Gfz* UddlZddlZddlZddlZddlZddlZddlmZddlm Z m Z ddl m Z m Z ddlmZddlmZmZmZmZmZmZmZmZmZmZmZddlZddlZddlmZddl m!Z!dd l"m#Z#dd l$m%Z%m&Z&m'Z'dd l(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0dd l1m2Z2m3Z3dd l4m5Z5ddl6m7Z7m8Z8ddl9m:Z:ddl;mdZ?dZ@dZAdZBdZCdZDedZEdejfdZFGdde ZGGddeHZIGd d!eIZJGd"d#eIZKGd$d%eIZLGd&d'eIZMGd(d)eIZNGd*d+eIZOGd,d-eIZPGd.d/eIZQGd0d1eIZRGd2d3e ZSGd4d5e ZTGd6d7e ZUd8eVd9eVd:eWdeVfd;ZXdZZdeaj@e%j:iZeed<ehjFde%j:fehjHde%j>fehjJde%jLfehjNe-jPe%jRfehjTe-jPe%j:fehjVe-jPe%j>fehjXe-jPe%jLfehjZe-j\e%j:fehj^e-j\e%j>fehj`e-j\e%jLfi Zeed<edjde*jdedjfe*jfedjhe*jhiZeed<edejoDZdeade%jfdZdesdee*jte0jve/jxdffdZdee*jte0jve/jxfdesfdZ ddeeEdeeedeeIdeEfdZdeWdefdZedeeefd]e >ux?O P QR r4 certificatechain server_namecadatacafilecapathc *t}||jkr td||jkDr td|\ t j |d} |r!tjj||n tjj||t%j&} |'|%|#| j)t+j,|>t/|D]0} | j1t$j2j5| 2||| j)||t%j6| t$j2j5||D cgc]!} t$j2j5| #c} } |j9y#t $rd}YVwxYw#tjtjf$r}tjj|} t| dk(r t|} n:t| dk(r d|d| d} n d j!d | D} d|d | } t#| |d}~wwxYwcc} w#t$j:$r}t#|j<dd}~wwxYw) NzCertificate is not valid yetzCertificate is no longer validTFrr(z hostname z doesn't match z, c32K|]}t|ywr.)repr).0patterns r5 z%verify_certificate..s)PG$w-)Psz doesn't match either of )r6not_valid_before_utcrxnot_valid_after_utc ipaddress ip_address ValueErrorservice_identity cryptographyverify_certificate_ip_addressverify_certificate_hostnameCertificateErrorVerificationErrorextract_patternsrstrjoinrvr' X509Storeload_locationscertifiwhereradd_certX509from_cryptographyX509StoreContextverify_certificateX509StoreContextErrorargs)rrrrrrr0is_ipexcpatternserrmsg patterns_reprstorecert store_ctxs r5rrsq (C [ - --%&DEE [ , ,,%&FGG    -E 7 --KK!--II.    E ~&.V^ W]]_- .v6 @D NN6;;88> ? @V/ VV,''  %%k29>? & &t ,?I /$$&m E   - -  . .  7(44EEkRH8}!SX!#$[O?8A;/R $ )Px)P P  /!!.1 &f-3 6! 7H @  ' '/!#((1+../sJF!AF3"&I I"! F0/F03#IA?II"J5J  JceZdZdZdZdZdZy) CipherSuiteiiiN)rSrTrUAES_128_GCM_SHA256AES_256_GCM_SHA384CHACHA20_POLY1305_SHA256EMPTY_RENEGOTIATION_INFO_SCSVr3r4r5rr*s%$*!r4rceZdZdZy)CompressionMethodrN)rSrTrUNULLr3r4r5rr1s Dr4rcHeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZy) ExtensionTyperrr9 )r=r>r?r@rF9iiN)rSrTrU SERVER_NAMESTATUS_REQUESTSUPPORTED_GROUPSSIGNATURE_ALGORITHMSALPNCOMPRESS_CERTIFICATEPRE_SHARED_KEY EARLY_DATASUPPORTED_VERSIONSCOOKIEPSK_KEY_EXCHANGE_MODES KEY_SHAREQUIC_TRANSPORT_PARAMETERSQUIC_TRANSPORT_PARAMETERS_DRAFTENCRYPTED_SERVER_NAMEr3r4r5rr5sUKN DNJ FI &&,#!r4rc$eZdZdZdZdZdZdZdZy)GroupiN) rSrTrU SECP256R1 SECP384R1 SECP521R1X25519X448GREASEr3r4r5rrGs III F D Fr4rc<eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zy ) HandshakeTyper(rrrrrrr:rr N)rSrTrU CLIENT_HELLO SERVER_HELLONEW_SESSION_TICKETEND_OF_EARLY_DATAENCRYPTED_EXTENSIONS CERTIFICATECERTIFICATE_REQUESTCERTIFICATE_VERIFYFINISHED KEY_UPDATECOMPRESSED_CERTIFICATE MESSAGE_HASHr3r4r5r*r*PsDLLKHJLr4r*ceZdZdZy)NameTyperN)rSrTrU HOST_NAMEr3r4r5r:r:_sIr4r:ceZdZdZdZy)PskKeyExchangeModerr(N)rSrTrUPSK_KE PSK_DHE_KEr3r4r5r=r=cs FJr4r=cPeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZy)SignatureAlgorithmiiiiiiiii i i iiiiiiN)rSrTrUECDSA_SECP256R1_SHA256ECDSA_SECP384R1_SHA384ECDSA_SECP521R1_SHA512ED25519ED448RSA_PKCS1_SHA256RSA_PKCS1_SHA384RSA_PKCS1_SHA512RSA_PSS_PSS_SHA256RSA_PSS_PSS_SHA384RSA_PSS_PSS_SHA512RSA_PSS_RSAE_SHA256RSA_PSS_RSAE_SHA384RSA_PSS_RSAE_SHA512RSA_PKCS1_SHA1SHA1_DSA ECDSA_SHA1r3r4r5rArAhse###G E   NHJr4rAbufcapacityc#Ktj|j|d}|j|z}||j|k7r t dyw)Nbig byteorderz!extra bytes at the end of a block)int from_bytes pull_bytestellrz)rSrTrends r5 pull_blockr^sU ^^CNN84^ FF ((*v C L xxzSBCCsAAc#K|j|z}|j|d|j}||z }|j||z |j|j|d|j|yw)zi Context manager to push a variable-length block, with `capacity` bytes to write the length. NrVrW)r\seek push_bytesto_bytes)rSrTstartr]rs r5 push_blockrdso HHJ !EHHUO ((*C 5[FHHUX NN6??8u?=>HHSMsBBceZdZdZy)SkipItemzDThere is nothing to append for this invocation of a pull_list() funcN)rSrTrU__doc__r3r4r5rfrfsJr4rffunccg}t||5}|j|z}|j|kr+ |j||j|kr+ddd|S#t$rY)wxYw#1swY|SxYw)z Pull a list of items. If the callable raises SkipItem, then iteration continues but nothing is added to the list. N)r^r\rrf)rSrTrhitemsrr]s r5 pull_listrks E C "fhhj6!hhj3  TV$hhj3 L    Ls.'A:A+ A:+ A74A:6A77A::Bvaluescft||5|D] }||  dddy#1swYyxYw)z Push a list of items. N)rd)rSrTrhrlvalues r5 push_listros9 C " E K s'0cht||5}|j|cdddS#1swYyxYw)z4 Pull an opaque value prefixed by a length. N)r^r[)rSrTrs r5 pull_opaquerqs1 C "&f~~f%&&&s(1rncht||5|j|dddy#1swYyxYw)z2 Push an opaque value prefix by a length. N)rdra)rSrTrns r5 push_opaquerss/ C " us(1extension_typec#xK|j|t|d5ddddy#1swYyxYwwNr) push_uint16rd)rSrts r5push_extensionrxs3OON# C  s:. :7:ct|d5|j}|tjk7rt d|t |dj dcdddS#1swYyxYw)Nrz$ServerName has an unknown name type ascii)r^ pull_uint8r:r;rrqdecode)rS name_types r5pull_server_namer~si C 3NN$ ** *'6ykB 3"))'2333s A A##A,ct|d5|jtjt |d|j ddddy#1swYyxYw)Nrrz)rd push_uint8r:r;rsencode)rSrs r5push_server_namersJ C 9 x))*CK..w78999s %DE#q'/3"?@ r4pre_shared_keyct|dtt||jt|dtt||j yrv)rorrrrr)rSrs r5push_offered_psksr1sG   !3'!!    % r4c6eZdZUeed<eed<eeed<eeed<dZeee ed<dZ e ed<dZ eee ed <dZeeed <dZeeeed <dZee ed <dZeeeed <dZeeeed<dZeeeed<eeZeeed<y) ClientHellorandomlegacy_session_id cipher_suiteslegacy_compression_methodsNalpn_protocolsF early_data key_sharerpsk_key_exchange_modesrsignature_algorithmssupported_groupssupported_versionsdefault_factoryother_extensions)rSrTrUrrtr rYrrrrboolr KeyShareEntryrrrrrrrrlistr Extensionr3r4r5rrEs M9 $S )+/NHT#Y'.J/3Ix]+,3,0NH[)026HT#Y/6!%K#%04(49-4,0htCy)0.2c+2(-d(Cd9oCr4r expected_typec2|j}||k(sJy)zr Pull the message type and assert it is the expected one. If it is not, we have a programming error. N)r{)rSr message_types r5pull_handshake_typerZs >>#L = (( (r4c ttjtd5j t k7r t dtjdtdtdjtdjdd fd }td|dddS#1swYSxYw) NrzClientHello version is not 1.2 r(r)rrrrFcr tdj}j}|tjk(r!t dt t _y|tjk(rt dj_ y|tjk(rt dj_ y|tjk(rt dj_ y|tjk(rt dj_y|tj"k(rt%_y|tj(k(r!t dt t*_y|tj.k(rd_y|tj2k(rt5_dyj8j;|j=|fy)Nz&PreSharedKey is not the last extensionrr(T)rrrrrkrrrrrrrrrrr{rr r~rrrrrrrrrrrr[)rtextension_length after_pskrShellos r5pull_extensionz)pull_client_hello..pull_extensionts+,TUU __.N"0 !8!88"+CGNC4P"Q=#C#CC+4S!S__+M(=#E#EE-6sAs-O*=#A#AA)233??)K&=#G#GG/8a/P,=#<#<<$4S$9!=#5#55'0G$6<($ =#;#;;#' =#?#??'8'=$ &&--#S^^4D%EFr4r,N) rr*r-r^rTLS_VERSION_1_2rzrr[rqrkr{)rSrrrs` @@r5pull_client_hellords]778 C 1* ??  /"#CD D>>"%)#q1#CCOO<'0a'H   ! F #q.)c1*f Lg1*f Ls B CC rc @|jtjt|d5|j t |j |jt|d|jt|d|j|jt|d|j|jt|d5t|tj5t|dt!t"||j$dddt|tj&5t|d|j|j(dddt|tj*5t|d|j|j,dddt|tj.5t|d|j|j0ddd|j2Et|tj45t|d|j|j2ddd|j69t|tj85t;||j6ddd|j<It|tj>5t|dt!t@||j<ddd|jBD]+\}}t||5|j |ddd-|jDr$t|tjF5 ddd|jH9t|tjJ5tM||jHdddddddddy#1swYxYw#1swYLxYw#1swYxYw#1swYxYw#1swYxYw#1swY`xYw#1swYxYw#1swYxYw#1swYxYw#1swYxYw#1swYxYw#1swYyxYwNrr(r)'rr*r-rdrwrrarrsrrorrrxrrrrrrrrrrrrrrr rrrrrrrrrrrSrrtextension_values r5push_client_hellorswNN=--. C .A ( u||$CE334#q#//5+>+>?#q#..%*J*JKQ & A]%<%<= Q#q'.#">P Q ]%E%EF M#q#//53K3KL M ]%G%GH O#q#//53M3MN O ]%C%CD K#q#//53I3IJ K++7#C)M)MNTc1cnne6R6RST  ,#C)B)BC=$S%*;*;<=##/#C););<Q(:C @%BVBV 493I3I 4/#C84NN?344 4#C)A)AB##/#C)E)EFA%c5+?+?@AK& A.A.A Q Q M M O O K KTT== 44 AAK& A& A.A.AsBPP'N"P(#N "P-#N""P2#N/.P#N<&.PO +.P'O&P&O# 80P(O0*.PO</P7PN PN P"N, 'P/N9 4P<O P O PO P#O- (P0O9 5P<P PP PPceZdZUeed<eed<eed<eed<dZeeed<dZ eeed<dZ eeed<e e Z eeeefed <y) ServerHellorr cipher_suitecompression_methodNrrsupported_versionrr)rSrTrUrrtrYrrrrrrrrr rr3r4r5rrse M*.Ix &-$(NHSM('+x}+05d0Kd5e,-Kr4rcvttjtd5j t k7r t dtjdtdj jdfd }td|dddS#1swYSxYw) NrzServerHello version is not 1.2rr()rrrrcj}j}|tjk(rj_y|tjk(rt _y|tjk(rj_yjj|j|fyr.) rrrrrrrrrrrr[)rtrrSrs r5rz)pull_server_hello..pull_extensions __.N"0 !A!AA*-//*;'=#:#::"0"5=#?#??'*'8$&&--#S^^4D%EFr4rr) rr*r.r^rrrzrr[rqr{rk)rSrrs` @r5pull_server_hellors]778 C * ??  /"#CD D>>"%)#q1*"~~/    #q.)5*8 L9*8 Ls A;B..B8c H|jtjt|d5|j t |j |jt|d|j|j |j|j|jt|d5|j>t|tj5|j |jddd|j 9t|tj"5t%||j ddd|j&>t|tj(5|j |j&ddd|j*D]+\}}t||5|j |ddd- ddddddy#1swYxYw#1swYxYw#1swYmxYw#1swYmxYw#1swYBxYw#1swYyxYwr)rr*r.rdrwrrarrsrrrrrxrrrrrrrrrs r5push_server_hellorsNN=--. C 4 ( u||$CE334 **+ u//0Q  4&&2#C)I)IJ=OOE$;$;<=*#C)@)@A9"389##/#C)E)EF:OOE$8$89:493I3I 4/#C84NN?344 4 444==99::44 4 444sB H6'H G9.H 'G(>.H ,G4&H .H H  HG% !H (G1 -H 4G= 9H H H  H HH!ceZdZUdZeed<dZeed<dZeed<dZ eed<dZ e eed<e e Zeeeefed <y) NewSessionTicketrticket_lifetimeticket_age_addr4 ticket_nonceticketNmax_early_data_sizerr)rSrTrUrrYrtrrrrrrrrrr rr3r4r5rrsYOSNCL%FE*.#-05d0Kd5e,-Kr4rcVtttjt d5j _j _td_ td_ dfd }td|dddS#1swYSxYw)Nrr(rcj}j}|tjk(rj_yj j |j|fyr.)rrrrrrrr[)rtrrSnew_session_tickets r5rz/pull_new_session_ticket..pull_extension1s` __.N"0 !9!999<9J"6"33::#S^^4D%EFr4r) rrr*r/r^rrrrqrrrk)rSrrs` @r5pull_new_session_ticketr's)+]==> C *-0__->*,/OO,=)*5c1*='$/Q$7!  #q.)!*$ %*$ s A!BB(rc |jtjt|d5|j |j |j |j t|d|jt|d|jt|d5|j>t|tj5|j |jddd|jD]+\}}t||5|j|ddd- ddddddy#1swYUxYw#1swYUxYw#1swY*xYw#1swYyxYwr)rr*r/rdrrrrsrrrrxrrrra)rSrrtrs r5push_new_session_ticketr@s8NN=334 C  4 *::; *99:C.;;<C.556 Q  4!55A#C)A)ABLOO$6$J$JKL4F3V3V 4/#C84NN?344 4  4 4 4LL44  4 4 4 4sTA1E'E D4 &E E  E #E4D= 9E E E  E EE!c\eZdZUdZeeed<dZeed<e e Z e e eefed<y)EncryptedExtensionsN alpn_protocolFrrr)rSrTrUrrrrtrrrrrr rrYrr3r4r5rrRs8#'M8C='J05d0Kd5e,-Kr4rctttjt d5dfd }t d|dddS#1swYSxYw)NrcBj}j}|tjk(r$tdt t d_y|tjk(rd_yjj|j|fy)NrrT) rrrrkrrrrrrrr[)rtrrS extensionss r5rz1pull_encrypted_extensions..pull_extension`s __.N"0 !3!33+4G$6<,, ( =#;#;;(, %++22#S^^4D%EFr4rr)rrr*r1r^rk)rSrrs` @r5pull_encrypted_extensionsrZsX$&J]??@ C *  #q.)!*$ %*$ s AArc |jtjt|d5t|d5|jJt |t j5t|dtt||jgddd|jr$t |t j5 ddd|jD]+\}}t ||5|j|ddd- ddddddy#1swYxYw#1swYaxYw#1swYaxYw#1swY6xYw#1swYyxYwNrr)rr*r1rdrrxrrrorrrrrra)rSrrtrs r5push_encrypted_extensionsrss,NN=556 C 4 Q  4''3#C););< 2C8#112 $$#C)A)AB4>3N3N 4/#C84NN?344 4 44444 4 444sj D<'D0 (D .D06D8&D0D$ 0 D0;D< D D0D! D0$D- )D00D9 5D<<Ec>eZdZUdZeed<eeZe e ed<y) Certificater4request_contextrrN) rSrTrUrrrtrrrr CertificateEntryr3r4r5rrs! OU +0+FL$'(Fr4rc  t}t|tjt |d5t |d|_dtdtfd}t|dt|||_ ddd|S#1swY|SxYw)Nrr(rSr,c:t|d}t|d}||fSrr)rSrrs r5pull_certificate_entryz0pull_certificate..pull_certificate_entrys%sA&D$S!,J*% %r4) rrr*r2r^rqrr)rrkrr)rSrrs r5pull_certificaters-K]667 C   &1#q&9 # & &3C & $- G2C8$        s >A99Bc |jtjt|d5t |d|j dt dtddfd}t|dt|||jdddy#1swYyxYw)Nrr(rSrr,cDt|d|dt|d|dy)Nrrrr(rrs r5push_certificate_entryz0push_certificate..push_certificate_entrys" Qa ) Qa )r4) rr*r2rdrsrr)rrorr)rSrrs r5push_certificatersNN=,,- C   CK778 * *7G *D *  G2C8+:R:R     s A BB cbeZdZUdZeed<dZeee ed<e e Z ee e efed<y)CertificateRequestr4rNrrr)rSrTrUrrrtrrr rYrrrrr3r4r5rrs> OU 04(49-405d0Kd5e,-Kr4rctttjt d5t d_dfd }td|dddS#1swYSxYw)Nrr(cj}j}|tjk(rtdj_yj j |j|fyrv)rrrrkrrrr[)rtrrScertificate_requests r5rz0pull_certificate_request..pull_extensionsk __.N"0 !C!CC;DCOO<#8$44;;#S^^4D%EFr4rr)rrr*r3r^rqrrk)rSrrs` @r5pull_certificate_requestrsi,.]>>? C *.9#q.A+  #q.)*" #*" s &A##A-rc $|jtjt|d5t |d|j t|d5t |tj5t|d|j|jddd|jD]+\}}t ||5|j|ddd- ddddddy#1swYUxYw#1swYUxYw#1swY*xYw#1swYyxYwr)rr*r3rdrsrrxrrrorwrrra)rSrrtrs r5push_certificate_requestr sNN=445 C  4C/??@ Q  4]%G%GH COO-@-U-U  4G3W3W 4/#C84NN?344 4  4 4 4   44 4 4 4 4sS$DC:+#C"&C:4C.  C:D"C+ 'C:.C7 3C::D ?DDc"eZdZUeed<eed<y)CertificateVerifyr signatureN)rSrTrUrYrtrr3r4r5r r s Nr4r ct|tjt|d5|j }t |d}dddt S#1swYxYw)Nrrrr )rr*r4r^rrqr )rSrr s r5pull_certificate_verifyrsX]==> C (OO% Q' ( yI FF ((s AA"verifyc|jtjt|d5|j |j t |d|jdddy#1swYyxYwr)rr*r4rdrwrrsr )rSrs r5push_certificate_verifyrsWNN=334 C . (()CF,,-...s 3A((A1ceZdZUdZeed<y)Finishedr4 verify_dataN)rSrTrUrrrtr3r4r5rrs Kr4rcpt}t|tjt |d|_|SNr)rrr*r5rqrrSfinisheds r5 pull_finishedrs-zH]334&sA.H Or4rcp|jtjt|d|jyr)rr*r5rsrrs r5 push_finishedrs&NN=))*Q,,-r4cpeZdZdefdZdedefdZdedefdZdedefd Zdd e edd fd Z d edd fdZ y ) KeySchedulerc*t||_||_d|_t j |j|_|j jj|_ t|jj|_ y)Nr) cipher_suite_hashrr generationrHashhashcopyrhash_empty_valuer digest_sizerselfrs r5__init__zKeySchedule.__init__sc*<8(KK/ $  0 9 9 ;DNN667 r4context_stringr,cdd|zdz|jjjzS)Ns@ )r$r%r)r)r+s r5certificate_verify_dataz#KeySchedule.certificate_verify_datas+>)G3diinn6F6O6O6QQQr4rc.t|j|dd|jj}tj||j}|j |j jj|jS)Nsfinishedr4r)r) rrr'rrrr$r%r)r)rhmac_keyrs r5finished_verify_dataz KeySchedule.finished_verify_datask$nn>>--   IIh$.. 9 !**,-zz|r4rct|j|j||jj j |jj S)Nr)rrrr$r%rr')r)rs r5 derive_secretzKeySchedule.derive_secret)sD nn;;yy~~'002>>--   r4Nrcd|t|jj}|jrGt |j|j d|j |jj|_|xjdz c_t|j|j ||_y)Nsderivedrr()rrr)rrr'r"rrr&r)r)rs r5extractzKeySchedule.extract2s   !;!;z+KeyScheduleProxy.__init__..Jsq+a..Ar4)dictmap_KeyScheduleProxy__schedules)r)rs r5r*zKeyScheduleProxy.__init__Is$A= QRr4Nrr,cd|jjD]}|j|yr.)r@rlr5)r)rks r5r5zKeyScheduleProxy.extractLs,!!((* $A IIl # $r4rc |j|Sr.)r@r(s r5selectzKeyScheduleProxy.selectPs --r4rcd|jjD]}|j|yr.)r@rlr7)r)rrBs r5r7zKeyScheduleProxy.update_hashSs,!!((* A MM$  r4r.) rSrTrUr rr*rrr5rrDr7r3r4r5r9r9HsRSd;&7S$HUO$t$.;.;.  $ r4r9 CIPHER_SUITESrGROUP_TO_CURVEc#*K|] \}}||f ywr.r3)rrBvs r5rrps@Aq!f@srct|Sr.)rF)rs r5r!r!ss  & ((r4rc\|dtjk(r"tjj |dS|dtj k(r"t jj |dS|dtvr1tjjt|d|dSyNrr() rr&r!X25519PublicKeyfrom_public_bytesr'r X448PublicKeyrGrEllipticCurvePublicKeyfrom_encoded_point)rs r5decode_public_keyrRws|u||#%%77 ! EE 1 #!!33IaLAA 1 '((;; 9Q< ( *IaL  r4 public_keyct|tjr>tj|j t jtjfSt|tjr>tj|j t jtjfSt|jj|j t jtj fSr.) isinstancer!rMrr& public_bytesr%Rawr&r rOr'CURVE_TO_GROUPcurve __class__X962UncompressedPoint)rSs r5encode_public_keyr]s *f445 j55hllLDTDTUVV J 2 2 3 J33HLL,BRBRSTTz''112 |/M/MN r4 supportedofferedrc.||D] }||vs|cS||yr.r3)r^r_rr<s r5 negotiateras4 AG|   r4signature_algorithmcB|tjtjfvr tSt|\}}|}|t j |fS|tjk(r+|tj||j}||fS|}||fS)N)mgf salt_length) rArErFtuplerrECDSArPSSMGF1r')rb padding_cls algorithm_clsr padding_objs r5signature_algorithm_paramsrms199;M;S;STTw!56I!JKI#%%  #! Y'Y5J5J  !!"m  !!r4 key_schedulec#K|j}d|j|j||jywr.)r\r7 data_slice)rnrS hash_starts r5 push_messagerrs5J S^^J CDsAAceZdZUdZeed<eed<ejed<ejed<eed<e ed<eed<d Z e eed <e e Zeeeefed <ed efdZed efdZy ) SessionTicketz6 A TLS session ticket for session resumption. age_addrnot_valid_afternot_valid_beforeresumption_secretrrNrrrr,cVt}||jk\xr||jkSr.)r6rwrv)r)r0s r5is_validzSessionTicket.is_valids*hd+++Kt7K7K0KKr4ctt|jz jdz}||jzdzS)Nil)rYr6rw total_secondsru)r)ages r5obfuscated_agezSessionTicket.obfuscated_ages;68d333BBDtKLdll"w//r4)rSrTrUrgrYrtrr/rrrrrrrr rpropertyrrzr~r3r4r5rtrtsL&&&''' M)-#-05d0Kd5e,-K L$LL000r4rtczeZdZ d3dedeeedeedeedeedeeedee e je jfd ee d eed ee fd Zed efdZdedeeefd dfdZde dedeeefd dfdZdedeed efdZded dfdZded dfdZdeded dfdZded dfdZded dfdZded dfdZ ded dfdZ!deded dfd Z"ded dfd!Z#d"efd#Z$ded$ed%ed"ed df d&Z%deded dfd'Z&deded dfd(Z'deded dfd)Z(d*e)d+ed,ed dfd-Z*d.e+d dfd/Z,d0e-d dfd1Z.d ee/fd2Z0y)4ContextN is_clientrrrrrloggermax_early_datar verify_modec 6||_||_||_||_d|_g|_d|_g|_||_||_ d|_ d|_ | |_ | | |_ n'|rtjntj |_ d|_d|_d|_d|_|||_n4t,j.t,j0t,j2g|_t4j6g|_t:j<g|_t@jBt@jDt@jFt@jHt@jJt@jLt@jNg|_(tSjUr)|jPjWt@jXtSj[r)|jPjWt@j\t^j`t^jbg|_2tSjgr)|jdjWt^jhtSjkr)|jdjWt^jltng|_8d|_9d|_:d|_;d|_<d|_=d|_>d|_?d|_@d|_Ag|_Bd|_Cd|_Dd|_Ed|_Fd|_G||_Hg|_Id|_Jd|_K|r7tjd|_Nd|_Otj|_Ryd|_Nd|_Otj|_Ry)NFcyr.r3)der<ss r5r=z"Context.__init__.. sr4r4r)T_alpn_protocols_cadata_cafile_capathrcertificate_chaincertificate_private_keyhandshake_extensions _is_client_max_early_datasession_ticket_request_client_certificate _server_name _verify_modessl CERT_REQUIRED CERT_NONEalpn_cbget_session_ticket_cbnew_session_ticket_cbupdate_traffic_key_cb_cipher_suitesrrrrrr_legacy_compression_methodsr=r?_psk_key_exchange_modesrArBrMrGrCrNrHrP_signature_algorithmsred25519_supportedrrEed448_supportedrFrr#r$_supported_groupsx25519_supportedr&x448_supportedr'TLS_VERSION_1_3_supported_versionsalpn_negotiatedearly_data_acceptedrnreceived_extensions_certificate_request_key_schedule_psk_key_schedule_proxy_new_session_ticket_peer_certificate_peer_certificate_chain_psk_key_exchange_mode_receive_buffer_session_resumed_enc_key_dec_key_Context__logger_ec_private_keys_x25519_private_key_x448_private_keyosurandom client_randomrrrstater) r)rrrrrrrrrrs r5r*zContext.__init__s .   7;9;  $68!#-7;+0('  " +D 5> 1 1CMMD /3 EI"EI" $ "  $"/D ....44#D  8I7M7M6N(3E3P3P2Q$  5 5  2 2  / /  5 5  2 2  / /  - -1 "   . . 0  & & - -.@.H.H I   , , .  & & - -.@.F.F G"'//5??!C   - - /  " " ) )%,, 7   + + -  " " ) )%** 5$3#4 /3#( 37>B BF!8<?C ?C =A?A$59#" %)- )-  BDFJ @D !#BD %(D "55DJ!%D %)D "99DJr4r,c|jS)zK Returns True if session resumption was successfully used. )r)r)s r5session_resumedzContext.session_resumedIs $$$r4 input_data output_bufcd|jtjk(r#|j|tj y|xj |z c_t|j dk\r|j d}dtj|j dddz}t|j |kry|j d|}|j |d|_ |j|t||t|j dk\ryy#t$r tdwxYw) Nrrr(rVrW)r)r input_bufrzCould not parse TLS message)rrr_client_send_hellorrrrrYrZ_handle_reassembled_messager)r*rz)r)rrrmessage_lengthmessages r5handle_messagezContext.handle_messagePs* ::55 5  # #Ju}}$= >   *$&&'1,//2L$$Qq)U"0"N 4''(>9**?N;G#'#7#7#HD  F00!-$'2)1$&&'1,(# F&'DEE Fs !DD/rrc|jtjk(r>|tjk(r%|j ||t jnt|jtjk(r,|tjk(r|j|n[t|jtjk(rR|tjk(r|j|n|tjk(r|j!|nt|jtj"k(r,|tjk(r|j|nt|jtj$k(r,|tj&k(r|j)|nZt|jtj*k(r>|tj,k(r%|j/||t j0nt|jtj2k(r,|tj4k(r|j7|nt|jtj8k(rb|tj:k(rI|j=||t j|t j0|t j>n7t|jtj@k(r=|tjk(r$|jC||t j>nt|jtjDk(r=|tj&k(r$|jG||t j>nt|jtjHk(r=|tj,k(r$|jK||t j>n)t|jtjLk(rt|jOsJyr.)(rrrr*r._client_handle_hellorrrrr1#_client_handle_encrypted_extensionsrr2_client_handle_certificater3"_client_handle_certificate_requestrrr4!_client_handle_certificate_verifyrr5_client_handle_finishedrrr/!_client_handle_new_session_ticketrr-_server_handle_hellorr_server_handle_certificater!_server_handle_certificate_verifyr_server_handle_finishedreof)r)rrrs r5rz#Context._handle_reassembled_messageos ::99 9}999)))Z 5NO,, ZZ5CC C}AAA88C,, ZZ5QQ Q}888// :!B!BB77 B,, ZZ5:: :}888// :,, ZZ5AA A}???66yA,, ZZ577 7}555,,Y 5??8ST,, ZZ566 6}???66yA,,ZZ5;; ;}999))u}}-u/u}}- -, ZZ5:: :}888// :emm;TU,, ZZ5AA A}???66z%--8-, ZZ577 7}555,,Y 5==8QR,, ZZ566 6( ( }}r4rrc |jjd}t|jj|d|j|jjj }t }t|j|jj|j|tj|jz||||j|j S)Ns res masters resumptionr)seconds) rurrrvrwrrxrr)rnr3rrrr'r6rtrrrr/ timedeltarrr)r)rrresumption_master_secretrx timestamps r5_build_session_ticketzContext._build_session_tickets$(#4#4#B#B=#Q -''11+)66$$..::  H &55**77 2 F F%  );)K)KLM&-/))%,,  r4rc|j|jvr td tt|j j }|j|j|jj|jrtntgt|jy#t$rtwxYw)Nz@CertificateVerify has a signature algorithm we did not advertise)rrr|rr"rrSrr rnr.rSERVER_CONTEXT_STRINGCLIENT_CONTEXT_STRINGrmr)r)rrSs r5#_check_certificate_verify_signaturez+Context._check_certificate_verify_signatures   4#=#= =#R  $/1G1G1R1R1TJ J    !!99-1__)BW  ,F,<,<=    $# # $s BB..B>c| g}g}|jD]}|tjk(rutjj |_|jt|j j|jtj|tjk(rvtjj |_ |jt|jj|jtj|tjk(rB|jtjdf|jtjj|tvstt!j"t|}|j$j||jt|j|j|t'|sJd t)j*|j,d}t1|j2|j4|j6Dcgc] }t9|c}|j:|j<||j>s |j@ |jBnd||jD||jF|jH }|j>r2|j>jJrtM|j>jN|_(|jPjS|j>jT|jPjWd} |jPjXjZ} |j>j\d|_/ta|j>jb|j>jdfgtg| g|_4tkd} tm| || jo| z d z } |jPjq| jsd | |jPju| } | |jhjvd <|jPjq| js| | d z| z|j^r_|jPjWd }|jytzj|t~j|jPjN|t|j6|_B|jjSdt|j|5tm||ddd|jtjy#t.$r|j,}YywxYwcc}w#1swYJxYw) Nr-zno key share entries) rrrrrrrrrrrr res binderTrirTrr c e traffic)Grrr&r!X25519PrivateKeygeneraterrr]rSr'r X448PrivateKeyrr(rGrgenerate_private_keyrrrrrrrrrrrYrrrrrrrrrzrrrr5rxr3rr'rrrrr~rrr)rr\r7rpr1rrrrrrr9rrr _set_staterr)r)rrrrec_private_keyrxr binder_key binder_lengthtmp_buf hash_offsetr early_keys r5rzContext._client_send_hellos)+ &(++ /E $+1+B+B+K+K+M(  %d&>&>&I&I&KL!'' 5%**$)-)<)<)E)E)G&  !243I3I3T3T3V!WX '' 3%,,&  %,,!89 '' 5.(!#!8!89N9P!Q%%,,^<  !2>3L3L3N!OP ''.% /(9~555~   !2!2 3K%%"44+/+>+>?a3q6?'+'G'G//''4+E+E+Q,,#!%!;!;-#77!66! (   4#6#6#?#?%01D1D1Q1Q%RD "  " " * *4+>+>+P+P Q//==mLJ 22<<HHM""66B#' #.((//1D1D1S1ST}-. $E d+G gu -",,.=81|j<j>k(s?|j-t5j@|}d|J|jjC|jD|jjG||jItJjLtNjPd|jStTjVy)NzUnsupported cipher suitez9ServerHello has a compression method we did not advertisez.ServerHello has a version we did not advertiserT s hs traffic),rrarrr~rrrrrrrrnrrrDrRrrUr!rMrexchanger rOrrrPrrSrYrZECDHr7rr5_setup_traffic_protectionrrrrrrr)r)rr peer_hellorpeer_public_key shared_keyrs r5rzContext._client_handle_helloYsV&y1      $ $ % !"< =  ( (0P0P P'K   ' 't/G/G G'@   $ $ 0&&.,,14#9#9#F#FF++ $ 6 6D $(D ! $ 8 8 ? ? MD !%#' ,J,@,@A&* (>(> ?((411::?KJ (:(: ;&&2//88IJ )B)B C"&"7"7 U"--/55??&,,667"0!8!8O!TJ  U %%% %%inn5 !!*- &&   u  @@Ar4c t|}|j|_|j|_|j |_|jr|j|j|jtjtjd|jj|j|j r |j#t$j&y|j#t$j(y)N c hs traffic)rrrrrrrrrrrrrrnr7rrrrrr)r)rencrypted_extensionss r5rz+Context._client_handle_encrypted_extensionss8C3AA#7#B#B #7#H#H  << LL-- . &&   u  %%inn5  OOE88 9 OOERR Sr4ct||_|jj|j|j t jyr.)rrrnr7rrrr)r)rs r5rz*Context._client_handle_certificate_requests9$>?r4ct|}|j||jtjk7rMt |j |j|j|j|j|j|jj|j|jt j"y)N)rrrrrr)rrrrrrrrrrrrrnr7rrrr)r)rrs r5rz)Context._client_handle_certificate_verifys(3 008    - |||||| 2222 --   %%inn5 445r4c t|}|jj|j}|j|k7rt |jj |j|jjdk(sJ|jjd|jtjtjd|jjd}|j W|j";|j$/t'|j)|j j*}nd}t-|j|5t/|t1|j j2|rG|j"g|j4zDcgc]#}|j7t8j:df%c}ngddd|ry|j$j<|jj?t@gtC|}t-|j|5tE|tG||dddt-|j|5tI|tK|jj|jLddd||_&|jOtjPtj|jjR|jL|jUtVjXycc}w#1swYWxYw#1swYxYw#1swYxYw)Nr s ap traffic c ap trafficr4rrrr)-rrnr1rrr|r7rr"r5rrrrrr3rrrra%_signature_algorithms_for_private_keyrrrrrrrrVr%DERsignr.rrmrr rrrrrrrrr) r)rrrexpected_verify_data next_enc_keyrbrr s r5rzContext._client_handle_finisheds + $00EEdmmT   #7 7# # %%inn5  ++q000 !!$' &&   u}}o ((66G  $ $ 0  ,00<&/>>@--BB'# '+#d//<  (,(A(A(Q(Q 3+/*:*:);d>T>T)T$%"# !=s C "$   "#=D88==%%==>ST/0CD "$"3"3Z@+")&9Y$++Z 8   $ 1 1 F Ft}} U  %  ""    MM    * * MM   334U   ,  s6?L!(L>L!/L.%:L:L!!L+.L7:Mct|}|j.|j||j}|j|yyr.)rrrr)r)rrrs r5rz)Context._client_handle_new_session_ticketsK4Y?  % % 1//"D$<$<F  & &v . 2r4 onertt_bufc |jj|j|_t d}t |t |j|jj|j|j|jtdtjdtjdddtjd|j |_t%||j"|j'|j"|j(}|j||j+t,j.y) N@rriQIrrr4)rrrrr)rnr1r_expected_verify_datar)rrr7rrrrrunpackrrrrrrrrrr)r)r rSrs r5_server_expect_finishedzContext._server_expect_finished)s%)%6%6%K%K MM& "b!c80J0JKL %%chh/  & & 2++7'7 %%}}S"**Q-@C zz"~$($8$8 (D $ $J0H0H I//(($*C*CF  & &v . 445r4 initial_buf handshake_bufc Rt|}t|j|jt d}t|j |j t d}t|j|j}t|j|jt d} t|j|jtd} |j/t|j|jt d|_|j"|_t'j(d|_|j,|_|j.|_|j2r|j3|j d} |j4F|C|j66t9|j6j:dk(rt9|j6j<dk(r|j6j:d} |j5| d} | | j>r| j@|k(rtC||_"|jDjG| jH|jDjKd }|jDjLjN}|jQ|z d z }|jS|d z|d z|z}|jDjU|jSd||jDjW|}||k7r t d |jDjU|jS||d z|zd |_,|jZrf|jDjKd }d |_.|j_t`jbtdjf|jDj@|d} | PtC||_"|jDjGd|jDjU|jhd}|jjD]}tm|}to|tpjrr[tpjtjw|_<|jxj{}|jxj}|}nto|t~jrZt~jjw|_B|jj{}|jj}|}nto|tjstjt|d}|jj||j{}|j}tj|}n|Jt|j*|j,||t| | }t|jD|5t||ddd|jDjG||jt`jtdjd|jt`jbtdjdt|jD|5t|t|j |j\|jddd| @|jr@t|jD|5t|td|jdddt|jD|5t|td|jg|jzDcgc]#}|jtjdf%c}ddd|jj|jDjtgt| }t|jD|5t|t| |dddt|jD|5t|t|jDjW|jddd|jDjdk(sJ|jDjGd|jt`jtdjd|jDjKd|_k||_l|jr |jtjy|j|y#1swY=xYw#1swY|xYw#1swY:xYwcc}w#1swYxYw#1swYexYw#1swYxYw)NzNo supported cipher suitezNo supported compression methodz No supported signature algorithmzNo supported protocol versionzNo common ALPN protocolsrr(rrrzPSK validation failedTr)rrrrrrrrr)rrrr4)rrrrrrrr)qrrarrr~rrrrrrrrrrrrrrrr server_randomrrrrrrrrrrzrrrnr5rxr3rr'r\rpr7r1rrrrrrrrrrrRrUr!rMrrrrSrr rOrrrrPrrGrrrrr]rrrrrrrrrrr rrrrrrrVr%rrrr.rrmrr rrrr"r _next_dec_keyrrrrr)r)rrrr rrrpsk_key_exchange_moderbrrrrrrrrexpected_binderrrrrrSrrrr s r5rzContext._server_handle_helloJs>'y1 !     $ $ !"= > '  , ,  1 1 !"C D  !*  ( (**K*K! (  6 6 8  + + !"D E  &  $ $  ) ) !@ A     +#,$$))%&@A$D (..ZZ^!+!=!=#-#>#>  << LL-- .  & & 2%1))5J--889Q>J--556!;"00;;A>H!77 DN*"++"//<?$/ $=!!!)).*J*JK!..<<]K $ 1 1 ; ; G G 'nn.>B "--!O[1_}%D!!--i.B.B1k.RS"&"3"3"H"H"T_,/0GHH!!--((kAo 6UV)-%(( $ 1 1 ? ? OI/3D,..!))))66! "#  ! +L 9D     % %d +    ) )).. 9 '+ #-- I/ :O/6+A+AB+1+B+B+K+K+M(!55@@B !55>>O OT-?-?@)-)<)<)E)E)G&!33>>@ !33<<_M OR-F-FG!#!8!8 RS 9U9W!X%%,,^<+668 +44RWWYP # $%%%%%"44%1' 3)/ $++[ 9 2 k5 1 2 !!*- &&   u  &&   u $++] ;  %#"&"6"6#77%)%>%>    !//!$"3"3]C,%*,/151K1Kd//?  !(+'+&6&6%7$:P:P%P& !^^HLL93?&  :4499!!99:OP+,?@Id//? '!%"5 $++] ;   $ 1 1 F Ft}} U    ++q000 !!$' &&   u}}o "..<<_M&;#  + + OOE;; <  ( ( 4c 2 2  &  "    sZ e27e#"e0)f?(e=' ff :fe #e-0e:=ff ff&ct|}|jj|j|jr1|j ||j tjy|j|yr.) rrnr7rrrrrrr)r)rrrs r5rz"Context._server_handle_certificate/s[&y1  %%inn5  # #  & &{ 3 OOEBB C  ( ( 4r4ct|}|j||jj|j|j |yr.)rrrnr7rr)r)rrrs r5rz)Context._server_handle_certificate_verify9sD)3 008 %%inn5 $$Z0r4cbt|}|j|jk7rt|j|_d|_|j tjtj|jj|j |jtjyr.)rrrr|rrrrrrrrnrrrr)r)rrrs r5rzContext._server_handle_finishedDs +   4#=#= =# #** ! ""    MM    * * MM   334r4 directionepochrc|jj|}|tjk(r||_n||_|j |||jj|yr.)rnr3rrrrrr)r)rrrkeys r5rz!Context._setup_traffic_protectionWsY--e4  )) )DMDM "" ud//< %s)rdebugr)r)rs r5rzContext._set_statens* == MM   E B r4c\g}t|jtjrOtj tj tjtjtjg}|St|jtjrAt|jjtjrtjg}|St|jtjrAt|jjtjrtj g}|St|jt"j$rtj&g}|St|jt(j*rtj,g}|Sr.)rUrr RSAPrivateKeyrArMrGrNrHrPrEllipticCurvePrivateKeyrYr#rBr$rCrEd25519PrivateKeyrErEd448PrivateKeyrF)r)rs r5rz-Context._signature_algorithms_for_private_keyssO9; d22C4E4E F"66"33"66"33"11 $ &$#  ( ("*D*D 55;;R\\J$6$M$M#N $#  ( ("*D*D 55;;R\\J$6$M$M#N $# 44g6O6O P$6$>$>#? $#44e6K6K L$6$<$<#= ##r4) NNNNNNNNN)1rSrTrUrrr rrrrloggingLogger LoggerAdapterrYr*rrr rr)rrrrrtrr rrrrrrrrrrrrrrrrrrrrrArr3r4r5rrs9/3"& $ $59IM(,%)%)f:f:!c+f: f:  f:  f: [ 12f:w~~w/D/DDEFf:! f:c]f:c]f:P%%% FF-1%--@F F>NN,2N@DUF]@SN N` "2 FJ9o  4$:K$PT$4d:Vd:d:L=Bf=B&=BT=B~TVTT,9F9t9 @F@t@666d6(O5O5VO5PTO5b/6/d/6&6Bc5c5c5 c5  c5  c5J5F55SW5 1 1-3 1  155V5PT5&  "  +0  9>       $ $trjrXr!rPrMrOrRr]rarmrrrt AlpnHandlerSessionTicketFetcherSessionTicketHandlerrr3r4r5rJs3  %(    48FF   ?O+!!!<< CL8!!8"w"<"I"3%37e70u0115E55E5224546U6 DD"e ##          ##+0@E .2G G#E?GG U tD4D4D/E %'!%"  K/!!K/   !K/#K/ UO K/ SM K/ SM K/ K/\+'+  "G"$G G w 2DFDcDiDD F c i  $KyK6SQDG$ &.sDy&9CKA; &V&s&u&Vs5T 3&3S39&9s9t9c5j! = ""}""Fs2F2c2d2 E3J    -6-k- 6+$ E   4 6k 6 ; 4 " #u*   DD D()V)M)d)565k5p0A60A+0A$0Af  L L  L6kB464+4$4: LL L,<244=M4RV4$ LL L6.A24647J4t4,& GG G &[&  &  {  t   LL L &-?04 4&84 4$   GG,=G..1B.t.  v(.v..d.55p   """FMM""FMM((&-- t--fmm/D--fmm/D--fmm/D%%(8(8&++'F'''*:*:FMM)J'''*:*:FMM)J'''*:*:FMM)J**W[[&--,H**W[[&--,H**W[[&--,H d  OOR\\ OOR\\ OOR\\ @)=)=)?@@)K)F4H4H)   2 $ $f&<&P>PRV VW   !!6#9#94;M;MM   NR Aw !)$s)!4 ;CE?  "C"E""E %556E=CEEE 00 06ud{# -)@ @A 56i$i$r4