StreamListener)aclose_forcefully)_sync)ConflictDetectorFinali@cCs t|tjpt|dod|jvS)NstrerrorZUNEXPECTED_EOF_WHILE_READING) isinstance _stdlib_ssl SSLEOFErrorhasattrr )excr4/usr/local/lib/python3.10/dist-packages/trio/_ssl.py_is_eofs rc@seZdZdZdS)NeedHandshakeErrorzSome :class:`SSLStream` methods can't return any meaningful data until after the handshake. If you call them before the handshake, they raise this error. N)__name__ __module__ __qualname____doc__rrrrrsrc@s(eZdZddZddZeddZdS)_OncecGs ||_||_d|_t|_dS)NF)_afn_argsstartedrEvent_done)selfZafnargsrrr__init__sz_Once.__init__csT|jsd|_|j|jIdH|jdS|s |jr dS|jIdHdS)NT)rrrrsetis_setwait)r checkpointrrrensuresz _Once.ensurecCs |jSN)rr"rrrrdones z _Once.doneN)rrrr r%propertyr(rrrrrs  r_State)OKBROKENCLOSEDcseZdZdZddddddZhdZhdZd d Zfd d Zfd dZ ddZ dddddZ ddZ ddZ d"ddZddZddZddZd d!ZZS)# SSLStreamaEncrypted communication using SSL/TLS. :class:`SSLStream` wraps an arbitrary :class:`~trio.abc.Stream`, and allows you to perform encrypted communication over it using the usual :class:`~trio.abc.Stream` interface. You pass regular data to :meth:`send_all`, then it encrypts it and sends the encrypted data on the underlying :class:`~trio.abc.Stream`; :meth:`receive_some` takes encrypted data out of the underlying :class:`~trio.abc.Stream` and decrypts it before returning it. You should read the standard library's :mod:`ssl` documentation carefully before attempting to use this class, and probably other general documentation on SSL/TLS as well. SSL/TLS is subtle and quick to anger. Really. I'm not kidding. Args: transport_stream (~trio.abc.Stream): The stream used to transport encrypted data. Required. ssl_context (~ssl.SSLContext): The :class:`~ssl.SSLContext` used for this connection. Required. Usually created by calling :func:`ssl.create_default_context`. server_hostname (str or None): The name of the server being connected to. Used for `SNI `__ and for validating the server's certificate (if hostname checking is enabled). This is effectively mandatory for clients, and actually mandatory if ``ssl_context.check_hostname`` is ``True``. server_side (bool): Whether this stream is acting as a client or server. Defaults to False, i.e. client mode. https_compatible (bool): There are two versions of SSL/TLS commonly encountered in the wild: the standard version, and the version used for HTTPS (HTTP-over-SSL/TLS). Standard-compliant SSL/TLS implementations always send a cryptographically signed ``close_notify`` message before closing the connection. This is important because if the underlying transport were simply closed, then there wouldn't be any way for the other side to know whether the connection was intentionally closed by the peer that they negotiated a cryptographic connection to, or by some `man-in-the-middle `__ attacker who can't manipulate the cryptographic stream, but can manipulate the transport layer (a so-called "truncation attack"). However, this part of the standard is widely ignored by real-world HTTPS implementations, which means that if you want to interoperate with them, then you NEED to ignore it too. Fortunately this isn't as bad as it sounds, because the HTTP protocol already includes its own equivalent of ``close_notify``, so doing this again at the SSL/TLS level is redundant. But not all protocols do! Therefore, by default Trio implements the safer standard-compliant version (``https_compatible=False``). But if you're speaking HTTPS or some other protocol where ``close_notify``\s are commonly skipped, then you should set ``https_compatible=True``; with this setting, Trio will neither expect nor send ``close_notify`` messages. If you have code that was written to use :class:`ssl.SSLSocket` and now you're porting it to Trio, then it may be useful to know that a difference between :class:`SSLStream` and :class:`ssl.SSLSocket` is that :class:`~ssl.SSLSocket` implements the ``https_compatible=True`` behavior by default. Attributes: transport_stream (trio.abc.Stream): The underlying transport stream that was passed to ``__init__``. An example of when this would be useful is if you're using :class:`SSLStream` over a :class:`~trio.SocketStream` and want to call the :class:`~trio.SocketStream`'s :meth:`~trio.SocketStream.setsockopt` method. Internally, this class is implemented using an instance of :class:`ssl.SSLObject`, and all of :class:`~ssl.SSLObject`'s methods and attributes are re-exported as methods and attributes on this class. However, there is one difference: :class:`~ssl.SSLObject` has several methods that return information about the encrypted connection, like :meth:`~ssl.SSLSocket.cipher` or :meth:`~ssl.SSLSocket.selected_alpn_protocol`. If you call them before the handshake, when they can't possibly return useful data, then :class:`ssl.SSLObject` returns None, but :class:`trio.SSLStream` raises :exc:`NeedHandshakeError`. This also means that if you register a SNI callback using `~ssl.SSLContext.sni_callback`, then the first argument your callback receives will be a :class:`ssl.SSLObject`. NF)server_hostname server_sidehttps_compatiblecCs||_tj|_||_t|_d|_t|_ |j |j |j||d|_ t |j |_t|_d|_t|_td|_td|_t|_dS)N)r0r/rz8another task is currently sending data on this SSLStreamz:another task is currently receiving data on this SSLStream)transport_streamr*r+_state_https_compatibler MemoryBIO _outgoing_delayed_outgoing _incomingwrap_bio _ssl_objectr _do_handshake _handshookrZStrictFIFOLock_inner_send_lock_inner_recv_countLock_inner_recv_lockr_outer_send_conflict_detector_outer_recv_conflict_detectorSTARTING_RECEIVE_SIZE_estimated_receive_size)rr2 ssl_contextr/r0r1rrrr Ls.       zSSLStream.__init__>ciphercontextpendingsessionversion compression getpeercertr0session_reusedshared_ciphersr/get_channel_bindingselected_npn_protocolselected_alpn_protocol> rFrJrKrLrMrNrOrPrQcCs>||jvr||jvr|jjstd|t|j|St|)Nz'call do_handshake() before calling {!r}) _forwarded_after_handshaker<r(rformatgetattrr:AttributeError)rnamerrr __getattr__s  zSSLStream.__getattr__cs.||jvrt|j||dSt||dSr&)rRsetattrr:super __setattr__)rrWvalue __class__rrr[s zSSLStream.__setattr__cstt|jSr&)rZ__dir__listrRr'r]rrr_szSSLStream.__dir__cCs8|jtjurdS|jtjurtj|jtjurtjJr&)r3r*r+r,trioBrokenResourceErrorr-ZClosedResourceErrorr'rrr _check_statuss   zSSLStream._check_status)ignore_want_read is_handshakec s tjIdHd}d}|sd}d}z||}Wn#tjy%d}Yntjtjfy<} ztj|_ tj | d} ~ wwd}|rEd}d}|j } |re|se|j jre|j dkre|jdus`J| |_d} | r|j4IdH.d}z|jdur|j| } d|_|j| IdHWntj|_ WdIdHn 1IdHswYnO|r|j} |j4IdH8d}| |jkr|jIdH} | s|jnt|jt| |_|j| |jd7_WdIdHn 1IdHswY|r|stjIdH|S)NFTzTLSv1.3r)ralowlevelZcheckpoint_if_cancelledr SSLWantReadErrorSSLErrorCertificateErrorr*r,r3rbr6readr:r0rJr7r=r2send_allr>r@ receive_somer8 write_eofmaxrDlenwriteZcancel_shielded_checkpoint) rfnrdreryieldedfinishedZ want_readretrto_sendZ recv_countdatarrr_retrys   ;  (      (%zSSLStream._retrycs2z|j|jjddIdHWdStj|_)NT)re)rxr: do_handshaker*r,r3r'rrrr;`s zSSLStream._do_handshakecs"||jjddIdHdS)uEnsure that the initial handshake has completed. The SSL protocol requires an initial handshake to exchange certificates, select cryptographic keys, and so forth, before any actual data can be sent or received. You don't have to call this method; if you don't, then :class:`SSLStream` will automatically perform the handshake as needed, the first time you try to send or receive data. But if you want to trigger it manually – for example, because you want to look at the peer's certificate before you start talking to them – then you can call this method. If the initial handshake is already in progress in another task, this waits for it to complete and then returns. If the initial handshake has already completed, this returns immediately without doing anything (except executing a checkpoint). .. warning:: If this method is cancelled, then it may leave the :class:`SSLStream` in an unusable state. If this happens then any future attempt to use the object will raise :exc:`trio.BrokenResourceError`. Tr$N)rcr<r%r'rrrrygszSSLStream.do_handshakec sV|j|z |jjddIdHWn2tjyG}z%|jrBt|jt j s-t |jrBtj IdHWYd}~WddSd}~ww|durUt|j|jj}n t|}|dkrbtdz||jj|IdHWWdStjy}z|jrt |jrtj IdHWYd}~WddSd}~ww1swYdS)aRead some data from the underlying transport, decrypt it, and return it. See :meth:`trio.abc.ReceiveStream.receive_some` for details. .. warning:: If this method is cancelled while the initial handshake or a renegotiation are in progress, then it may leave the :class:`SSLStream` in an unusable state. If this happens then any future attempt to use the object will raise :exc:`trio.BrokenResourceError`. FrzNrfrzmax_bytes must be >= 1)rBrcr<r%rarbr4r __cause__r SSLSyscallErrorrrgr$rorDr8rH _operatorindex ValueErrorrxr:rk)rZ max_bytesrrrrrmsD      &zSSLStream.receive_somecs|j5||jjddIdH|s&tjIdH WddS||jj |IdHWddS1sSee :meth:`trio.abc.SendStream.wait_send_all_might_not_block`.N)rArcr=r2wait_send_all_might_not_blockr'rrrrEs*"z'SSLStream.wait_send_all_might_not_blockr&)rrrrr rRrSrXr[r_rcrxr;ryrmrlrrr __classcell__rrr]rr.s*d ) - #5Wr.) metaclassc@s.eZdZdZddddZddZdd Zd S) SSLListeneraA :class:`~trio.abc.Listener` for SSL/TLS-encrypted servers. :class:`SSLListener` wraps around another Listener, and converts all incoming connections to encrypted connections by wrapping them in a :class:`SSLStream`. Args: transport_listener (~trio.abc.Listener): The listener whose incoming connections will be wrapped in :class:`SSLStream`. ssl_context (~ssl.SSLContext): The :class:`~ssl.SSLContext` that will be used for incoming connections. https_compatible (bool): Passed on to :class:`SSLStream`. Attributes: transport_listener (trio.abc.Listener): The underlying listener that was passed to ``__init__``. F)r1cCs||_||_||_dSr&)transport_listener _ssl_contextr4)rrrEr1rrrr s zSSLListener.__init__cs&|jIdH}t||jd|jdS)zAccept the next connection and wrap it in an :class:`SSLStream`. See :meth:`trio.abc.Listener.accept` for details. NT)r0r1)racceptr.rr4rrrrrszSSLListener.acceptcs|jIdHdS)zClose the transport listener.N)rrr'rrrrszSSLListener.acloseN)rrrrr rrrrrrrns   r)operatorr}sslr enumr_EnumraabcrrZ_highlevel_genericrrZ_utilrr rCr Exceptionrrr*r.rrrrrs*