ó z\Vc@sãdZdddddgZddlmZmZmZddlZddlZdefd „ƒYZ de fd „ƒYZ de fd „ƒYZ de fd „ƒYZ ddd „ƒYZ edkrßddlZejƒndS(s± SSL peer certificate checking routines Copyright (c) 2004-2007 Open Source Applications Foundation. All rights reserved. Copyright 2008 Heikki Toivonen. All rights reserved. tSSLVerificationErrort NoCertificatetWrongCertificatet WrongHosttCheckeriÿÿÿÿ(tutiltEVPtm2NcBseZRS((t__name__t __module__(((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyRscBseZRS((RR (((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyRscBseZRS((RR (((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyRscBseZdd„Zd„ZRS(t commonNamecCsG|dkrtdƒ‚ntj|ƒ||_||_||_dS(sz This exception will be raised if the certificate returned by the peer was issued for a different host than we tried to connect to. This could be due to a server misconfiguration or an active attack. @param expectedHost: The name of the host we expected to find in the certificate. @param actualHost: The name of the host we actually found in the certificate. @param fieldName: The field name where we noticed the error. This should be either 'commonName' or 'subjectAltName'. R tsubjectAltNames@Unknown fieldName, should be either commonName or subjectAltNameN(s commonNamessubjectAltName(t ValueErrorRt__init__t expectedHostt actualHostt fieldName(tselfRRR((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyR s    cCsAd|j|j|jf}t|tƒr=|jdƒ}n|S(Ns<Peer certificate %s does not match host, expected %s, got %stutf8(RRRt isinstancetunicodetencode(Rts((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyt__str__0s (RR R R(((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyRs cBsPeZejdƒZdddd„Zdd„Zd„Zd„Z d„Z RS(s^[0-9]+(\.[0-9]+)*$tsha1cCs||_||_||_dS(N(thostt fingerprinttdigest(RRt peerCertHashtpeerCertDigest((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyR <s  c Cs~|dkrtdƒ‚n|dk r3||_n|jr"|jdkratd|jƒ‚n|jdkr…t|jƒdks©|jdkr¸t|jƒdkr¸tdƒ‚n|jƒ}t j |jƒ}|j |ƒ|j ƒ}t j|ƒt|jdƒkr"td ƒ‚q"n|jrzt}t|_ya|jd ƒjƒ}|j|j|ƒrpt}n*|jrštd |jd |d d ƒ‚nWntk r®nX|szt}d} xt|jƒjtjƒD]Z} t}| jƒjƒ} | s| } n| d| 7} |j|j| ƒrÚt}PqÚqÚW|sMtdƒ‚n|swtd |jd | d dƒ‚qwqzntS(Nspeer did not return certificateRtmd5sunsupported digest "%s"i(i s2peer certificate fingerprint length does not matchis+peer certificate fingerprint does not matchR RRRtt,s!no commonName in peer certificateR (RR(tNoneRRRRR tlenRtas_derRt MessageDigesttupdatetfinalRt octx_to_numtinttFalsetuseSubjectAltNameOnlytget_extt get_valuet_splitSubjectAltNametTrueRt LookupErrort get_subjecttget_entries_by_nidRtNID_commonNametget_datatas_textt_match( RtpeerCertRtdertmdRthostValidationPassedR t hasCommonNamet commonNamestentryR ((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyt__call__As`    $$   !      cCs¥t|_x•|jdƒD]„}|jƒjƒ}|d dkrgt|_|j||dƒrtSq|d dkrt|_|j||dƒrtSqqWtS(sg >>> check = Checker() >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:my.example.com') True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:*.example.com') True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*.example.com') True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com') False >>> check.useSubjectAltNameOnly True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, othername:') False >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, DNS:my.example.org') False >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:m*ample.com, DNS:my.example.com') True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='DNS:my.example.com, DNS:my.example.org') True >>> check.useSubjectAltNameOnly True >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='') False >>> check._splitSubjectAltName(host='my.example.com', subjectAltName='othername:') False >>> check.useSubjectAltNameOnly False R isdns:i s ip address:(R)R*tsplittlowertstripR.R5t_matchIPAddress(RRR tcertHost((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyR-€s    cCsÖ|jƒ}|jƒ}||kr(tS|jdƒdkrAtS|jj|ƒsq|jj|jddƒƒrutS|jdƒdkrŽtS|jddƒ}|jddƒ}tj d |ƒj|ƒrÒtStS( s >>> check = Checker() >>> check._match(host='my.example.com', certHost='my.example.com') True >>> check._match(host='my.example.com', certHost='*.example.com') True >>> check._match(host='my.example.com', certHost='m*.example.com') True >>> check._match(host='my.example.com', certHost='m*.EXAMPLE.com') True >>> check._match(host='my.example.com', certHost='m*ample.com') False >>> check._match(host='my.example.com', certHost='*.*.com') False >>> check._match(host='1.2.3.4', certHost='1.2.3.4') True >>> check._match(host='1.2.3.4', certHost='*.2.3.4') False >>> check._match(host='1234', certHost='1234') True t*iRs\iÿÿÿÿt.s\.s[^\.]*s^%s$( R?R.tcountR)tnumericIpMatchtmatchtreplacetfindtretcompile(RRRB((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyR5¬s    cCsayLtj|ddtjdtjƒ}tj|ddtjdtjƒ}WntSX||kS(ss >>> check = Checker() >>> check._matchIPAddress(host='my.example.com', certHost='my.example.com') False >>> check._matchIPAddress(host='1.2.3.4', certHost='1.2.3.4') True >>> check._matchIPAddress(host='1.2.3.4', certHost='*.2.3.4') False >>> check._matchIPAddress(host='1.2.3.4', certHost='1.2.3.40') False >>> check._matchIPAddress(host='::1', certHost='::1') True >>> check._matchIPAddress(host='::1', certHost='0:0:0:0:0:0:0:1') True >>> check._matchIPAddress(host='::1', certHost='::2') False i(tsockett getaddrinfot SOCK_STREAMtAI_NUMERICHOSTR)(RRRBt canonicalt certCanonical((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyRAâs  N( RR RJRKRFR!R R=R-R5RA(((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyR8s  ? , 6t__main__((t__doc__t__all__tM2CryptoRRRRLRJt ExceptionRRRRRRtdoctestttestmod(((s:/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Checker.pyts    Ç