| """ |
| This module uses ctypes to bind a whole bunch of functions and constants from |
| SecureTransport. The goal here is to provide the low-level API to |
| SecureTransport. These are essentially the C-level functions and constants, and |
| they're pretty gross to work with. |
| |
| This code is a bastardised version of the code found in Will Bond's oscrypto |
| library. An enormous debt is owed to him for blazing this trail for us. For |
| that reason, this code should be considered to be covered both by urllib3's |
| license and by oscrypto's: |
| |
| Copyright (c) 2015-2016 Will Bond <will@wbond.net> |
| |
| Permission is hereby granted, free of charge, to any person obtaining a |
| copy of this software and associated documentation files (the "Software"), |
| to deal in the Software without restriction, including without limitation |
| the rights to use, copy, modify, merge, publish, distribute, sublicense, |
| and/or sell copies of the Software, and to permit persons to whom the |
| Software is furnished to do so, subject to the following conditions: |
| |
| The above copyright notice and this permission notice shall be included in |
| all copies or substantial portions of the Software. |
| |
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
| FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER |
| DEALINGS IN THE SOFTWARE. |
| """ |
| from __future__ import absolute_import |
| |
| import platform |
| from ctypes import ( |
| CDLL, |
| CFUNCTYPE, |
| POINTER, |
| c_bool, |
| c_byte, |
| c_char_p, |
| c_int32, |
| c_long, |
| c_size_t, |
| c_uint32, |
| c_ulong, |
| c_void_p, |
| ) |
| from ctypes.util import find_library |
| |
| from ...packages.six import raise_from |
| |
| if platform.system() != "Darwin": |
| raise ImportError("Only macOS is supported") |
| |
| version = platform.mac_ver()[0] |
| version_info = tuple(map(int, version.split("."))) |
| if version_info < (10, 8): |
| raise OSError( |
| "Only OS X 10.8 and newer are supported, not %s.%s" |
| % (version_info[0], version_info[1]) |
| ) |
| |
| |
| def load_cdll(name, macos10_16_path): |
| """Loads a CDLL by name, falling back to known path on 10.16+""" |
| try: |
| # Big Sur is technically 11 but we use 10.16 due to the Big Sur |
| # beta being labeled as 10.16. |
| if version_info >= (10, 16): |
| path = macos10_16_path |
| else: |
| path = find_library(name) |
| if not path: |
| raise OSError # Caught and reraised as 'ImportError' |
| return CDLL(path, use_errno=True) |
| except OSError: |
| raise_from(ImportError("The library %s failed to load" % name), None) |
| |
| |
| Security = load_cdll( |
| "Security", "/System/Library/Frameworks/Security.framework/Security" |
| ) |
| CoreFoundation = load_cdll( |
| "CoreFoundation", |
| "/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", |
| ) |
| |
| |
| Boolean = c_bool |
| CFIndex = c_long |
| CFStringEncoding = c_uint32 |
| CFData = c_void_p |
| CFString = c_void_p |
| CFArray = c_void_p |
| CFMutableArray = c_void_p |
| CFDictionary = c_void_p |
| CFError = c_void_p |
| CFType = c_void_p |
| CFTypeID = c_ulong |
| |
| CFTypeRef = POINTER(CFType) |
| CFAllocatorRef = c_void_p |
| |
| OSStatus = c_int32 |
| |
| CFDataRef = POINTER(CFData) |
| CFStringRef = POINTER(CFString) |
| CFArrayRef = POINTER(CFArray) |
| CFMutableArrayRef = POINTER(CFMutableArray) |
| CFDictionaryRef = POINTER(CFDictionary) |
| CFArrayCallBacks = c_void_p |
| CFDictionaryKeyCallBacks = c_void_p |
| CFDictionaryValueCallBacks = c_void_p |
| |
| SecCertificateRef = POINTER(c_void_p) |
| SecExternalFormat = c_uint32 |
| SecExternalItemType = c_uint32 |
| SecIdentityRef = POINTER(c_void_p) |
| SecItemImportExportFlags = c_uint32 |
| SecItemImportExportKeyParameters = c_void_p |
| SecKeychainRef = POINTER(c_void_p) |
| SSLProtocol = c_uint32 |
| SSLCipherSuite = c_uint32 |
| SSLContextRef = POINTER(c_void_p) |
| SecTrustRef = POINTER(c_void_p) |
| SSLConnectionRef = c_uint32 |
| SecTrustResultType = c_uint32 |
| SecTrustOptionFlags = c_uint32 |
| SSLProtocolSide = c_uint32 |
| SSLConnectionType = c_uint32 |
| SSLSessionOption = c_uint32 |
| |
| |
| try: |
| Security.SecItemImport.argtypes = [ |
| CFDataRef, |
| CFStringRef, |
| POINTER(SecExternalFormat), |
| POINTER(SecExternalItemType), |
| SecItemImportExportFlags, |
| POINTER(SecItemImportExportKeyParameters), |
| SecKeychainRef, |
| POINTER(CFArrayRef), |
| ] |
| Security.SecItemImport.restype = OSStatus |
| |
| Security.SecCertificateGetTypeID.argtypes = [] |
| Security.SecCertificateGetTypeID.restype = CFTypeID |
| |
| Security.SecIdentityGetTypeID.argtypes = [] |
| Security.SecIdentityGetTypeID.restype = CFTypeID |
| |
| Security.SecKeyGetTypeID.argtypes = [] |
| Security.SecKeyGetTypeID.restype = CFTypeID |
| |
| Security.SecCertificateCreateWithData.argtypes = [CFAllocatorRef, CFDataRef] |
| Security.SecCertificateCreateWithData.restype = SecCertificateRef |
| |
| Security.SecCertificateCopyData.argtypes = [SecCertificateRef] |
| Security.SecCertificateCopyData.restype = CFDataRef |
| |
| Security.SecCopyErrorMessageString.argtypes = [OSStatus, c_void_p] |
| Security.SecCopyErrorMessageString.restype = CFStringRef |
| |
| Security.SecIdentityCreateWithCertificate.argtypes = [ |
| CFTypeRef, |
| SecCertificateRef, |
| POINTER(SecIdentityRef), |
| ] |
| Security.SecIdentityCreateWithCertificate.restype = OSStatus |
| |
| Security.SecKeychainCreate.argtypes = [ |
| c_char_p, |
| c_uint32, |
| c_void_p, |
| Boolean, |
| c_void_p, |
| POINTER(SecKeychainRef), |
| ] |
| Security.SecKeychainCreate.restype = OSStatus |
| |
| Security.SecKeychainDelete.argtypes = [SecKeychainRef] |
| Security.SecKeychainDelete.restype = OSStatus |
| |
| Security.SecPKCS12Import.argtypes = [ |
| CFDataRef, |
| CFDictionaryRef, |
| POINTER(CFArrayRef), |
| ] |
| Security.SecPKCS12Import.restype = OSStatus |
| |
| SSLReadFunc = CFUNCTYPE(OSStatus, SSLConnectionRef, c_void_p, POINTER(c_size_t)) |
| SSLWriteFunc = CFUNCTYPE( |
| OSStatus, SSLConnectionRef, POINTER(c_byte), POINTER(c_size_t) |
| ) |
| |
| Security.SSLSetIOFuncs.argtypes = [SSLContextRef, SSLReadFunc, SSLWriteFunc] |
| Security.SSLSetIOFuncs.restype = OSStatus |
| |
| Security.SSLSetPeerID.argtypes = [SSLContextRef, c_char_p, c_size_t] |
| Security.SSLSetPeerID.restype = OSStatus |
| |
| Security.SSLSetCertificate.argtypes = [SSLContextRef, CFArrayRef] |
| Security.SSLSetCertificate.restype = OSStatus |
| |
| Security.SSLSetCertificateAuthorities.argtypes = [SSLContextRef, CFTypeRef, Boolean] |
| Security.SSLSetCertificateAuthorities.restype = OSStatus |
| |
| Security.SSLSetConnection.argtypes = [SSLContextRef, SSLConnectionRef] |
| Security.SSLSetConnection.restype = OSStatus |
| |
| Security.SSLSetPeerDomainName.argtypes = [SSLContextRef, c_char_p, c_size_t] |
| Security.SSLSetPeerDomainName.restype = OSStatus |
| |
| Security.SSLHandshake.argtypes = [SSLContextRef] |
| Security.SSLHandshake.restype = OSStatus |
| |
| Security.SSLRead.argtypes = [SSLContextRef, c_char_p, c_size_t, POINTER(c_size_t)] |
| Security.SSLRead.restype = OSStatus |
| |
| Security.SSLWrite.argtypes = [SSLContextRef, c_char_p, c_size_t, POINTER(c_size_t)] |
| Security.SSLWrite.restype = OSStatus |
| |
| Security.SSLClose.argtypes = [SSLContextRef] |
| Security.SSLClose.restype = OSStatus |
| |
| Security.SSLGetNumberSupportedCiphers.argtypes = [SSLContextRef, POINTER(c_size_t)] |
| Security.SSLGetNumberSupportedCiphers.restype = OSStatus |
| |
| Security.SSLGetSupportedCiphers.argtypes = [ |
| SSLContextRef, |
| POINTER(SSLCipherSuite), |
| POINTER(c_size_t), |
| ] |
| Security.SSLGetSupportedCiphers.restype = OSStatus |
| |
| Security.SSLSetEnabledCiphers.argtypes = [ |
| SSLContextRef, |
| POINTER(SSLCipherSuite), |
| c_size_t, |
| ] |
| Security.SSLSetEnabledCiphers.restype = OSStatus |
| |
| Security.SSLGetNumberEnabledCiphers.argtype = [SSLContextRef, POINTER(c_size_t)] |
| Security.SSLGetNumberEnabledCiphers.restype = OSStatus |
| |
| Security.SSLGetEnabledCiphers.argtypes = [ |
| SSLContextRef, |
| POINTER(SSLCipherSuite), |
| POINTER(c_size_t), |
| ] |
| Security.SSLGetEnabledCiphers.restype = OSStatus |
| |
| Security.SSLGetNegotiatedCipher.argtypes = [SSLContextRef, POINTER(SSLCipherSuite)] |
| Security.SSLGetNegotiatedCipher.restype = OSStatus |
| |
| Security.SSLGetNegotiatedProtocolVersion.argtypes = [ |
| SSLContextRef, |
| POINTER(SSLProtocol), |
| ] |
| Security.SSLGetNegotiatedProtocolVersion.restype = OSStatus |
| |
| Security.SSLCopyPeerTrust.argtypes = [SSLContextRef, POINTER(SecTrustRef)] |
| Security.SSLCopyPeerTrust.restype = OSStatus |
| |
| Security.SecTrustSetAnchorCertificates.argtypes = [SecTrustRef, CFArrayRef] |
| Security.SecTrustSetAnchorCertificates.restype = OSStatus |
| |
| Security.SecTrustSetAnchorCertificatesOnly.argstypes = [SecTrustRef, Boolean] |
| Security.SecTrustSetAnchorCertificatesOnly.restype = OSStatus |
| |
| Security.SecTrustEvaluate.argtypes = [SecTrustRef, POINTER(SecTrustResultType)] |
| Security.SecTrustEvaluate.restype = OSStatus |
| |
| Security.SecTrustGetCertificateCount.argtypes = [SecTrustRef] |
| Security.SecTrustGetCertificateCount.restype = CFIndex |
| |
| Security.SecTrustGetCertificateAtIndex.argtypes = [SecTrustRef, CFIndex] |
| Security.SecTrustGetCertificateAtIndex.restype = SecCertificateRef |
| |
| Security.SSLCreateContext.argtypes = [ |
| CFAllocatorRef, |
| SSLProtocolSide, |
| SSLConnectionType, |
| ] |
| Security.SSLCreateContext.restype = SSLContextRef |
| |
| Security.SSLSetSessionOption.argtypes = [SSLContextRef, SSLSessionOption, Boolean] |
| Security.SSLSetSessionOption.restype = OSStatus |
| |
| Security.SSLSetProtocolVersionMin.argtypes = [SSLContextRef, SSLProtocol] |
| Security.SSLSetProtocolVersionMin.restype = OSStatus |
| |
| Security.SSLSetProtocolVersionMax.argtypes = [SSLContextRef, SSLProtocol] |
| Security.SSLSetProtocolVersionMax.restype = OSStatus |
| |
| try: |
| Security.SSLSetALPNProtocols.argtypes = [SSLContextRef, CFArrayRef] |
| Security.SSLSetALPNProtocols.restype = OSStatus |
| except AttributeError: |
| # Supported only in 10.12+ |
| pass |
| |
| Security.SecCopyErrorMessageString.argtypes = [OSStatus, c_void_p] |
| Security.SecCopyErrorMessageString.restype = CFStringRef |
| |
| Security.SSLReadFunc = SSLReadFunc |
| Security.SSLWriteFunc = SSLWriteFunc |
| Security.SSLContextRef = SSLContextRef |
| Security.SSLProtocol = SSLProtocol |
| Security.SSLCipherSuite = SSLCipherSuite |
| Security.SecIdentityRef = SecIdentityRef |
| Security.SecKeychainRef = SecKeychainRef |
| Security.SecTrustRef = SecTrustRef |
| Security.SecTrustResultType = SecTrustResultType |
| Security.SecExternalFormat = SecExternalFormat |
| Security.OSStatus = OSStatus |
| |
| Security.kSecImportExportPassphrase = CFStringRef.in_dll( |
| Security, "kSecImportExportPassphrase" |
| ) |
| Security.kSecImportItemIdentity = CFStringRef.in_dll( |
| Security, "kSecImportItemIdentity" |
| ) |
| |
| # CoreFoundation time! |
| CoreFoundation.CFRetain.argtypes = [CFTypeRef] |
| CoreFoundation.CFRetain.restype = CFTypeRef |
| |
| CoreFoundation.CFRelease.argtypes = [CFTypeRef] |
| CoreFoundation.CFRelease.restype = None |
| |
| CoreFoundation.CFGetTypeID.argtypes = [CFTypeRef] |
| CoreFoundation.CFGetTypeID.restype = CFTypeID |
| |
| CoreFoundation.CFStringCreateWithCString.argtypes = [ |
| CFAllocatorRef, |
| c_char_p, |
| CFStringEncoding, |
| ] |
| CoreFoundation.CFStringCreateWithCString.restype = CFStringRef |
| |
| CoreFoundation.CFStringGetCStringPtr.argtypes = [CFStringRef, CFStringEncoding] |
| CoreFoundation.CFStringGetCStringPtr.restype = c_char_p |
| |
| CoreFoundation.CFStringGetCString.argtypes = [ |
| CFStringRef, |
| c_char_p, |
| CFIndex, |
| CFStringEncoding, |
| ] |
| CoreFoundation.CFStringGetCString.restype = c_bool |
| |
| CoreFoundation.CFDataCreate.argtypes = [CFAllocatorRef, c_char_p, CFIndex] |
| CoreFoundation.CFDataCreate.restype = CFDataRef |
| |
| CoreFoundation.CFDataGetLength.argtypes = [CFDataRef] |
| CoreFoundation.CFDataGetLength.restype = CFIndex |
| |
| CoreFoundation.CFDataGetBytePtr.argtypes = [CFDataRef] |
| CoreFoundation.CFDataGetBytePtr.restype = c_void_p |
| |
| CoreFoundation.CFDictionaryCreate.argtypes = [ |
| CFAllocatorRef, |
| POINTER(CFTypeRef), |
| POINTER(CFTypeRef), |
| CFIndex, |
| CFDictionaryKeyCallBacks, |
| CFDictionaryValueCallBacks, |
| ] |
| CoreFoundation.CFDictionaryCreate.restype = CFDictionaryRef |
| |
| CoreFoundation.CFDictionaryGetValue.argtypes = [CFDictionaryRef, CFTypeRef] |
| CoreFoundation.CFDictionaryGetValue.restype = CFTypeRef |
| |
| CoreFoundation.CFArrayCreate.argtypes = [ |
| CFAllocatorRef, |
| POINTER(CFTypeRef), |
| CFIndex, |
| CFArrayCallBacks, |
| ] |
| CoreFoundation.CFArrayCreate.restype = CFArrayRef |
| |
| CoreFoundation.CFArrayCreateMutable.argtypes = [ |
| CFAllocatorRef, |
| CFIndex, |
| CFArrayCallBacks, |
| ] |
| CoreFoundation.CFArrayCreateMutable.restype = CFMutableArrayRef |
| |
| CoreFoundation.CFArrayAppendValue.argtypes = [CFMutableArrayRef, c_void_p] |
| CoreFoundation.CFArrayAppendValue.restype = None |
| |
| CoreFoundation.CFArrayGetCount.argtypes = [CFArrayRef] |
| CoreFoundation.CFArrayGetCount.restype = CFIndex |
| |
| CoreFoundation.CFArrayGetValueAtIndex.argtypes = [CFArrayRef, CFIndex] |
| CoreFoundation.CFArrayGetValueAtIndex.restype = c_void_p |
| |
| CoreFoundation.kCFAllocatorDefault = CFAllocatorRef.in_dll( |
| CoreFoundation, "kCFAllocatorDefault" |
| ) |
| CoreFoundation.kCFTypeArrayCallBacks = c_void_p.in_dll( |
| CoreFoundation, "kCFTypeArrayCallBacks" |
| ) |
| CoreFoundation.kCFTypeDictionaryKeyCallBacks = c_void_p.in_dll( |
| CoreFoundation, "kCFTypeDictionaryKeyCallBacks" |
| ) |
| CoreFoundation.kCFTypeDictionaryValueCallBacks = c_void_p.in_dll( |
| CoreFoundation, "kCFTypeDictionaryValueCallBacks" |
| ) |
| |
| CoreFoundation.CFTypeRef = CFTypeRef |
| CoreFoundation.CFArrayRef = CFArrayRef |
| CoreFoundation.CFStringRef = CFStringRef |
| CoreFoundation.CFDictionaryRef = CFDictionaryRef |
| |
| except (AttributeError): |
| raise ImportError("Error initializing ctypes") |
| |
| |
| class CFConst(object): |
| """ |
| A class object that acts as essentially a namespace for CoreFoundation |
| constants. |
| """ |
| |
| kCFStringEncodingUTF8 = CFStringEncoding(0x08000100) |
| |
| |
| class SecurityConst(object): |
| """ |
| A class object that acts as essentially a namespace for Security constants. |
| """ |
| |
| kSSLSessionOptionBreakOnServerAuth = 0 |
| |
| kSSLProtocol2 = 1 |
| kSSLProtocol3 = 2 |
| kTLSProtocol1 = 4 |
| kTLSProtocol11 = 7 |
| kTLSProtocol12 = 8 |
| # SecureTransport does not support TLS 1.3 even if there's a constant for it |
| kTLSProtocol13 = 10 |
| kTLSProtocolMaxSupported = 999 |
| |
| kSSLClientSide = 1 |
| kSSLStreamType = 0 |
| |
| kSecFormatPEMSequence = 10 |
| |
| kSecTrustResultInvalid = 0 |
| kSecTrustResultProceed = 1 |
| # This gap is present on purpose: this was kSecTrustResultConfirm, which |
| # is deprecated. |
| kSecTrustResultDeny = 3 |
| kSecTrustResultUnspecified = 4 |
| kSecTrustResultRecoverableTrustFailure = 5 |
| kSecTrustResultFatalTrustFailure = 6 |
| kSecTrustResultOtherError = 7 |
| |
| errSSLProtocol = -9800 |
| errSSLWouldBlock = -9803 |
| errSSLClosedGraceful = -9805 |
| errSSLClosedNoNotify = -9816 |
| errSSLClosedAbort = -9806 |
| |
| errSSLXCertChainInvalid = -9807 |
| errSSLCrypto = -9809 |
| errSSLInternal = -9810 |
| errSSLCertExpired = -9814 |
| errSSLCertNotYetValid = -9815 |
| errSSLUnknownRootCert = -9812 |
| errSSLNoRootCert = -9813 |
| errSSLHostNameMismatch = -9843 |
| errSSLPeerHandshakeFail = -9824 |
| errSSLPeerUserCancelled = -9839 |
| errSSLWeakPeerEphemeralDHKey = -9850 |
| errSSLServerAuthCompleted = -9841 |
| errSSLRecordOverflow = -9847 |
| |
| errSecVerifyFailed = -67808 |
| errSecNoTrustSettings = -25263 |
| errSecItemNotFound = -25300 |
| errSecInvalidTrustSettings = -25262 |
| |
| # Cipher suites. We only pick the ones our default cipher string allows. |
| # Source: https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D |
| TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C |
| TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D |
| TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C |
| TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035 |
| TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F |
| TLS_AES_128_GCM_SHA256 = 0x1301 |
| TLS_AES_256_GCM_SHA384 = 0x1302 |
| TLS_AES_128_CCM_8_SHA256 = 0x1305 |
| TLS_AES_128_CCM_SHA256 = 0x1304 |
