Downgraade urllib3==1.26.16

2025-08-14 18:47:19 -07:00 · 2023-08-23 21:52:33 -07:00 · 2023-08-23 21:52:33 -07:00 · d6b3ed178e
commit d6b3ed178e
parent eac78a3047
40 changed files with 4877 additions and 4445 deletions
--- a/lib/urllib3/contrib/_securetransport/bindings.py
+++ b/lib/urllib3/contrib/_securetransport/bindings.py
@ -1,5 +1,3 @@
-# type: ignore
-
 """
 This module uses ctypes to bind a whole bunch of functions and constants from
 SecureTransport. The goal here is to provide the low-level API to
@ -31,8 +29,7 @@ license and by oscrypto's:
    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
    DEALINGS IN THE SOFTWARE.
 """
-
-from __future__ import annotations
+from __future__ import absolute_import

 import platform
 from ctypes import (
@ -51,6 +48,8 @@ from ctypes import (
 )
 from ctypes.util import find_library

+from ...packages.six import raise_from
+
 if platform.system() != "Darwin":
    raise ImportError("Only macOS is supported")

@ -58,16 +57,16 @@ version = platform.mac_ver()[0]
 version_info = tuple(map(int, version.split(".")))
 if version_info < (10, 8):
    raise OSError(
-        f"Only OS X 10.8 and newer are supported, not {version_info[0]}.{version_info[1]}"
+        "Only OS X 10.8 and newer are supported, not %s.%s"
+        % (version_info[0], version_info[1])
    )


-def load_cdll(name: str, macos10_16_path: str) -> CDLL:
+def load_cdll(name, macos10_16_path):
    """Loads a CDLL by name, falling back to known path on 10.16+"""
    try:
        # Big Sur is technically 11 but we use 10.16 due to the Big Sur
        # beta being labeled as 10.16.
-        path: str | None
        if version_info >= (10, 16):
            path = macos10_16_path
        else:
@ -76,7 +75,7 @@ def load_cdll(name: str, macos10_16_path: str) -> CDLL:
            raise OSError  # Caught and reraised as 'ImportError'
        return CDLL(path, use_errno=True)
    except OSError:
-        raise ImportError(f"The library {name} failed to load") from None
+        raise_from(ImportError("The library %s failed to load" % name), None)


 Security = load_cdll(
@ -417,14 +416,104 @@ try:
    CoreFoundation.CFStringRef = CFStringRef
    CoreFoundation.CFDictionaryRef = CFDictionaryRef

-except AttributeError:
-    raise ImportError("Error initializing ctypes") from None
+except (AttributeError):
+    raise ImportError("Error initializing ctypes")


-class CFConst:
+class CFConst(object):
    """
    A class object that acts as essentially a namespace for CoreFoundation
    constants.
    """

    kCFStringEncodingUTF8 = CFStringEncoding(0x08000100)
+
+
+class SecurityConst(object):
+    """
+    A class object that acts as essentially a namespace for Security constants.
+    """
+
+    kSSLSessionOptionBreakOnServerAuth = 0
+
+    kSSLProtocol2 = 1
+    kSSLProtocol3 = 2
+    kTLSProtocol1 = 4
+    kTLSProtocol11 = 7
+    kTLSProtocol12 = 8
+    # SecureTransport does not support TLS 1.3 even if there's a constant for it
+    kTLSProtocol13 = 10
+    kTLSProtocolMaxSupported = 999
+
+    kSSLClientSide = 1
+    kSSLStreamType = 0
+
+    kSecFormatPEMSequence = 10
+
+    kSecTrustResultInvalid = 0
+    kSecTrustResultProceed = 1
+    # This gap is present on purpose: this was kSecTrustResultConfirm, which
+    # is deprecated.
+    kSecTrustResultDeny = 3
+    kSecTrustResultUnspecified = 4
+    kSecTrustResultRecoverableTrustFailure = 5
+    kSecTrustResultFatalTrustFailure = 6
+    kSecTrustResultOtherError = 7
+
+    errSSLProtocol = -9800
+    errSSLWouldBlock = -9803
+    errSSLClosedGraceful = -9805
+    errSSLClosedNoNotify = -9816
+    errSSLClosedAbort = -9806
+
+    errSSLXCertChainInvalid = -9807
+    errSSLCrypto = -9809
+    errSSLInternal = -9810
+    errSSLCertExpired = -9814
+    errSSLCertNotYetValid = -9815
+    errSSLUnknownRootCert = -9812
+    errSSLNoRootCert = -9813
+    errSSLHostNameMismatch = -9843
+    errSSLPeerHandshakeFail = -9824
+    errSSLPeerUserCancelled = -9839
+    errSSLWeakPeerEphemeralDHKey = -9850
+    errSSLServerAuthCompleted = -9841
+    errSSLRecordOverflow = -9847
+
+    errSecVerifyFailed = -67808
+    errSecNoTrustSettings = -25263
+    errSecItemNotFound = -25300
+    errSecInvalidTrustSettings = -25262
+
+    # Cipher suites. We only pick the ones our default cipher string allows.
+    # Source: https://developer.apple.com/documentation/security/1550981-ssl_cipher_suite_values
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8
+    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F
+    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
+    TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D
+    TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C
+    TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D
+    TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C
+    TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
+    TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
+    TLS_AES_128_GCM_SHA256 = 0x1301
+    TLS_AES_256_GCM_SHA384 = 0x1302
+    TLS_AES_128_CCM_8_SHA256 = 0x1305
+    TLS_AES_128_CCM_SHA256 = 0x1304
--- a/lib/urllib3/contrib/_securetransport/low_level.py
+++ b/lib/urllib3/contrib/_securetransport/low_level.py
@ -7,8 +7,6 @@ CoreFoundation messing about and memory management. The concerns in this module
 are almost entirely about trying to avoid memory leaks and providing
 appropriate and useful assistance to the higher-level code.
 """
-from __future__ import annotations
-
 import base64
 import ctypes
 import itertools
@ -17,20 +15,8 @@ import re
 import ssl
 import struct
 import tempfile
-import typing

-from .bindings import (  # type: ignore[attr-defined]
-    CFArray,
-    CFConst,
-    CFData,
-    CFDictionary,
-    CFMutableArray,
-    CFString,
-    CFTypeRef,
-    CoreFoundation,
-    SecKeychainRef,
-    Security,
-)
+from .bindings import CFConst, CoreFoundation, Security

 # This regular expression is used to grab PEM data out of a PEM bundle.
 _PEM_CERTS_RE = re.compile(
@ -38,7 +24,7 @@ _PEM_CERTS_RE = re.compile(
 )


-def _cf_data_from_bytes(bytestring: bytes) -> CFData:
+def _cf_data_from_bytes(bytestring):
    """
    Given a bytestring, create a CFData object from it. This CFData object must
    be CFReleased by the caller.
@ -48,9 +34,7 @@ def _cf_data_from_bytes(bytestring: bytes) -> CFData:
    )


-def _cf_dictionary_from_tuples(
-    tuples: list[tuple[typing.Any, typing.Any]]
-) -> CFDictionary:
+def _cf_dictionary_from_tuples(tuples):
    """
    Given a list of Python tuples, create an associated CFDictionary.
    """
@ -72,7 +56,7 @@ def _cf_dictionary_from_tuples(
    )


-def _cfstr(py_bstr: bytes) -> CFString:
+def _cfstr(py_bstr):
    """
    Given a Python binary data, create a CFString.
    The string must be CFReleased by the caller.
@ -86,7 +70,7 @@ def _cfstr(py_bstr: bytes) -> CFString:
    return cf_str


-def _create_cfstring_array(lst: list[bytes]) -> CFMutableArray:
+def _create_cfstring_array(lst):
    """
    Given a list of Python binary data, create an associated CFMutableArray.
    The array must be CFReleased by the caller.
@ -113,11 +97,11 @@ def _create_cfstring_array(lst: list[bytes]) -> CFMutableArray:
    except BaseException as e:
        if cf_arr:
            CoreFoundation.CFRelease(cf_arr)
-        raise ssl.SSLError(f"Unable to allocate array: {e}") from None
+        raise ssl.SSLError("Unable to allocate array: %s" % (e,))
    return cf_arr


-def _cf_string_to_unicode(value: CFString) -> str | None:
+def _cf_string_to_unicode(value):
    """
    Creates a Unicode string from a CFString object. Used entirely for error
    reporting.
@ -139,12 +123,10 @@ def _cf_string_to_unicode(value: CFString) -> str | None:
        string = buffer.value
    if string is not None:
        string = string.decode("utf-8")
-    return string  # type: ignore[no-any-return]
+    return string


-def _assert_no_error(
-    error: int, exception_class: type[BaseException] | None = None
-) -> None:
+def _assert_no_error(error, exception_class=None):
    """
    Checks the return code and throws an exception if there is an error to
    report
@ -156,8 +138,8 @@ def _assert_no_error(
    output = _cf_string_to_unicode(cf_error_string)
    CoreFoundation.CFRelease(cf_error_string)

-    if output is None or output == "":
-        output = f"OSStatus {error}"
+    if output is None or output == u"":
+        output = u"OSStatus %s" % error

    if exception_class is None:
        exception_class = ssl.SSLError
@ -165,7 +147,7 @@ def _assert_no_error(
    raise exception_class(output)


-def _cert_array_from_pem(pem_bundle: bytes) -> CFArray:
+def _cert_array_from_pem(pem_bundle):
    """
    Given a bundle of certs in PEM format, turns them into a CFArray of certs
    that can be used to validate a cert chain.
@ -211,23 +193,23 @@ def _cert_array_from_pem(pem_bundle: bytes) -> CFArray:
    return cert_array


-def _is_cert(item: CFTypeRef) -> bool:
+def _is_cert(item):
    """
    Returns True if a given CFTypeRef is a certificate.
    """
    expected = Security.SecCertificateGetTypeID()
-    return CoreFoundation.CFGetTypeID(item) == expected  # type: ignore[no-any-return]
+    return CoreFoundation.CFGetTypeID(item) == expected


-def _is_identity(item: CFTypeRef) -> bool:
+def _is_identity(item):
    """
    Returns True if a given CFTypeRef is an identity.
    """
    expected = Security.SecIdentityGetTypeID()
-    return CoreFoundation.CFGetTypeID(item) == expected  # type: ignore[no-any-return]
+    return CoreFoundation.CFGetTypeID(item) == expected


-def _temporary_keychain() -> tuple[SecKeychainRef, str]:
+def _temporary_keychain():
    """
    This function creates a temporary Mac keychain that we can use to work with
    credentials. This keychain uses a one-time password and a temporary file to
@ -262,9 +244,7 @@ def _temporary_keychain() -> tuple[SecKeychainRef, str]:
    return keychain, tempdirectory


-def _load_items_from_file(
-    keychain: SecKeychainRef, path: str
-) -> tuple[list[CFTypeRef], list[CFTypeRef]]:
+def _load_items_from_file(keychain, path):
    """
    Given a single file, loads all the trust objects from it into arrays and
    the keychain.
@ -319,7 +299,7 @@ def _load_items_from_file(
    return (identities, certificates)


-def _load_client_cert_chain(keychain: SecKeychainRef, *paths: str | None) -> CFArray:
+def _load_client_cert_chain(keychain, *paths):
    """
    Load certificates and maybe keys from a number of files. Has the end goal
    of returning a CFArray containing one SecIdentityRef, and then zero or more
@ -355,10 +335,10 @@ def _load_client_cert_chain(keychain: SecKeychainRef, *paths: str | None) -> CFA
    identities = []

    # Filter out bad paths.
-    filtered_paths = (path for path in paths if path)
+    paths = (path for path in paths if path)

    try:
-        for file_path in filtered_paths:
+        for file_path in paths:
            new_identities, new_certs = _load_items_from_file(keychain, file_path)
            identities.extend(new_identities)
            certificates.extend(new_certs)
@ -403,7 +383,7 @@ TLS_PROTOCOL_VERSIONS = {
 }


-def _build_tls_unknown_ca_alert(version: str) -> bytes:
+def _build_tls_unknown_ca_alert(version):
    """
    Builds a TLS alert record for an unknown CA.
    """
@ -415,60 +395,3 @@ def _build_tls_unknown_ca_alert(version: str) -> bytes:
    record_type_alert = 0x15
    record = struct.pack(">BBBH", record_type_alert, ver_maj, ver_min, msg_len) + msg
    return record
-
-
-class SecurityConst:
-    """
-    A class object that acts as essentially a namespace for Security constants.
-    """
-
-    kSSLSessionOptionBreakOnServerAuth = 0
-
-    kSSLProtocol2 = 1
-    kSSLProtocol3 = 2
-    kTLSProtocol1 = 4
-    kTLSProtocol11 = 7
-    kTLSProtocol12 = 8
-    # SecureTransport does not support TLS 1.3 even if there's a constant for it
-    kTLSProtocol13 = 10
-    kTLSProtocolMaxSupported = 999
-
-    kSSLClientSide = 1
-    kSSLStreamType = 0
-
-    kSecFormatPEMSequence = 10
-
-    kSecTrustResultInvalid = 0
-    kSecTrustResultProceed = 1
-    # This gap is present on purpose: this was kSecTrustResultConfirm, which
-    # is deprecated.
-    kSecTrustResultDeny = 3
-    kSecTrustResultUnspecified = 4
-    kSecTrustResultRecoverableTrustFailure = 5
-    kSecTrustResultFatalTrustFailure = 6
-    kSecTrustResultOtherError = 7
-
-    errSSLProtocol = -9800
-    errSSLWouldBlock = -9803
-    errSSLClosedGraceful = -9805
-    errSSLClosedNoNotify = -9816
-    errSSLClosedAbort = -9806
-
-    errSSLXCertChainInvalid = -9807
-    errSSLCrypto = -9809
-    errSSLInternal = -9810
-    errSSLCertExpired = -9814
-    errSSLCertNotYetValid = -9815
-    errSSLUnknownRootCert = -9812
-    errSSLNoRootCert = -9813
-    errSSLHostNameMismatch = -9843
-    errSSLPeerHandshakeFail = -9824
-    errSSLPeerUserCancelled = -9839
-    errSSLWeakPeerEphemeralDHKey = -9850
-    errSSLServerAuthCompleted = -9841
-    errSSLRecordOverflow = -9847
-
-    errSecVerifyFailed = -67808
-    errSecNoTrustSettings = -25263
-    errSecItemNotFound = -25300
-    errSecInvalidTrustSettings = -25262