a

�,�h���@sdd
lm
Z
mZmZmZ
ddlZddlZddlZddl	Z	ddl
Z
ddlmZ

ddlmZ
ddlmZmZmZmZmZmZmZmZmZmZmZmZmZmZ
ddlm Z m!Z!m"Z"
dd	l#m$Z$m%Z%m"Z&
dd
l'm(Z(
ddl)m*Z*m+Z+m,Z,m-Z-
ddl.m/Z/m0Z0m1Z1m2Z2
dd
l3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;m<Z<m=Z=m>Z>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZF
ddlGmHZHmZ
ddlImJZJ
ejKdk�
r�eLZMejNZOnePZOejKdk�
r�ejQZRnejRZRddgZSe�Td�
ZUe�V�ZWeWdeWdfZXGdd�de0�ZYGdd�de/�ZZGdd�de[�Z\Gdd�de[�Z]dS)�)�unicode_literals�division�absolute_import�print_functionN�)
�Certificate)
�pretty_message)�buffer_from_bytes�buffer_from_unicode�bytes_from_buffer�cast�deref�is_null�native�new�null�ref�sizeof�struct�unwrap�write_to_buffer�
)�secur32�Secur32Const�handle_error)�crypt32�Crypt32Constr)
�kernel32)�	type_name�str_cls�byte_cls�	int_types)�TLSError�TLSVerificationError�TLSDisconnectError�TLSGracefulDisconnectError)�detect_client_auth_request�detect_other_protocol�
extract_chain�get_dh_params_length�parse_alert�parse_session_info�raise_client_auth�raise_dh_params�raise_disconnection�raise_expired_not_yet_valid�raise_handshake�raise_hostname�raise_no_issuer�raise_protocol_error�raise_protocol_version�
raise_revoked�raise_self_signed�raise_verification�raise_weak_signature)�load_certificater)
�parse_certificate)
�)r;��
TLSSession�	TLSSockets(
|
|
)c
@seZ
dZd
S)�_TLSDowngradeErrorN)�__name__�
__module__�__qualname__�rCrC�B/opt/nydus/tmp/pip-target-wkfpz8uv/lib/python/oscrypto/_win/tls.pyr?Qsr?c
@seZ
dZd
ZdS)�_TLSRetryErrorz�
    TLSv1.2 on Windows 7 and 8 seems to have isuses with some DHE_RSA
    ServerKeyExchange messages due to variable length integer encoding. This
    exception is used to trigger a reconnection to attempt the handshake again.
    N)r@rArB�__doc__rCrCrCrDrEVsrEc@s>eZ
dZd
ZdZdZdZdZdZd
dd�
Z	dd�Z
dd	�ZdS)r=zj
    A TLS session object that multiple TLSSocket objects can share for the
    sake of session reuse
    NFc	CsL
t|t
�sttd
t|�
��
�
||_|
dur6tgd�
�
}
t|
t�rLt|
g
�
}
nt|
t�shttdt|
�
��
�
|
tgd�
�
}|r�ttdt	|�
��
�
|
|_
g|_|�
r@|D]�}t|t�r�|j
}nxt|t�r�t|�
}ndt|t��
rt|d��}t|���
}Wd�
n1�
s0


Y
nt|t��
s2ttdt|�
��
�
|j�|�

q�|��
dS)	a]
        :param protocol:
            A unicode string or set of unicode strings representing allowable
            protocols to negotiate with the server:

             - "TLSv1.2"
             - "TLSv1.1"
             - "TLSv1"
             - "SSLv3"

            Default is: {"TLSv1", "TLSv1.1", "TLSv1.2"}

        :param manual_validation:
            If certificate and certificate path validation should be skipped
            and left to the developer to implement

        :param extra_trust_roots:
            A list containing one or more certificates to be treated as trust
            roots, in one of the following formats:
             - A byte string of the DER encoded certificate
             - A unicode string of the certificate filename
             - An asn1crypto.x509.Certificate object
             - An oscrypto.asymmetric.Certificate object

        :raises:
            ValueError - when any of the parameters contain an invalid value
            TypeError - when any of the parameters are of the wrong type
            OSError - when an error is returned by the OS crypto library
        zM
                manual_validation must be a boolean, not %s
                N)�TLSv1�TLSv1.1�TLSv1.2zu
                protocol must be a unicode string or set of unicode strings,
                not %s
                ��SSLv3rGrHrIz�
                protocol must contain only the unicode strings "SSLv3", "TLSv1",
                "TLSv1.1", "TLSv1.2", not %s
                �rbz�
                        extra_trust_roots must be a list of byte strings, unicode
                        strings, asn1crypto.x509.Certificate objects or
                        oscrypto.asymmetric.Certificate objects, not %s
                        )�
isinstance�bool�	TypeErrorrr�_manual_validation�setr�
ValueError�repr�
_protocols�_extra_trust_rootsrZasn1r r:�open�read�Asn1Certificate�append�_obtain_credentials)�self�protocolZmanual_validationZextra_trust_rootsZunsupported_protocolsZextra_trust_root�
frCrCrD�__init__msN


�






�


�











.


�zTLSSession.__init__c
Cs�
tj
tjtjtjd
�}
d}|
��D]\}}||jvr"||O}q"tjtjtj	tj
tjtjtj
tjtjtjg
}d|jvr�|�tjtjtjg�

ttdt|�
�}t|�
D]\}}|||<q�tjtjB}	|js�|js�|	tjO}	n
|	tjO}	ttd�}
t |
�
}tj!|_"d|_#t$�|_%t$�|_&d|_'t$�|_(t|�
|_)||_*||_+d|_,d|_-d|_.|	|_/d|_0ttd�}t�1t$�tj2tj3t$�|
t$�t$�|t$��	}
t4|
�

||_5dS)zU
        Obtains a credentials handle from secur32.dll for use with SChannel
        rJr
rIz
ALG_ID[%s]Z
SCHANNEL_CREDzCredHandle *N)6r�SP_PROT_SSL3_CLIENT�SP_PROT_TLS1_CLIENT�SP_PROT_TLS1_1_CLIENT�SP_PROT_TLS1_2_CLIENT�itemsrTZCALG_AES_128ZCALG_AES_256Z	CALG_3DESZ	CALG_SHA1Z
CALG_ECDHEZ
CALG_DH_EPHEMZ
CALG_RSA_KEYXZ
CALG_RSA_SIGNZ
CALG_ECDSAZ
CALG_DSS_SIGN�extendZCALG_SHA512ZCALG_SHA384ZCALG_SHA256rr�len�	enumerateZSCH_USE_STRONG_CRYPTOZSCH_CRED_NO_DEFAULT_CREDSrPrUZSCH_CRED_AUTO_CRED_VALIDATIONZSCH_CRED_MANUAL_CRED_VALIDATIONrrZSCHANNEL_CRED_VERSIONZ	dwVersionZcCredsrZpaCredZ
hRootStoreZcMappersZ
aphMappersZcSupportedAlgsZpalgSupportedAlgsZgrbitEnabledProtocolsZdwMinimumCipherStrengthZdwMaximumCipherStrengthZdwSessionLifespan�dwFlagsZdwCredFormatZAcquireCredentialsHandleWZ
UNISP_NAMEZSECPKG_CRED_OUTBOUNDr�_credentials_handle)r[Zprotocol_valuesZprotocol_bit_mask�key�valueZalgsZ	alg_array�index�alg�flagsZschannel_cred_pointerZ
schannel_credZcred_handle_pointer�resultrCrCrDrZ�s~


�













�




�






























�zTLSSession._obtain_credentialsc
Cs$|jr t
�|j�
}
t|
�

d|_dS�
N)rhrZFreeCredentialsHandler)r[rnrCrCrD�__del__
s



zTLSSession.__del__)NFN)r@rArBrFrTZ_ciphersrPrUrhr^rZrprCrCrCrDr=as





ZQc@s�
eZ
dZd
ZdZdZdZdZdZdZ	dZ
dZdZdZ
dZdZdZdZdZdZdZdZdZdZdZdZdZdZed=dd�
�
Zd>dd�
Zd	d
�Zdd�Z d?d
d�
Z!dd�Z"d@dd�
Z#dd�Z$dd�Z%dd�Z&dd�Z'dAdd�
Z(dd�Z)dd �Z*d!d"�Z+d#d$�Z,e-d%d&��
Z.e-d'd(��
Z/e-d)d*��
Z0e-d+d,��
Z1e-d-d.��
Z2e-d/d0��
Z3e-d1d2��
Z4e-d3d4��
Z5e-d5d6��
Z6e-d7d8��
Z7e-d9d:��
Z8d;d<�Z9dS)Br>z8
    A wrapper around a socket.socket that adds TLS
    NFc
Cs�t|
t
j�sttd
t|
�
��
�
t|t�s:ttdt|�
��
�
|du
r^t|t�s^ttdt|�
��
�
|dd|d�}|
|_||_	z|�
�
Wnfty�
}
zt|j
|j�}|�
WYd}~n:d}~0ty�
}
zt|j
�
}|�
WYd}~n
d}~00|S)az
        Takes an existing socket and adds TLS

        :param socket:
            A socket.socket object to wrap with TLS

        :param hostname:
            A unicode string of the hostname or IP the socket is connected to

        :param session:
            An existing TLSSession object to allow for session reuse, specific
            protocol or manual certificate validation

        :raises:
            ValueError - when any of the parameters contain an invalid value
            TypeError - when any of the parameters are of the wrong type
            OSError - when an error is returned by the OS crypto library
        zU
                socket must be an instance of socket.socket, not %s
                zK
                hostname must be a unicode string, not %s
                N�`
                session must be an instance of oscrypto.tls.TLSSession, not %s
                )
�session)rM�socket_�socketrOrrrr=�_socket�	_hostname�
_handshaker?r#�message�certificaterEr")�clsrt�hostnamerrZ
new_socket�
eZnew_erCrCrD�wrapE
s6

�


�

�









zTLSSocket.wrap�
cCs�
d
|_d
|_
|
dur$|dur$d|_n|t|
t�s@ttdt|
�
��
�
t|t�s\ttdt|�
��
�
|du
r�t|t	j
�s�ttdt|�
��
�
t�|
|f|�|_|j�
|�

|dur�t�}nt|t�s�ttdt|�
��
�
||_|j�
r�|
|_z|��
Wn�t�
y^


|��
t|jtdg
�
|j|j�}|��
d
|_||_t�|
|f|�|_|j�
|�

|��
Yn@t�
y�


d
|_t�|
|f|�|_|j�
|�

|��
Yn0dS)a�

        :param address:
            A unicode string of the domain name or IP address to connect to

        :param port:
            An integer of the port number to connect to

        :param timeout:
            An integer timeout to use for the socket

        :param session:
            An oscrypto.tls.TLSSession object to allow for session reuse and
            controlling the protocols and validation performed
        �NzR
                    address must be a unicode string, not %s
                    zI
                    port must be an integer, not %s
                    zJ
                    timeout must be a number, not %s
                    rqrI)�_received_bytes�_decrypted_bytesrurMrrOrrr!�numbers�Numberrs�create_connection�
settimeoutr=�_sessionrvrwr?�closerTrQrPrUrprE)r[�address�port�timeoutrrZnew_sessionrCrCrDr^�
sf




�


�

�




�







�









zTLSSocket.__init__cCsntt
d
|
�}td|
�D]&}d||_tj||_t�||_qt	t
d�}t
|�
}tj|_|
|_
||_||fS)z�
        Creates a SecBufferDesc struct and contained SecBuffer structs

        :param number:
            The number of contains SecBuffer objects to create

        :return:
            A tuple of (SecBufferDesc pointer, SecBuffer array)
        z
SecBuffer[%d]r
�
SecBufferDesc)rr�range�cbBufferr�SECBUFFER_EMPTY�
BufferTyper�pvBufferrr�SECBUFFER_VERSION�	ulVersion�cBuffers�pBuffers)r[�number�buffersrk�sec_buffer_desc_pointer�sec_buffer_descrCrCrD�_create_buffers�
s







zTLSSocket._create_buffersc
(
Cs2d
}
d
}�z�t�
tjtjt�dt��}
t|
�
r6td�

t�}|j	j
D]B}|��}t�|
tj|t
|�
tjt��}|sztd�

|�|j�

qDttd�}t�|jtj|�}t|�

t|�
}ttd|�}ttd�}	t�|	�

ttd|	�}
ttd�}ttdtj�|d<ttdtj�|d<ttdtj�|d	<ttd
�}t|�
}
d|
_ ttd|�|
_!ttd
�}t|�
}tj"|_#|
|_$ttd�}t|�
}||_%t&t|�}||_'ttd�}t�(t�||
|
|tj)tj*Bt�|�}t|�

tj+}t|�
}t|�
}t,t-|j.�}|dk�rbt|j/�
}t|�
}t,t-|j0�}|j1|d}t|�
}t|j2�
}t3|j4t,t-|j5��}t6�7|�
}|j|v�rb|tj8O}ttd�}t|�
} t&t| �| _'tj9| _:d| _;ttdt<|j=�
�| _>ttd�}!t|!�
}"t&t|"�|"_'||"_?ttd|�|"_@ttd�}#t|#�
}$t&t|$�|$_'t�AtjB||!|#�}t|�

t|�
}%t3|%j4t,t-|%j5��}t6�7|�
}|$jC}&|&�r�|&tjDk�rRtE|�

|&tjFk�r�tG|�
}'|'jH�rxtI|�

ntJ|�

|&tjKk�r�tL||j=�
|&tjMk�r�tN|�

|&tjOk�r�tP|�

tQ|�

|jRtddg�
v�r�tN|�

W|
�r�t�S|
d�
|�r.t�T|�

n$|
�rt�S|
d�
|�r,t�T|�

0d
S)z�
        Manually invoked windows certificate chain builder and verification
        step when there are extra trust roots to include in the search process
        Nr
zPCERT_CONTEXT *Z
PCERT_CONTEXTz
FILETIME *z	char *[3]zchar *rrZCERT_ENHKEY_USAGEr;zchar **ZCERT_USAGE_MATCHZCERT_CHAIN_PARAzPCERT_CHAIN_CONTEXT *Z SSL_EXTRA_CERT_CHAIN_POLICY_PARAz	wchar_t *ZCERT_CHAIN_POLICY_PARAzvoid *ZCERT_CHAIN_POLICY_STATUS�md5Zmd2)UrZ
CertOpenStorerZCERT_STORE_PROV_MEMORYZX509_ASN_ENCODINGrr�handle_crypt32_errorrQr�rU�dumpZ CertAddEncodedCertificateToStorereZCERT_STORE_ADD_USE_EXISTING�add�sha256rr�QueryContextAttributesW�_context_handle_pointerr�SECPKG_ATTR_REMOTE_CERT_CONTEXTrrrrZGetSystemTimeAsFileTimeZPKIX_KP_SERVER_AUTHZSERVER_GATED_CRYPTOZSGC_NETSCAPErZcUsageIdentifierZrgpszUsageIdentifierZUSAGE_MATCH_TYPE_ORZdwType�UsageZRequestedUsagerZcbSizeZCertGetCertificateChainZCERT_CHAIN_CACHE_END_CERTZ&CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLYZ.CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGSr�intZcChainZrgpChainZcElementZ
rgpElementZpCertContextr�
pbCertEncoded�
cbCertEncodedrX�loadZ'CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAGZAUTHTYPE_SERVERZ
dwAuthTypeZ	fdwChecksr
rvZpwszServerNamergZpvExtraPolicyParaZ CertVerifyCertificateChainPolicyZCERT_CHAIN_POLICY_SSLZdwErrorZCERT_E_EXPIREDr/ZCERT_E_UNTRUSTEDROOTr9�self_signedr6r2ZCERT_E_CN_NO_MATCHr1�TRUST_E_CERT_SIGNATUREr8ZCRYPT_E_REVOKEDr5r7Z	hash_algo�CertCloseStoreZCertFreeCertificateChain)(r[�storeZcert_chain_context_pointerZcert_hashes�cert�	cert_datarn�cert_context_pointer_pointer�cert_context_pointerZorig_now_pointerZnow_pointerZusage_identifiersZcert_enhkey_usage_pointerZcert_enhkey_usageZcert_usage_match_pointerZcert_usage_matchZcert_chain_para_pointerZcert_chain_paraZcert_chain_para_sizeZ"cert_chain_context_pointer_pointerZcert_chain_policy_para_flagsZcert_chain_contextZ
num_chainsZfirst_simple_chain_pointerZfirst_simple_chainZnum_elementsZlast_element_pointerZlast_elementZlast_element_certZlast_element_cert_dataZ	last_certZ(ssl_extra_cert_chain_policy_para_pointerZ ssl_extra_cert_chain_policy_paraZcert_chain_policy_para_pointerZcert_chain_policy_paraZ cert_chain_policy_status_pointerZcert_chain_policy_status�cert_context�error�
oscrypto_certrCrCrD�_extra_trust_root_validation�
s






�









�






�

































�















�












�











�



















�


z&TLSSocket._extra_trust_root_validationc!CsLd
}d
}d
}�z�z^|
r |j}nt
td�}|}tjdtjdtjdtjdtjdtj	dtj
d	i}d
|_|D]}|j|O_qf|�d�
\}}tj
|d
_|�d�
\}	}tj
|d
_tj|d_t
td
�}
|
r�|}t�}n
t�}|}t�|jj||j|jd
d
t�d
||	|
t��}
|
ttjtjg�
v
�
r*t|
t�
|
�
s6|}n|}d}d}|d
jd
k�
r�t|d
j|d
j�}||7}|j�|�

d
|d
_t�|d
j�

t�|d
_t d�
}t!td|�|d
_d}|
tjk�rz$d}|j�"d�
}|dk�
r�t#�
Wnt$�y


d}Yn0||7}|j%|7_%t&|j%�
|d
_t'||j%�
t�|jj||j|jd
d
|d
t�|	|
t��}
|
tj(k�r�tj
|d
_|djtj)k�r�tj)|d_d
|d_t*|dj�
�s�t�|dj�

t�|d_|�
r�t#�
�
q�|
tj+k�r$t,|�
�rt-�
t.|�
}|�r|dk�rt/�
t0�
|
tj1k�rHt2|�
}t3|d
|j�
|
tj4k�rht2|�
}t5|d
�

|
tj6k�r�t2|�
}|d
}t7|�
}|j8�s�t9|�

t:|�

|
tj;k�r�t<|�
dk�r�t=�
|
tj>k�r�t-�
|
t?j@k�r�tA|�

|
tjBk�r�|djd
k�rzt|dj|dj�}||7}|dd�}|dk�sD|dk�rzd|jjCv�rzt&|jjC�
dk�rzt2|�
}tDd|d
��
t,|�
�r�t-�
tE|�
�r�tF|�

t0�
|
tjGk�s�|
tjHk�r�d|jjCv�r�tId�
�
|�r�t#�
|
tjJk�r�t<|�
dk�r�t=�
|
ttjtjg�
v
�rt|
t�
|d
jd
k�r|t|d
j|d
j�}||7}|j�|�

d
|d
_t�|d
j�

t�|d
_|djtjKk�r�|dj}|j%|d
�|_%tj)|d_d
|d_t�|dj�

t�|d_|
tjk�r�||d
�}nd|_%�
q�tLtd�}t�M|tjN|�}
t|
t�
tO|�
}tjPdtjQdtjRd tjSd!tjTdi�UtVtW|jX�tY|jX�
�|_Z|jZtgd"�
�
v�r�t[||�}|d#|_\|d$|_]|d%|_^|d&|__t`|
�
}|D]&}||Bd
k�r�tatbd'||��
�
�q�|
�s\||_d
}tLtd(�}t�M|jtjc|�}
t|
�

tO|�
} tVtW| jd�|_etVtW| jf�|_gtVtW| jh�|_i|je|jg|ji|_j|jjk�rn|�l�
Wn$tatmjnf�y�


|�o�
�Yn0W|�r�t*|d
j�
�s�t�|d
j�

t*|dj�
�s�t�|dj�

|�rHt�p|�

nX|�r6t*|d
j�
�st�|d
j�

t*|dj�
�s6t�|dj�

|�rFt�p|�

0d
S))z�
        Perform an initial TLS handshake, or a renegotiation

        :param renegotiate:
            If the handshake is for a renegotiation
        NzCtxtHandle *zreplay detectionzsequence detectionZconfidentialityzmemory allocationZ	integrityzstream orientationzdisable automatic client authr
rr�ULONG *ri��BYTE *F� T)r�Fi�r<�
(�
+rIzMServer certificate verification failed - weak certificate signature algorithmzTLS handshake failedZSecPkgContext_ConnectionInfoZSSLv2rKrGrHrJ�cipher_suite�compression�
session_id�session_ticketzl
                        Unable to obtain a credential context with the property %s
                        ZSecPkgContext_StreamSizes)qr�rrrZISC_REQ_REPLAY_DETECTZISC_REQ_SEQUENCE_DETECTZISC_REQ_CONFIDENTIALITYZISC_REQ_ALLOCATE_MEMORYZISC_REQ_INTEGRITYZISC_REQ_STREAMZISC_REQ_USE_SUPPLIED_CREDS�_context_flagsr��SECBUFFER_TOKENr��SECBUFFER_ALERTr�InitializeSecurityContextWr�rhrvrQ�SEC_E_OK�SEC_I_CONTINUE_NEEDEDrr"r�rr�ru�send�FreeContextBufferr	r�recvr.�socket_error_clsr�rer�SEC_E_INCOMPLETE_MESSAGEr�rZSEC_E_ILLEGAL_MESSAGEr&r,r*r4r0ZSEC_E_WRONG_PRINCIPALr(r1ZSEC_E_CERT_EXPIREDr/ZSEC_E_UNTRUSTED_ROOTr9r�r2r6ZSEC_E_INTERNAL_ERRORr)r-ZSEC_I_INCOMPLETE_CREDENTIALSrr�r8ZSEC_E_INVALID_TOKENrTr?r'r3ZSEC_E_BUFFER_TOO_SMALLZSEC_E_MESSAGE_ALTEREDrEZSEC_E_INVALID_PARAMETER�SECBUFFER_EXTRArr�ZSECPKG_ATTR_CONNECTION_INFOrZSP_PROT_SSL2_CLIENTr_r`rarb�getrr�Z
dwProtocolr�	_protocolr+�
_cipher_suite�_compression�_session_id�_session_ticketr
�OSErrorrZSECPKG_ATTR_STREAM_SIZESZcbHeader�_header_sizeZcbMaximumMessage�
_message_sizeZ	cbTrailer�
_trailer_size�_buffer_sizerUr�rsr�r��DeleteSecurityContext)!r[�renegotiateZ
in_buffers�out_buffersZnew_context_handle_pointerZtemp_context_handle_pointerZrequested_flags�flagZin_sec_buffer_desc_pointer�out_sec_buffer_desc_pointer�output_context_flags_pointerZfirst_handleZ
second_handlernZhandshake_server_bytesZhandshake_client_bytes�tokenZin_data_buffer�
bytes_readZ	fail_lateZ
alert_info�chainr�r�Zalert_bytesZalert_number�extra_amountZconnection_info_pointerZconnection_infoZsession_infoZoutput_context_flagsZstream_sizes_pointerZstream_sizesrCrCrDrw�s�












�





















�





































�

































 



�


































�




��












�







�













�





zTLSSocket._handshakec
sXt|
t
�sttd
t|
�
��
�
�jdurZ�jdkrR�jd|
�}�j|
d��_|S���
�js�t	�j
�
�_��d�
\�_�_
tj�j
d_ttd�j��j
d_t|
�j
�}t���j
d��j
d�
�j
d��j
d	���
����fd
d�}�j}t|�
}d�_|dk�
r&��d�
�
s&d�_|St�j�
dk}||
k�r,|�
rp�j�j�|�
7_t�j�
dk�
rpt�
tt�j�
�j
�}|dk�
r��q,|�j
d_t�j�jd|��
t��j�jdt��}d}|tj k�
r�|�
d
}�
q4nX|tj!k�rd
�_"��#�
�q,n8|tj$k�r*�j%d
d�

��&|
�
S|tj'k�r@t(|t)�
t*tj+tj,tj-g�
}	d}
��
��fD]f}|j}|tjk�r�|t.|j|j�7}t|�
}n2|tj/k�r�t0t1|j�}
n||	v
�rdt2td|��
�
�qd|
�r�j||
d��_n�j|d��_|�
��d�
�rd
}|�
s4t�j�
dk�
r4�q,�
q4t|�
|
k�rT||
d��_|d|
�}|S)a0
        Reads data from the TLS-wrapped socket

        :param max_length:
            The number of bytes to read

        :raises:
            socket.socket - when a non-TLS socket error occurs
            oscrypto.errors.TLSError - when a TLS-related error occurs
            ValueError - when any of the parameters contain an invalid value
            TypeError - when any of the parameters are of the wrong type
            OSError - when an error is returned by the OS crypto library

        :return:
            A byte string of the data read
        zG
                max_length must be an integer, not %s
                Nrr
�r�rrr;cs^tj
�_ttd
�j��_d�_tj�
_��
_d�
_tj�_��_d�_tj�_��_d�_dS)Nr�r
)	r�SECBUFFER_DATAr�rr�_decrypt_data_bufferr�r�r�rC�Zbuf0Zbuf1�buf2Zbuf3Z
null_valuer[rCrD�_reset_bufferss








z&TLSSocket.read.<locals>._reset_buffersFT)
r�z]
                        Unexpected decrypt output buffer of type %s
                        )3rMr!rOrrr�r��
_raise_closedr�r	r�r��
_decrypt_desc�_decrypt_buffersrr�r�rrr��maxrre�select_readr�rur�r.�minr�rZDecryptMessager�ZSEC_I_CONTEXT_EXPIRED�_remote_closed�shutdownZSEC_I_RENEGOTIATErwrWr�rr"rQr��SECBUFFER_STREAM_HEADER�SECBUFFER_STREAM_TRAILERrr�rr�r�)
r[�
max_length�outputZto_recvr�Z
output_lenZdo_read�data_lenrnZvalid_buffer_typesr��bufZbuffer_typerCr�rDrW�s�


�

































�













�











�





zTLSSocket.readcCs8t|j
�
d
krdSt�|jg
gg|
�\}}}t|�
d
kS)aZ

        Blocks until the socket is ready to be read from, or the timeout is hit

        :param timeout:
            A float - the period of time to wait for data to be read. None for
            no time limit.

        :return:
            A boolean - if data is ready to be read. Will only be False if
            timeout is not None.
        r
T)rer��selectru)r[r�Z
read_ready�
_rCrCrDr��s

zTLSSocket.select_readc	Cs�t|
t
�s&t|
t�s&ttd
t|
�
��
�
d}t|
t�}t|j�
dkrP|j}d|_n
|�d�
}t|�
}||7}|r�|
�	|�
}|du
r�|�
�}q�q4td|t|
�
d�}|�|
|�}|dkr4|t|
�
}q�q4||d�|j|_|d|�S)a�

        Reads data from the socket until a marker is found. Data read may
        include data beyond the marker.

        :param marker:
            A byte string or regex object from re.compile(). Used to determine
            when to stop reading. Regex objects are more inefficient since
            they must scan the entire byte string of read data each time data
            is read off the socket.

        :return:
            A byte string of the data read
        z_
                marker must be a byte string or compiled regex object, not %s
                rr
r�Nr���)
rMr �PatternrOrrrer�rW�search�endr��find)	r[�markerr��is_regex�chunk�offset�matchr��startrCrCrD�
read_until�s2

�














zTLSSocket.read_untilc

Cs
|�t
�
S)
z�
        Reads a line from the socket, including the line ending of "\r\n", "\r",
        or "\n"

        :return:
            A byte string of the next line from the socket
        )r
�_line_regex�
r[rCrCrD�	read_line�s	zTLSSocket.read_linecCs0d
}|
}|dkr,||�|�
7}|
t
|�
}q|S)z�
        Reads exactly the specified number of bytes from the socket

        :param num_bytes:
            An integer - the exact number of bytes to read

        :return:
            A byte string of the data that was read
        rr
)rWre)r[�	num_bytesr��	remainingrCrCrD�read_exactly�s



zTLSSocket.read_exactlyc
Cs�
|jd
ur|�
�
|js�t|j|j|j�
|_|�d�
\|_|_	t
j|j	d_|j|j	d_
ttd|j�|j	d_t
j|j	d_t|j|j�|j	d_t
j|j	d_|j|j	d_
t|j|j|j�|j	d_t|
�
dk�
r�tt|
�
|j�}t|j|
d|�|j�
||j	d_
t|j|j|�|j	d_t�|jd|jd�}|t
jk�
rVt|t�
tt|j	dj
�}|tt|j	dj
�7}|tt|j	dj
�7}z|j�t|j|��

Wn<t j!�
y�
}
z |j"dk�
r�t#�
�WYd
}~n
d
}~00|
|d
�}
q�d
S)a�

        Writes data to the TLS-wrapped socket

        :param data:
            A byte string to write to the socket

        :raises:
            socket.socket - when a non-TLS socket error occurs
            oscrypto.errors.TLSError - when a TLS-related error occurs
            ValueError - when any of the parameters contain an invalid value
            TypeError - when any of the parameters are of the wrong type
            OSError - when an error is returned by the OS crypto library
        Nr�r
r�rriE')$r�r��_encrypt_data_bufferr	r�r�r�r��
_encrypt_desc�_encrypt_buffersrr�r�r�rrr�r�rr�rer�rZEncryptMessager�rr"rr�rur�rrsr��errnor.)r[�dataZto_writern�to_sendr|rCrCrD�write�sH















�









zTLSSocket.writecCs&t�g|j
g
g|
�\}}}t|�
d
kS)aw

        Blocks until the socket is ready to be written to, or the timeout is hit

        :param timeout:
            A float - the period of time to wait for the socket to be ready to
            written to. None for no time limit.

        :return:
            A boolean - if the socket is ready for writing. Will only be False
            if timeout is not None.
        r
)r�rure)r[r�r�Zwrite_readyrCrCrD�select_write's

zTLSSocket.select_writec

Csf|jd
urd
Sd
}
�
z�t
dkr�ttd�}d|d_tj|d_ttdt	d�
�|d_
ttd�}t|�
}tj
|_d	|_||_t�|j|�}t|t�
|�d
�
\}}
tj|
d_tj|
d	_ttd�}t�|jj|j|j|jddt�dt�||t��}ttjtjtjg�
}||v
�
rt|t�
t |
dj
|
dj�}	z|j!�"|	�

Wnt#j$�
yV


Yn0W|
�
r�t%|
dj
�
�
s�t�&|
dj
�

t%|
d	j
�
�
s�t�&|
d	j
�

t�'|j�

d
|_z|j!�(t#j)�

Wnt#j$�
y�


Yn0n�|
�r$t%|
dj
�
�st�&|
dj
�

t%|
d	j
�
�s$t�&|
d	j
�

t�'|j�

d
|_z|j!�(t#j)�

Wnt#j$�y^


Yn00d
S)z�
        Shuts down the TLS session and then shuts down the underlying socket

        :raises:
            OSError - when an error is returned by the OS crypto library
        N)r�rzSecBuffer[1]r�r
r�s
r�rrr�)*r��_win_version_inforrr�rr�r�rr	r�rrr�r�r�r�ZApplyControlTokenrr"r�r�r�r�rhrvr�rrQr�ZSEC_E_CONTEXT_EXPIREDr�rrur�rsr�rr�r�r��	SHUT_RDWR)
r[r�r�r�r�rnr�r�Zacceptable_resultsr�rCrCrDr�7s�




























�


�













�







zTLSSocket.shutdownc

Cstz<|��
W|j
rpz|j
��
Wntjy4


Yn0d
|_
n2|j
rnz|j
��
Wntjyf


Yn0d
|_
0d
S)zN
        Shuts down the TLS session and socket and forcibly closes it
        N)r�rur�rsr�r
rCrCrDr��s






�




zTLSSocket.closec


Cs�tt
d
�}
t�|jtj|
�}t|t�
t	|
�
}t
t
d|�}t	|�
}t|jt
t|j��}t�|�
|_g|_d}zt|j}t
�|t��}t|�
s�t	|�
}t|jt
t|j��}	|	|kr�|j�t�|	�
�

t
�||�}q�W|r�t
�|d�
n|r�t
�|d�
0dS)zh
        Reads end-entity and intermediate certificate information from the
        TLS session
        zCERT_CONTEXT **zCERT_CONTEXT *Nr
)rrrr�r�rr�rr"rrrr�rr�r�rXr��_certificate�_intermediatesZ
hCertStoreZCertEnumCertificatesInStorerrrYr�)
r[r�rnr�r�r�Zstore_handleZcontext_pointer�contextr
rCrCrD�_read_certificates�s6




�












�
zTLSSocket._read_certificatesc

Cs|jrt
d
�
�
ntd�
�
dS)zi
        Raises an exception describing if the local or remote end closed the
        connection
        z$The remote end closed the connectionz!The connection was already closedN)r�r%r$r
rCrCrDr��s

zTLSSocket._raise_closedc

Cs*|jd
ur|�
�
|jd
ur$|��
|jS)zu
        An asn1crypto.x509.Certificate object of the end-entity certificate
        presented by the server
        N)r�r�r
r
r
rCrCrDry�s




zTLSSocket.certificatec

Cs*|jd
ur|�
�
|jd
ur$|��
|jS)zz
        A list of asn1crypto.x509.Certificate objects that were presented as
        intermediates by the server
        N)r�r�r
r
r
r
rCrCrD�
intermediates�s




zTLSSocket.intermediatesc


Cs|jS)
zg
        A unicode string of the IANA cipher suite name of the negotiated
        cipher suite
        )
r�r
rCrCrDr��szTLSSocket.cipher_suitec


Cs|jS)
zM
        A unicode string of: "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"
        )
r�r
rCrCrDr\�szTLSSocket.protocolc


Cs|jS)
z5
        A boolean if compression is enabled
        )
r�r
rCrCrDr��szTLSSocket.compressionc


Cs|jS�
zM
        A unicode string of "new" or "reused" or None for no ticket
        )
r�r
rCrCrDr�szTLSSocket.session_idc


Cs|jSr
)
r�r
rCrCrDr�
szTLSSocket.session_ticketc


Cs|jS)
zM
        The oscrypto.tls.TLSSession object used for this connection
        )
r�r
rCrCrDrrszTLSSocket.sessionc


Cs|jS)
zN
        A unicode string of the TLS server domain name or IP address
        )
rvr
rCrCrDr{szTLSSocket.hostnamec

Cs|j�
�d
S)zJ
        An integer of the port number the socket is connected to
        r)rt�getpeernamer
rCrCrDr�%szTLSSocket.portc

Cs|jd
ur|�
�
|jS)z9
        The underlying socket.socket connection
        N)r�r�rur
rCrCrDrt-s

zTLSSocket.socketc

Cs|��
dSro)
r�r
rCrCrDrp8s
zTLSSocket.__del__)
N)r~N)
F)
N)
N):r@rArBrFrur�r�r�rvr�r�r�r�r�r
r	
r
r�r�r�r
r
r�r�r�r�r�r��classmethodr}r^r�r�rwrWr�r
r
r
r

r
r�r�r
r��propertyryr
r�r\r�r�r�rrr{r�rtrprCrCrCrDr>
s�
















>
W3
0+
7>
T(






















)^�
__future__rrrr�sys�rertrsr�r�Z_asn1rrX�_errorsrZ_ffir	r
rrr
rrrrrrrrrZ_secur32rrrZ_crypt32rrr�Z	_kernel32r�_typesrrr r!�errorsr"r#r$r%�_tlsr&r'r(r)r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8Z
asymmetricr9�keysr:�version_info�xranger�r�r�ZWindowsErrorZ
_pattern_typer��__all__�compiler

�getwindowsversionZ_gwvr
r?rE�objectr=r>rCrCrCrD�<module>sD





@




T




�

?