import datetime import ipaddress import logging import os import ssl import struct from contextlib import contextmanager from dataclasses import dataclass, field from enum import Enum, IntEnum from functools import partial from typing import ( Any, Callable, Dict, Generator, List, Optional, Sequence, Tuple, TypeVar, Union, cast, ) import certifi import service_identity from cryptography import x509 from cryptography.exceptions import InvalidSignature from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, hmac, serialization from cryptography.hazmat.primitives.asymmetric import ( dsa, ec, ed448, ed25519, padding, rsa, x448, x25519, ) from cryptography.hazmat.primitives.asymmetric.types import ( CertificateIssuerPublicKeyTypes, PrivateKeyTypes, ) from cryptography.hazmat.primitives.kdf.hkdf import HKDFExpand from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat from OpenSSL import crypto from .buffer import Buffer, BufferReadError TLS_VERSION_1_2 = 0x0303 TLS_VERSION_1_3 = 0x0304 TLS_VERSION_1_3_DRAFT_28 = 0x7F1C TLS_VERSION_1_3_DRAFT_27 = 0x7F1B TLS_VERSION_1_3_DRAFT_26 = 0x7F1A CLIENT_CONTEXT_STRING = b"TLS 1.3, client CertificateVerify" SERVER_CONTEXT_STRING = b"TLS 1.3, server CertificateVerify" T = TypeVar("T") # facilitate mocking for the test suite def utcnow() -> datetime.datetime: return datetime.datetime.now(datetime.timezone.utc) class AlertDescription(IntEnum): close_notify = 0 unexpected_message = 10 bad_record_mac = 20 record_overflow = 22 handshake_failure = 40 bad_certificate = 42 unsupported_certificate = 43 certificate_revoked = 44 certificate_expired = 45 certificate_unknown = 46 illegal_parameter = 47 unknown_ca = 48 access_denied = 49 decode_error = 50 decrypt_error = 51 protocol_version = 70 insufficient_security = 71 internal_error = 80 inappropriate_fallback = 86 user_canceled = 90 missing_extension = 109 unsupported_extension = 110 unrecognized_name = 112 bad_certificate_status_response = 113 unknown_psk_identity = 115 certificate_required = 116 no_application_protocol = 120 class Alert(Exception): description: AlertDescription class AlertBadCertificate(Alert): description = AlertDescription.bad_certificate class AlertCertificateExpired(Alert): description = AlertDescription.certificate_expired class AlertDecodeError(Alert): description = AlertDescription.decode_error class AlertDecryptError(Alert): description = AlertDescription.decrypt_error class AlertHandshakeFailure(Alert): description = AlertDescription.handshake_failure class AlertIllegalParameter(Alert): description = AlertDescription.illegal_parameter class AlertInternalError(Alert): description = AlertDescription.internal_error class AlertProtocolVersion(Alert): description = AlertDescription.protocol_version class AlertUnexpectedMessage(Alert): description = AlertDescription.unexpected_message class Direction(Enum): DECRYPT = 0 ENCRYPT = 1 class Epoch(Enum): INITIAL = 0 ZERO_RTT = 1 HANDSHAKE = 2 ONE_RTT = 3 class State(Enum): CLIENT_HANDSHAKE_START = 0 CLIENT_EXPECT_SERVER_HELLO = 1 CLIENT_EXPECT_ENCRYPTED_EXTENSIONS = 2 CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE = 3 CLIENT_EXPECT_CERTIFICATE = 4 CLIENT_EXPECT_CERTIFICATE_VERIFY = 5 CLIENT_EXPECT_FINISHED = 6 CLIENT_POST_HANDSHAKE = 7 SERVER_EXPECT_CLIENT_HELLO = 8 SERVER_EXPECT_CERTIFICATE = 9 SERVER_EXPECT_CERTIFICATE_VERIFY = 10 SERVER_EXPECT_FINISHED = 11 SERVER_POST_HANDSHAKE = 12 def hkdf_label(label: bytes, hash_value: bytes, length: int) -> bytes: full_label = b"tls13 " + label return ( struct.pack("!HB", length, len(full_label)) + full_label + struct.pack("!B", len(hash_value)) + hash_value ) def hkdf_expand_label( algorithm: hashes.HashAlgorithm, secret: bytes, label: bytes, hash_value: bytes, length: int, ) -> bytes: return HKDFExpand( algorithm=algorithm, length=length, info=hkdf_label(label, hash_value, length), ).derive(secret) def hkdf_extract( algorithm: hashes.HashAlgorithm, salt: bytes, key_material: bytes ) -> bytes: h = hmac.HMAC(salt, algorithm) h.update(key_material) return h.finalize() def load_pem_private_key( data: bytes, password: Optional[bytes] = None ) -> PrivateKeyTypes: """ Load a PEM-encoded private key. """ return serialization.load_pem_private_key(data, password=password) def load_pem_x509_certificates(data: bytes) -> List[x509.Certificate]: """ Load a chain of PEM-encoded X509 certificates. """ boundary = b"-----END CERTIFICATE-----\n" certificates = [] for chunk in data.split(boundary): if chunk: certificates.append(x509.load_pem_x509_certificate(chunk + boundary)) return certificates def verify_certificate( certificate: x509.Certificate, chain: List[x509.Certificate] = [], server_name: Optional[str] = None, cadata: Optional[bytes] = None, cafile: Optional[str] = None, capath: Optional[str] = None, ) -> None: # verify dates now = utcnow() if now < certificate.not_valid_before_utc: raise AlertCertificateExpired("Certificate is not valid yet") if now > certificate.not_valid_after_utc: raise AlertCertificateExpired("Certificate is no longer valid") # verify subject if server_name is not None: try: ipaddress.ip_address(server_name) except ValueError: is_ip = False else: is_ip = True try: if is_ip: service_identity.cryptography.verify_certificate_ip_address( certificate, server_name ) else: service_identity.cryptography.verify_certificate_hostname( certificate, server_name ) except ( service_identity.CertificateError, service_identity.VerificationError, ) as exc: patterns = service_identity.cryptography.extract_patterns(certificate) if len(patterns) == 0: errmsg = str(exc) elif len(patterns) == 1: errmsg = f"hostname {server_name!r} doesn't match {patterns[0]!r}" else: patterns_repr = ", ".join(repr(pattern) for pattern in patterns) errmsg = ( f"hostname {server_name!r} doesn't match " f"either of {patterns_repr}" ) raise AlertBadCertificate(errmsg) from exc # load CAs store = crypto.X509Store() if cadata is None and cafile is None and capath is None: # Load defaults from certifi. store.load_locations(certifi.where()) if cadata is not None: for cert in load_pem_x509_certificates(cadata): store.add_cert(crypto.X509.from_cryptography(cert)) if cafile is not None or capath is not None: store.load_locations(cafile, capath) # verify certificate chain store_ctx = crypto.X509StoreContext( store, crypto.X509.from_cryptography(certificate), [crypto.X509.from_cryptography(cert) for cert in chain], ) try: store_ctx.verify_certificate() except crypto.X509StoreContextError as exc: raise AlertBadCertificate(exc.args[0]) class CipherSuite(IntEnum): AES_128_GCM_SHA256 = 0x1301 AES_256_GCM_SHA384 = 0x1302 CHACHA20_POLY1305_SHA256 = 0x1303 EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF class CompressionMethod(IntEnum): NULL = 0 class ExtensionType(IntEnum): SERVER_NAME = 0 STATUS_REQUEST = 5 SUPPORTED_GROUPS = 10 SIGNATURE_ALGORITHMS = 13 ALPN = 16 COMPRESS_CERTIFICATE = 27 PRE_SHARED_KEY = 41 EARLY_DATA = 42 SUPPORTED_VERSIONS = 43 COOKIE = 44 PSK_KEY_EXCHANGE_MODES = 45 KEY_SHARE = 51 QUIC_TRANSPORT_PARAMETERS = 0x0039 QUIC_TRANSPORT_PARAMETERS_DRAFT = 0xFFA5 ENCRYPTED_SERVER_NAME = 65486 class Group(IntEnum): SECP256R1 = 0x0017 SECP384R1 = 0x0018 SECP521R1 = 0x0019 X25519 = 0x001D X448 = 0x001E GREASE = 0xAAAA class HandshakeType(IntEnum): CLIENT_HELLO = 1 SERVER_HELLO = 2 NEW_SESSION_TICKET = 4 END_OF_EARLY_DATA = 5 ENCRYPTED_EXTENSIONS = 8 CERTIFICATE = 11 CERTIFICATE_REQUEST = 13 CERTIFICATE_VERIFY = 15 FINISHED = 20 KEY_UPDATE = 24 COMPRESSED_CERTIFICATE = 25 MESSAGE_HASH = 254 class NameType(IntEnum): HOST_NAME = 0 class PskKeyExchangeMode(IntEnum): PSK_KE = 0 PSK_DHE_KE = 1 class SignatureAlgorithm(IntEnum): ECDSA_SECP256R1_SHA256 = 0x0403 ECDSA_SECP384R1_SHA384 = 0x0503 ECDSA_SECP521R1_SHA512 = 0x0603 ED25519 = 0x0807 ED448 = 0x0808 RSA_PKCS1_SHA256 = 0x0401 RSA_PKCS1_SHA384 = 0x0501 RSA_PKCS1_SHA512 = 0x0601 RSA_PSS_PSS_SHA256 = 0x0809 RSA_PSS_PSS_SHA384 = 0x080A RSA_PSS_PSS_SHA512 = 0x080B RSA_PSS_RSAE_SHA256 = 0x0804 RSA_PSS_RSAE_SHA384 = 0x0805 RSA_PSS_RSAE_SHA512 = 0x0806 # legacy RSA_PKCS1_SHA1 = 0x0201 SHA1_DSA = 0x0202 ECDSA_SHA1 = 0x0203 # BLOCKS @contextmanager def pull_block(buf: Buffer, capacity: int) -> Generator: length = int.from_bytes(buf.pull_bytes(capacity), byteorder="big") end = buf.tell() + length yield length if buf.tell() != end: # There was trailing garbage or our parsing was bad. raise AlertDecodeError("extra bytes at the end of a block") @contextmanager def push_block(buf: Buffer, capacity: int) -> Generator: """ Context manager to push a variable-length block, with `capacity` bytes to write the length. """ start = buf.tell() + capacity buf.seek(start) yield end = buf.tell() length = end - start buf.seek(start - capacity) buf.push_bytes(length.to_bytes(capacity, byteorder="big")) buf.seek(end) # LISTS class SkipItem(Exception): "There is nothing to append for this invocation of a pull_list() func" def pull_list(buf: Buffer, capacity: int, func: Callable[[], T]) -> List[T]: """ Pull a list of items. If the callable raises SkipItem, then iteration continues but nothing is added to the list. """ items = [] with pull_block(buf, capacity) as length: end = buf.tell() + length while buf.tell() < end: try: items.append(func()) except SkipItem: pass return items def push_list( buf: Buffer, capacity: int, func: Callable[[T], None], values: Sequence[T] ) -> None: """ Push a list of items. """ with push_block(buf, capacity): for value in values: func(value) def pull_opaque(buf: Buffer, capacity: int) -> bytes: """ Pull an opaque value prefixed by a length. """ with pull_block(buf, capacity) as length: return buf.pull_bytes(length) def push_opaque(buf: Buffer, capacity: int, value: bytes) -> None: """ Push an opaque value prefix by a length. """ with push_block(buf, capacity): buf.push_bytes(value) @contextmanager def push_extension(buf: Buffer, extension_type: int) -> Generator: buf.push_uint16(extension_type) with push_block(buf, 2): yield # ServerName def pull_server_name(buf: Buffer) -> str: with pull_block(buf, 2): name_type = buf.pull_uint8() if name_type != NameType.HOST_NAME: # We don't know this name_type. raise AlertIllegalParameter( f"ServerName has an unknown name type {name_type}" ) return pull_opaque(buf, 2).decode("ascii") def push_server_name(buf: Buffer, server_name: str) -> None: with push_block(buf, 2): buf.push_uint8(NameType.HOST_NAME) push_opaque(buf, 2, server_name.encode("ascii")) # KeyShareEntry KeyShareEntry = Tuple[int, bytes] def pull_key_share(buf: Buffer) -> KeyShareEntry: group = buf.pull_uint16() data = pull_opaque(buf, 2) return (group, data) def push_key_share(buf: Buffer, value: KeyShareEntry) -> None: buf.push_uint16(value[0]) push_opaque(buf, 2, value[1]) # ALPN def pull_alpn_protocol(buf: Buffer) -> str: try: return pull_opaque(buf, 1).decode("ascii") except UnicodeDecodeError: # We can get arbitrary bytes values for alpns from greasing, # but we expect them to be strings in the rest of the API, so # we ignore them if they don't decode as ASCII. raise SkipItem def push_alpn_protocol(buf: Buffer, protocol: str) -> None: push_opaque(buf, 1, protocol.encode("ascii")) # PRE SHARED KEY PskIdentity = Tuple[bytes, int] @dataclass class OfferedPsks: identities: List[PskIdentity] binders: List[bytes] def pull_psk_identity(buf: Buffer) -> PskIdentity: identity = pull_opaque(buf, 2) obfuscated_ticket_age = buf.pull_uint32() return (identity, obfuscated_ticket_age) def push_psk_identity(buf: Buffer, entry: PskIdentity) -> None: push_opaque(buf, 2, entry[0]) buf.push_uint32(entry[1]) def pull_psk_binder(buf: Buffer) -> bytes: return pull_opaque(buf, 1) def push_psk_binder(buf: Buffer, binder: bytes) -> None: push_opaque(buf, 1, binder) def pull_offered_psks(buf: Buffer) -> OfferedPsks: return OfferedPsks( identities=pull_list(buf, 2, partial(pull_psk_identity, buf)), binders=pull_list(buf, 2, partial(pull_psk_binder, buf)), ) def push_offered_psks(buf: Buffer, pre_shared_key: OfferedPsks) -> None: push_list( buf, 2, partial(push_psk_identity, buf), pre_shared_key.identities, ) push_list( buf, 2, partial(push_psk_binder, buf), pre_shared_key.binders, ) # MESSAGES Extension = Tuple[int, bytes] @dataclass class ClientHello: random: bytes legacy_session_id: bytes cipher_suites: List[int] legacy_compression_methods: List[int] # extensions alpn_protocols: Optional[List[str]] = None early_data: bool = False key_share: Optional[List[KeyShareEntry]] = None pre_shared_key: Optional[OfferedPsks] = None psk_key_exchange_modes: Optional[List[int]] = None server_name: Optional[str] = None signature_algorithms: Optional[List[int]] = None supported_groups: Optional[List[int]] = None supported_versions: Optional[List[int]] = None other_extensions: List[Extension] = field(default_factory=list) def pull_handshake_type(buf: Buffer, expected_type: HandshakeType) -> None: """ Pull the message type and assert it is the expected one. If it is not, we have a programming error. """ message_type = buf.pull_uint8() assert message_type == expected_type def pull_client_hello(buf: Buffer) -> ClientHello: pull_handshake_type(buf, HandshakeType.CLIENT_HELLO) with pull_block(buf, 3): if buf.pull_uint16() != TLS_VERSION_1_2: raise AlertDecodeError("ClientHello version is not 1.2") hello = ClientHello( random=buf.pull_bytes(32), legacy_session_id=pull_opaque(buf, 1), cipher_suites=pull_list(buf, 2, buf.pull_uint16), legacy_compression_methods=pull_list(buf, 1, buf.pull_uint8), ) # extensions after_psk = False def pull_extension() -> None: # pre_shared_key MUST be last nonlocal after_psk if after_psk: # the alert is Illegal Parameter per RFC 8446 section 4.2.11. raise AlertIllegalParameter("PreSharedKey is not the last extension") extension_type = buf.pull_uint16() extension_length = buf.pull_uint16() if extension_type == ExtensionType.KEY_SHARE: hello.key_share = pull_list(buf, 2, partial(pull_key_share, buf)) elif extension_type == ExtensionType.SUPPORTED_VERSIONS: hello.supported_versions = pull_list(buf, 1, buf.pull_uint16) elif extension_type == ExtensionType.SIGNATURE_ALGORITHMS: hello.signature_algorithms = pull_list(buf, 2, buf.pull_uint16) elif extension_type == ExtensionType.SUPPORTED_GROUPS: hello.supported_groups = pull_list(buf, 2, buf.pull_uint16) elif extension_type == ExtensionType.PSK_KEY_EXCHANGE_MODES: hello.psk_key_exchange_modes = pull_list(buf, 1, buf.pull_uint8) elif extension_type == ExtensionType.SERVER_NAME: hello.server_name = pull_server_name(buf) elif extension_type == ExtensionType.ALPN: hello.alpn_protocols = pull_list( buf, 2, partial(pull_alpn_protocol, buf) ) elif extension_type == ExtensionType.EARLY_DATA: hello.early_data = True elif extension_type == ExtensionType.PRE_SHARED_KEY: hello.pre_shared_key = pull_offered_psks(buf) after_psk = True else: hello.other_extensions.append( (extension_type, buf.pull_bytes(extension_length)) ) pull_list(buf, 2, pull_extension) return hello def push_client_hello(buf: Buffer, hello: ClientHello) -> None: buf.push_uint8(HandshakeType.CLIENT_HELLO) with push_block(buf, 3): buf.push_uint16(TLS_VERSION_1_2) buf.push_bytes(hello.random) push_opaque(buf, 1, hello.legacy_session_id) push_list(buf, 2, buf.push_uint16, hello.cipher_suites) push_list(buf, 1, buf.push_uint8, hello.legacy_compression_methods) # extensions with push_block(buf, 2): with push_extension(buf, ExtensionType.KEY_SHARE): push_list(buf, 2, partial(push_key_share, buf), hello.key_share) with push_extension(buf, ExtensionType.SUPPORTED_VERSIONS): push_list(buf, 1, buf.push_uint16, hello.supported_versions) with push_extension(buf, ExtensionType.SIGNATURE_ALGORITHMS): push_list(buf, 2, buf.push_uint16, hello.signature_algorithms) with push_extension(buf, ExtensionType.SUPPORTED_GROUPS): push_list(buf, 2, buf.push_uint16, hello.supported_groups) if hello.psk_key_exchange_modes is not None: with push_extension(buf, ExtensionType.PSK_KEY_EXCHANGE_MODES): push_list(buf, 1, buf.push_uint8, hello.psk_key_exchange_modes) if hello.server_name is not None: with push_extension(buf, ExtensionType.SERVER_NAME): push_server_name(buf, hello.server_name) if hello.alpn_protocols is not None: with push_extension(buf, ExtensionType.ALPN): push_list( buf, 2, partial(push_alpn_protocol, buf), hello.alpn_protocols ) for extension_type, extension_value in hello.other_extensions: with push_extension(buf, extension_type): buf.push_bytes(extension_value) if hello.early_data: with push_extension(buf, ExtensionType.EARLY_DATA): pass # pre_shared_key MUST be last if hello.pre_shared_key is not None: with push_extension(buf, ExtensionType.PRE_SHARED_KEY): push_offered_psks(buf, hello.pre_shared_key) @dataclass class ServerHello: random: bytes legacy_session_id: bytes cipher_suite: int compression_method: int # extensions key_share: Optional[KeyShareEntry] = None pre_shared_key: Optional[int] = None supported_version: Optional[int] = None other_extensions: List[Tuple[int, bytes]] = field(default_factory=list) def pull_server_hello(buf: Buffer) -> ServerHello: pull_handshake_type(buf, HandshakeType.SERVER_HELLO) with pull_block(buf, 3): if buf.pull_uint16() != TLS_VERSION_1_2: raise AlertDecodeError("ServerHello version is not 1.2") hello = ServerHello( random=buf.pull_bytes(32), legacy_session_id=pull_opaque(buf, 1), cipher_suite=buf.pull_uint16(), compression_method=buf.pull_uint8(), ) # extensions def pull_extension() -> None: extension_type = buf.pull_uint16() extension_length = buf.pull_uint16() if extension_type == ExtensionType.SUPPORTED_VERSIONS: hello.supported_version = buf.pull_uint16() elif extension_type == ExtensionType.KEY_SHARE: hello.key_share = pull_key_share(buf) elif extension_type == ExtensionType.PRE_SHARED_KEY: hello.pre_shared_key = buf.pull_uint16() else: hello.other_extensions.append( (extension_type, buf.pull_bytes(extension_length)) ) pull_list(buf, 2, pull_extension) return hello def push_server_hello(buf: Buffer, hello: ServerHello) -> None: buf.push_uint8(HandshakeType.SERVER_HELLO) with push_block(buf, 3): buf.push_uint16(TLS_VERSION_1_2) buf.push_bytes(hello.random) push_opaque(buf, 1, hello.legacy_session_id) buf.push_uint16(hello.cipher_suite) buf.push_uint8(hello.compression_method) # extensions with push_block(buf, 2): if hello.supported_version is not None: with push_extension(buf, ExtensionType.SUPPORTED_VERSIONS): buf.push_uint16(hello.supported_version) if hello.key_share is not None: with push_extension(buf, ExtensionType.KEY_SHARE): push_key_share(buf, hello.key_share) if hello.pre_shared_key is not None: with push_extension(buf, ExtensionType.PRE_SHARED_KEY): buf.push_uint16(hello.pre_shared_key) for extension_type, extension_value in hello.other_extensions: with push_extension(buf, extension_type): buf.push_bytes(extension_value) @dataclass class NewSessionTicket: ticket_lifetime: int = 0 ticket_age_add: int = 0 ticket_nonce: bytes = b"" ticket: bytes = b"" # extensions max_early_data_size: Optional[int] = None other_extensions: List[Tuple[int, bytes]] = field(default_factory=list) def pull_new_session_ticket(buf: Buffer) -> NewSessionTicket: new_session_ticket = NewSessionTicket() pull_handshake_type(buf, HandshakeType.NEW_SESSION_TICKET) with pull_block(buf, 3): new_session_ticket.ticket_lifetime = buf.pull_uint32() new_session_ticket.ticket_age_add = buf.pull_uint32() new_session_ticket.ticket_nonce = pull_opaque(buf, 1) new_session_ticket.ticket = pull_opaque(buf, 2) def pull_extension() -> None: extension_type = buf.pull_uint16() extension_length = buf.pull_uint16() if extension_type == ExtensionType.EARLY_DATA: new_session_ticket.max_early_data_size = buf.pull_uint32() else: new_session_ticket.other_extensions.append( (extension_type, buf.pull_bytes(extension_length)) ) pull_list(buf, 2, pull_extension) return new_session_ticket def push_new_session_ticket(buf: Buffer, new_session_ticket: NewSessionTicket) -> None: buf.push_uint8(HandshakeType.NEW_SESSION_TICKET) with push_block(buf, 3): buf.push_uint32(new_session_ticket.ticket_lifetime) buf.push_uint32(new_session_ticket.ticket_age_add) push_opaque(buf, 1, new_session_ticket.ticket_nonce) push_opaque(buf, 2, new_session_ticket.ticket) with push_block(buf, 2): if new_session_ticket.max_early_data_size is not None: with push_extension(buf, ExtensionType.EARLY_DATA): buf.push_uint32(new_session_ticket.max_early_data_size) for extension_type, extension_value in new_session_ticket.other_extensions: with push_extension(buf, extension_type): buf.push_bytes(extension_value) @dataclass class EncryptedExtensions: alpn_protocol: Optional[str] = None early_data: bool = False other_extensions: List[Tuple[int, bytes]] = field(default_factory=list) def pull_encrypted_extensions(buf: Buffer) -> EncryptedExtensions: extensions = EncryptedExtensions() pull_handshake_type(buf, HandshakeType.ENCRYPTED_EXTENSIONS) with pull_block(buf, 3): def pull_extension() -> None: extension_type = buf.pull_uint16() extension_length = buf.pull_uint16() if extension_type == ExtensionType.ALPN: extensions.alpn_protocol = pull_list( buf, 2, partial(pull_alpn_protocol, buf) )[0] elif extension_type == ExtensionType.EARLY_DATA: extensions.early_data = True else: extensions.other_extensions.append( (extension_type, buf.pull_bytes(extension_length)) ) pull_list(buf, 2, pull_extension) return extensions def push_encrypted_extensions(buf: Buffer, extensions: EncryptedExtensions) -> None: buf.push_uint8(HandshakeType.ENCRYPTED_EXTENSIONS) with push_block(buf, 3): with push_block(buf, 2): if extensions.alpn_protocol is not None: with push_extension(buf, ExtensionType.ALPN): push_list( buf, 2, partial(push_alpn_protocol, buf), [extensions.alpn_protocol], ) if extensions.early_data: with push_extension(buf, ExtensionType.EARLY_DATA): pass for extension_type, extension_value in extensions.other_extensions: with push_extension(buf, extension_type): buf.push_bytes(extension_value) CertificateEntry = Tuple[bytes, bytes] @dataclass class Certificate: request_context: bytes = b"" certificates: List[CertificateEntry] = field(default_factory=list) def pull_certificate(buf: Buffer) -> Certificate: certificate = Certificate() pull_handshake_type(buf, HandshakeType.CERTIFICATE) with pull_block(buf, 3): certificate.request_context = pull_opaque(buf, 1) def pull_certificate_entry(buf: Buffer) -> CertificateEntry: data = pull_opaque(buf, 3) extensions = pull_opaque(buf, 2) return (data, extensions) certificate.certificates = pull_list( buf, 3, partial(pull_certificate_entry, buf) ) return certificate def push_certificate(buf: Buffer, certificate: Certificate) -> None: buf.push_uint8(HandshakeType.CERTIFICATE) with push_block(buf, 3): push_opaque(buf, 1, certificate.request_context) def push_certificate_entry(buf: Buffer, entry: CertificateEntry) -> None: push_opaque(buf, 3, entry[0]) push_opaque(buf, 2, entry[1]) push_list( buf, 3, partial(push_certificate_entry, buf), certificate.certificates ) @dataclass class CertificateRequest: request_context: bytes = b"" signature_algorithms: Optional[List[int]] = None other_extensions: List[Tuple[int, bytes]] = field(default_factory=list) def pull_certificate_request(buf: Buffer) -> CertificateRequest: certificate_request = CertificateRequest() pull_handshake_type(buf, HandshakeType.CERTIFICATE_REQUEST) with pull_block(buf, 3): certificate_request.request_context = pull_opaque(buf, 1) def pull_extension() -> None: extension_type = buf.pull_uint16() extension_length = buf.pull_uint16() if extension_type == ExtensionType.SIGNATURE_ALGORITHMS: certificate_request.signature_algorithms = pull_list( buf, 2, buf.pull_uint16 ) else: certificate_request.other_extensions.append( (extension_type, buf.pull_bytes(extension_length)) ) pull_list(buf, 2, pull_extension) return certificate_request def push_certificate_request( buf: Buffer, certificate_request: CertificateRequest ) -> None: buf.push_uint8(HandshakeType.CERTIFICATE_REQUEST) with push_block(buf, 3): push_opaque(buf, 1, certificate_request.request_context) with push_block(buf, 2): with push_extension(buf, ExtensionType.SIGNATURE_ALGORITHMS): push_list( buf, 2, buf.push_uint16, certificate_request.signature_algorithms ) for extension_type, extension_value in certificate_request.other_extensions: with push_extension(buf, extension_type): buf.push_bytes(extension_value) @dataclass class CertificateVerify: algorithm: int signature: bytes def pull_certificate_verify(buf: Buffer) -> CertificateVerify: pull_handshake_type(buf, HandshakeType.CERTIFICATE_VERIFY) with pull_block(buf, 3): algorithm = buf.pull_uint16() signature = pull_opaque(buf, 2) return CertificateVerify(algorithm=algorithm, signature=signature) def push_certificate_verify(buf: Buffer, verify: CertificateVerify) -> None: buf.push_uint8(HandshakeType.CERTIFICATE_VERIFY) with push_block(buf, 3): buf.push_uint16(verify.algorithm) push_opaque(buf, 2, verify.signature) @dataclass class Finished: verify_data: bytes = b"" def pull_finished(buf: Buffer) -> Finished: finished = Finished() pull_handshake_type(buf, HandshakeType.FINISHED) finished.verify_data = pull_opaque(buf, 3) return finished def push_finished(buf: Buffer, finished: Finished) -> None: buf.push_uint8(HandshakeType.FINISHED) push_opaque(buf, 3, finished.verify_data) # CONTEXT class KeySchedule: def __init__(self, cipher_suite: CipherSuite): self.algorithm = cipher_suite_hash(cipher_suite) self.cipher_suite = cipher_suite self.generation = 0 self.hash = hashes.Hash(self.algorithm) self.hash_empty_value = self.hash.copy().finalize() self.secret = bytes(self.algorithm.digest_size) def certificate_verify_data(self, context_string: bytes) -> bytes: return b" " * 64 + context_string + b"\x00" + self.hash.copy().finalize() def finished_verify_data(self, secret: bytes) -> bytes: hmac_key = hkdf_expand_label( algorithm=self.algorithm, secret=secret, label=b"finished", hash_value=b"", length=self.algorithm.digest_size, ) h = hmac.HMAC(hmac_key, algorithm=self.algorithm) h.update(self.hash.copy().finalize()) return h.finalize() def derive_secret(self, label: bytes) -> bytes: return hkdf_expand_label( algorithm=self.algorithm, secret=self.secret, label=label, hash_value=self.hash.copy().finalize(), length=self.algorithm.digest_size, ) def extract(self, key_material: Optional[bytes] = None) -> None: if key_material is None: key_material = bytes(self.algorithm.digest_size) if self.generation: self.secret = hkdf_expand_label( algorithm=self.algorithm, secret=self.secret, label=b"derived", hash_value=self.hash_empty_value, length=self.algorithm.digest_size, ) self.generation += 1 self.secret = hkdf_extract( algorithm=self.algorithm, salt=self.secret, key_material=key_material ) def update_hash(self, data: bytes) -> None: self.hash.update(data) class KeyScheduleProxy: def __init__(self, cipher_suites: List[CipherSuite]): self.__schedules = dict(map(lambda c: (c, KeySchedule(c)), cipher_suites)) def extract(self, key_material: Optional[bytes] = None) -> None: for k in self.__schedules.values(): k.extract(key_material) def select(self, cipher_suite: CipherSuite) -> KeySchedule: return self.__schedules[cipher_suite] def update_hash(self, data: bytes) -> None: for k in self.__schedules.values(): k.update_hash(data) CIPHER_SUITES: Dict = { CipherSuite.AES_128_GCM_SHA256: hashes.SHA256, CipherSuite.AES_256_GCM_SHA384: hashes.SHA384, CipherSuite.CHACHA20_POLY1305_SHA256: hashes.SHA256, } SIGNATURE_ALGORITHMS: Dict = { SignatureAlgorithm.ECDSA_SECP256R1_SHA256: (None, hashes.SHA256), SignatureAlgorithm.ECDSA_SECP384R1_SHA384: (None, hashes.SHA384), SignatureAlgorithm.ECDSA_SECP521R1_SHA512: (None, hashes.SHA512), SignatureAlgorithm.RSA_PKCS1_SHA1: (padding.PKCS1v15, hashes.SHA1), SignatureAlgorithm.RSA_PKCS1_SHA256: (padding.PKCS1v15, hashes.SHA256), SignatureAlgorithm.RSA_PKCS1_SHA384: (padding.PKCS1v15, hashes.SHA384), SignatureAlgorithm.RSA_PKCS1_SHA512: (padding.PKCS1v15, hashes.SHA512), SignatureAlgorithm.RSA_PSS_RSAE_SHA256: (padding.PSS, hashes.SHA256), SignatureAlgorithm.RSA_PSS_RSAE_SHA384: (padding.PSS, hashes.SHA384), SignatureAlgorithm.RSA_PSS_RSAE_SHA512: (padding.PSS, hashes.SHA512), } GROUP_TO_CURVE: Dict = { Group.SECP256R1: ec.SECP256R1, Group.SECP384R1: ec.SECP384R1, Group.SECP521R1: ec.SECP521R1, } CURVE_TO_GROUP = dict((v, k) for k, v in GROUP_TO_CURVE.items()) def cipher_suite_hash(cipher_suite: CipherSuite) -> hashes.HashAlgorithm: return CIPHER_SUITES[cipher_suite]() def decode_public_key( key_share: KeyShareEntry, ) -> Union[ec.EllipticCurvePublicKey, x25519.X25519PublicKey, x448.X448PublicKey, None]: if key_share[0] == Group.X25519: return x25519.X25519PublicKey.from_public_bytes(key_share[1]) elif key_share[0] == Group.X448: return x448.X448PublicKey.from_public_bytes(key_share[1]) elif key_share[0] in GROUP_TO_CURVE: return ec.EllipticCurvePublicKey.from_encoded_point( GROUP_TO_CURVE[key_share[0]](), key_share[1] ) else: return None def encode_public_key( public_key: Union[ ec.EllipticCurvePublicKey, x25519.X25519PublicKey, x448.X448PublicKey ], ) -> KeyShareEntry: if isinstance(public_key, x25519.X25519PublicKey): return (Group.X25519, public_key.public_bytes(Encoding.Raw, PublicFormat.Raw)) elif isinstance(public_key, x448.X448PublicKey): return (Group.X448, public_key.public_bytes(Encoding.Raw, PublicFormat.Raw)) return ( CURVE_TO_GROUP[public_key.curve.__class__], public_key.public_bytes(Encoding.X962, PublicFormat.UncompressedPoint), ) def negotiate( supported: List[T], offered: Optional[List[Any]], exc: Optional[Alert] = None ) -> T: if offered is not None: for c in supported: if c in offered: return c if exc is not None: raise exc return None def signature_algorithm_params(signature_algorithm: int) -> Tuple: if signature_algorithm in (SignatureAlgorithm.ED25519, SignatureAlgorithm.ED448): return tuple() padding_cls, algorithm_cls = SIGNATURE_ALGORITHMS[signature_algorithm] algorithm = algorithm_cls() if padding_cls is None: return (ec.ECDSA(algorithm),) elif padding_cls == padding.PSS: padding_obj = padding_cls( mgf=padding.MGF1(algorithm), salt_length=algorithm.digest_size ) else: padding_obj = padding_cls() return padding_obj, algorithm @contextmanager def push_message( key_schedule: Union[KeySchedule, KeyScheduleProxy], buf: Buffer ) -> Generator: hash_start = buf.tell() yield key_schedule.update_hash(buf.data_slice(hash_start, buf.tell())) # callback types @dataclass class SessionTicket: """ A TLS session ticket for session resumption. """ age_add: int cipher_suite: CipherSuite not_valid_after: datetime.datetime not_valid_before: datetime.datetime resumption_secret: bytes server_name: str ticket: bytes max_early_data_size: Optional[int] = None other_extensions: List[Tuple[int, bytes]] = field(default_factory=list) @property def is_valid(self) -> bool: now = utcnow() return now >= self.not_valid_before and now <= self.not_valid_after @property def obfuscated_age(self) -> int: age = int((utcnow() - self.not_valid_before).total_seconds() * 1000) return (age + self.age_add) % (1 << 32) AlpnHandler = Callable[[str], None] SessionTicketFetcher = Callable[[bytes], Optional[SessionTicket]] SessionTicketHandler = Callable[[SessionTicket], None] class Context: def __init__( self, is_client: bool, alpn_protocols: Optional[List[str]] = None, cadata: Optional[bytes] = None, cafile: Optional[str] = None, capath: Optional[str] = None, cipher_suites: Optional[List[CipherSuite]] = None, logger: Optional[Union[logging.Logger, logging.LoggerAdapter]] = None, max_early_data: Optional[int] = None, server_name: Optional[str] = None, verify_mode: Optional[int] = None, ): # configuration self._alpn_protocols = alpn_protocols self._cadata = cadata self._cafile = cafile self._capath = capath self.certificate: Optional[x509.Certificate] = None self.certificate_chain: List[x509.Certificate] = [] self.certificate_private_key: Optional[ Union[dsa.DSAPrivateKey, ec.EllipticCurvePrivateKey, rsa.RSAPrivateKey] ] = None self.handshake_extensions: List[Extension] = [] self._is_client = is_client self._max_early_data = max_early_data self.session_ticket: Optional[SessionTicket] = None self._request_client_certificate = False # For test purposes only self._server_name = server_name if verify_mode is not None: self._verify_mode = verify_mode else: self._verify_mode = ssl.CERT_REQUIRED if is_client else ssl.CERT_NONE # callbacks self.alpn_cb: Optional[AlpnHandler] = None self.get_session_ticket_cb: Optional[SessionTicketFetcher] = None self.new_session_ticket_cb: Optional[SessionTicketHandler] = None self.update_traffic_key_cb: Callable[ [Direction, Epoch, CipherSuite, bytes], None ] = lambda d, e, c, s: None # supported parameters if cipher_suites is not None: self._cipher_suites = cipher_suites else: self._cipher_suites = [ CipherSuite.AES_256_GCM_SHA384, CipherSuite.AES_128_GCM_SHA256, CipherSuite.CHACHA20_POLY1305_SHA256, ] self._legacy_compression_methods: List[int] = [CompressionMethod.NULL] self._psk_key_exchange_modes: List[int] = [PskKeyExchangeMode.PSK_DHE_KE] self._signature_algorithms: List[int] = [ SignatureAlgorithm.RSA_PSS_RSAE_SHA256, SignatureAlgorithm.ECDSA_SECP256R1_SHA256, SignatureAlgorithm.RSA_PKCS1_SHA256, SignatureAlgorithm.RSA_PKCS1_SHA1, ] if default_backend().ed25519_supported(): self._signature_algorithms.append(SignatureAlgorithm.ED25519) if default_backend().ed448_supported(): self._signature_algorithms.append(SignatureAlgorithm.ED448) self._supported_groups = [Group.SECP256R1] if default_backend().x25519_supported(): self._supported_groups.append(Group.X25519) if default_backend().x448_supported(): self._supported_groups.append(Group.X448) self._supported_versions = [TLS_VERSION_1_3] # state self.alpn_negotiated: Optional[str] = None self.early_data_accepted = False self.key_schedule: Optional[KeySchedule] = None self.received_extensions: Optional[List[Extension]] = None self._certificate_request: Optional[CertificateRequest] = None self._key_schedule_psk: Optional[KeySchedule] = None self._key_schedule_proxy: Optional[KeyScheduleProxy] = None self._new_session_ticket: Optional[NewSessionTicket] = None self._peer_certificate: Optional[x509.Certificate] = None self._peer_certificate_chain: List[x509.Certificate] = [] self._psk_key_exchange_mode: Optional[int] = None self._receive_buffer = b"" self._session_resumed = False self._enc_key: Optional[bytes] = None self._dec_key: Optional[bytes] = None self.__logger = logger self._ec_private_key: Optional[ec.EllipticCurvePrivateKey] = None self._x25519_private_key: Optional[x25519.X25519PrivateKey] = None self._x448_private_key: Optional[x448.X448PrivateKey] = None if is_client: self.client_random = os.urandom(32) self.legacy_session_id = b"" self.state = State.CLIENT_HANDSHAKE_START else: self.client_random = None self.legacy_session_id = None self.state = State.SERVER_EXPECT_CLIENT_HELLO @property def session_resumed(self) -> bool: """ Returns True if session resumption was successfully used. """ return self._session_resumed def handle_message( self, input_data: bytes, output_buf: Dict[Epoch, Buffer] ) -> None: if self.state == State.CLIENT_HANDSHAKE_START: self._client_send_hello(output_buf[Epoch.INITIAL]) return self._receive_buffer += input_data while len(self._receive_buffer) >= 4: # determine message length message_type = self._receive_buffer[0] message_length = 4 + int.from_bytes( self._receive_buffer[1:4], byteorder="big" ) # check message is complete if len(self._receive_buffer) < message_length: break message = self._receive_buffer[:message_length] self._receive_buffer = self._receive_buffer[message_length:] # process the message try: self._handle_reassembled_message( message_type=message_type, input_buf=Buffer(data=message), output_buf=output_buf, ) except BufferReadError: raise AlertDecodeError("Could not parse TLS message") def _handle_reassembled_message( self, message_type: int, input_buf: Buffer, output_buf: Dict[Epoch, Buffer] ) -> None: # client states if self.state == State.CLIENT_EXPECT_SERVER_HELLO: if message_type == HandshakeType.SERVER_HELLO: self._client_handle_hello(input_buf, output_buf[Epoch.INITIAL]) else: raise AlertUnexpectedMessage elif self.state == State.CLIENT_EXPECT_ENCRYPTED_EXTENSIONS: if message_type == HandshakeType.ENCRYPTED_EXTENSIONS: self._client_handle_encrypted_extensions(input_buf) else: raise AlertUnexpectedMessage elif self.state == State.CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE: if message_type == HandshakeType.CERTIFICATE: self._client_handle_certificate(input_buf) elif message_type == HandshakeType.CERTIFICATE_REQUEST: self._client_handle_certificate_request(input_buf) else: raise AlertUnexpectedMessage elif self.state == State.CLIENT_EXPECT_CERTIFICATE: if message_type == HandshakeType.CERTIFICATE: self._client_handle_certificate(input_buf) else: raise AlertUnexpectedMessage elif self.state == State.CLIENT_EXPECT_CERTIFICATE_VERIFY: if message_type == HandshakeType.CERTIFICATE_VERIFY: self._client_handle_certificate_verify(input_buf) else: raise AlertUnexpectedMessage elif self.state == State.CLIENT_EXPECT_FINISHED: if message_type == HandshakeType.FINISHED: self._client_handle_finished(input_buf, output_buf[Epoch.HANDSHAKE]) else: raise AlertUnexpectedMessage elif self.state == State.CLIENT_POST_HANDSHAKE: if message_type == HandshakeType.NEW_SESSION_TICKET: self._client_handle_new_session_ticket(input_buf) else: raise AlertUnexpectedMessage # server states elif self.state == State.SERVER_EXPECT_CLIENT_HELLO: if message_type == HandshakeType.CLIENT_HELLO: self._server_handle_hello( input_buf, output_buf[Epoch.INITIAL], output_buf[Epoch.HANDSHAKE], output_buf[Epoch.ONE_RTT], ) else: raise AlertUnexpectedMessage elif self.state == State.SERVER_EXPECT_CERTIFICATE: if message_type == HandshakeType.CERTIFICATE: self._server_handle_certificate(input_buf, output_buf[Epoch.ONE_RTT]) else: raise AlertUnexpectedMessage elif self.state == State.SERVER_EXPECT_CERTIFICATE_VERIFY: if message_type == HandshakeType.CERTIFICATE_VERIFY: self._server_handle_certificate_verify( input_buf, output_buf[Epoch.ONE_RTT] ) else: raise AlertUnexpectedMessage elif self.state == State.SERVER_EXPECT_FINISHED: if message_type == HandshakeType.FINISHED: self._server_handle_finished(input_buf, output_buf[Epoch.ONE_RTT]) else: raise AlertUnexpectedMessage elif self.state == State.SERVER_POST_HANDSHAKE: raise AlertUnexpectedMessage # This condition should never be reached, because if the message # contains any extra bytes, the `pull_block` inside the message # parser will raise `AlertDecodeError`. assert input_buf.eof() def _build_session_ticket( self, new_session_ticket: NewSessionTicket, other_extensions: List[Extension] ) -> SessionTicket: resumption_master_secret = self.key_schedule.derive_secret(b"res master") resumption_secret = hkdf_expand_label( algorithm=self.key_schedule.algorithm, secret=resumption_master_secret, label=b"resumption", hash_value=new_session_ticket.ticket_nonce, length=self.key_schedule.algorithm.digest_size, ) timestamp = utcnow() return SessionTicket( age_add=new_session_ticket.ticket_age_add, cipher_suite=self.key_schedule.cipher_suite, max_early_data_size=new_session_ticket.max_early_data_size, not_valid_after=timestamp + datetime.timedelta(seconds=new_session_ticket.ticket_lifetime), not_valid_before=timestamp, other_extensions=other_extensions, resumption_secret=resumption_secret, server_name=self._server_name, ticket=new_session_ticket.ticket, ) def _check_certificate_verify_signature(self, verify: CertificateVerify) -> None: if verify.algorithm not in self._signature_algorithms: raise AlertDecryptError( "CertificateVerify has a signature algorithm we did not advertise" ) try: # The type of public_key() is CertificatePublicKeyTypes, but along with # ed25519 and ed448, which are fine, this type includes # x25519 and x448 which can be public keys but can't sign. We know # we won't get x25519 and x448 as they are not on our list of # signature algorithms, so we can cast public key to # CertificateIssuerPublicKeyTypes safely and make mypy happy. public_key = cast( CertificateIssuerPublicKeyTypes, self._peer_certificate.public_key() ) public_key.verify( verify.signature, self.key_schedule.certificate_verify_data( SERVER_CONTEXT_STRING if self._is_client else CLIENT_CONTEXT_STRING ), *signature_algorithm_params(verify.algorithm), ) except InvalidSignature: raise AlertDecryptError def _client_send_hello(self, output_buf: Buffer) -> None: key_share: List[KeyShareEntry] = [] supported_groups: List[int] = [] for group in self._supported_groups: if group == Group.SECP256R1: self._ec_private_key = ec.generate_private_key( GROUP_TO_CURVE[Group.SECP256R1]() ) key_share.append(encode_public_key(self._ec_private_key.public_key())) supported_groups.append(Group.SECP256R1) elif group == Group.X25519: self._x25519_private_key = x25519.X25519PrivateKey.generate() key_share.append( encode_public_key(self._x25519_private_key.public_key()) ) supported_groups.append(Group.X25519) elif group == Group.X448: self._x448_private_key = x448.X448PrivateKey.generate() key_share.append(encode_public_key(self._x448_private_key.public_key())) supported_groups.append(Group.X448) elif group == Group.GREASE: key_share.append((Group.GREASE, b"\x00")) supported_groups.append(Group.GREASE) assert len(key_share), "no key share entries" # Literal IPv4 and IPv6 addresses are not permitted in # Server Name Indication (SNI) hostname. try: ipaddress.ip_address(self._server_name) except ValueError: server_name = self._server_name else: server_name = None hello = ClientHello( random=self.client_random, legacy_session_id=self.legacy_session_id, cipher_suites=[int(x) for x in self._cipher_suites], legacy_compression_methods=self._legacy_compression_methods, alpn_protocols=self._alpn_protocols, key_share=key_share, psk_key_exchange_modes=( self._psk_key_exchange_modes if (self.session_ticket or self.new_session_ticket_cb is not None) else None ), server_name=server_name, signature_algorithms=self._signature_algorithms, supported_groups=supported_groups, supported_versions=self._supported_versions, other_extensions=self.handshake_extensions, ) # PSK if self.session_ticket and self.session_ticket.is_valid: self._key_schedule_psk = KeySchedule(self.session_ticket.cipher_suite) self._key_schedule_psk.extract(self.session_ticket.resumption_secret) binder_key = self._key_schedule_psk.derive_secret(b"res binder") binder_length = self._key_schedule_psk.algorithm.digest_size # update hello if self.session_ticket.max_early_data_size is not None: hello.early_data = True hello.pre_shared_key = OfferedPsks( identities=[ (self.session_ticket.ticket, self.session_ticket.obfuscated_age) ], binders=[bytes(binder_length)], ) # serialize hello without binder tmp_buf = Buffer(capacity=1024) push_client_hello(tmp_buf, hello) # calculate binder hash_offset = tmp_buf.tell() - binder_length - 3 self._key_schedule_psk.update_hash(tmp_buf.data_slice(0, hash_offset)) binder = self._key_schedule_psk.finished_verify_data(binder_key) hello.pre_shared_key.binders[0] = binder self._key_schedule_psk.update_hash( tmp_buf.data_slice(hash_offset, hash_offset + 3) + binder ) # calculate early data key if hello.early_data: early_key = self._key_schedule_psk.derive_secret(b"c e traffic") self.update_traffic_key_cb( Direction.ENCRYPT, Epoch.ZERO_RTT, self._key_schedule_psk.cipher_suite, early_key, ) self._key_schedule_proxy = KeyScheduleProxy(self._cipher_suites) self._key_schedule_proxy.extract(None) with push_message(self._key_schedule_proxy, output_buf): push_client_hello(output_buf, hello) self._set_state(State.CLIENT_EXPECT_SERVER_HELLO) def _client_handle_hello(self, input_buf: Buffer, output_buf: Buffer) -> None: peer_hello = pull_server_hello(input_buf) cipher_suite = negotiate( self._cipher_suites, [peer_hello.cipher_suite], AlertHandshakeFailure("Unsupported cipher suite"), ) if peer_hello.compression_method not in self._legacy_compression_methods: raise AlertIllegalParameter( "ServerHello has a compression method we did not advertise" ) if peer_hello.supported_version not in self._supported_versions: raise AlertIllegalParameter( "ServerHello has a version we did not advertise" ) # select key schedule if peer_hello.pre_shared_key is not None: if ( self._key_schedule_psk is None or peer_hello.pre_shared_key != 0 or cipher_suite != self._key_schedule_psk.cipher_suite ): raise AlertIllegalParameter self.key_schedule = self._key_schedule_psk self._session_resumed = True else: self.key_schedule = self._key_schedule_proxy.select(cipher_suite) self._key_schedule_psk = None self._key_schedule_proxy = None # perform key exchange peer_public_key = decode_public_key(peer_hello.key_share) shared_key: Optional[bytes] = None if ( isinstance(peer_public_key, x25519.X25519PublicKey) and self._x25519_private_key is not None ): shared_key = self._x25519_private_key.exchange(peer_public_key) elif ( isinstance(peer_public_key, x448.X448PublicKey) and self._x448_private_key is not None ): shared_key = self._x448_private_key.exchange(peer_public_key) elif ( isinstance(peer_public_key, ec.EllipticCurvePublicKey) and self._ec_private_key is not None and self._ec_private_key.public_key().curve.__class__ == peer_public_key.curve.__class__ ): shared_key = self._ec_private_key.exchange(ec.ECDH(), peer_public_key) assert shared_key is not None self.key_schedule.update_hash(input_buf.data) self.key_schedule.extract(shared_key) self._setup_traffic_protection( Direction.DECRYPT, Epoch.HANDSHAKE, b"s hs traffic" ) self._set_state(State.CLIENT_EXPECT_ENCRYPTED_EXTENSIONS) def _client_handle_encrypted_extensions(self, input_buf: Buffer) -> None: encrypted_extensions = pull_encrypted_extensions(input_buf) self.alpn_negotiated = encrypted_extensions.alpn_protocol self.early_data_accepted = encrypted_extensions.early_data self.received_extensions = encrypted_extensions.other_extensions if self.alpn_cb: self.alpn_cb(self.alpn_negotiated) self._setup_traffic_protection( Direction.ENCRYPT, Epoch.HANDSHAKE, b"c hs traffic" ) self.key_schedule.update_hash(input_buf.data) # if the server accepted our PSK we are done, other we want its certificate if self._session_resumed: self._set_state(State.CLIENT_EXPECT_FINISHED) else: self._set_state(State.CLIENT_EXPECT_CERTIFICATE_REQUEST_OR_CERTIFICATE) def _client_handle_certificate_request(self, input_buf: Buffer) -> None: self._certificate_request = pull_certificate_request(input_buf) self.key_schedule.update_hash(input_buf.data) self._set_state(State.CLIENT_EXPECT_CERTIFICATE) def _client_handle_certificate(self, input_buf: Buffer) -> None: certificate = pull_certificate(input_buf) self.key_schedule.update_hash(input_buf.data) self._set_peer_certificate(certificate) self._set_state(State.CLIENT_EXPECT_CERTIFICATE_VERIFY) def _client_handle_certificate_verify(self, input_buf: Buffer) -> None: verify = pull_certificate_verify(input_buf) # check signature self._check_certificate_verify_signature(verify) # check certificate if self._verify_mode != ssl.CERT_NONE: verify_certificate( cadata=self._cadata, cafile=self._cafile, capath=self._capath, certificate=self._peer_certificate, chain=self._peer_certificate_chain, server_name=self._server_name, ) self.key_schedule.update_hash(input_buf.data) self._set_state(State.CLIENT_EXPECT_FINISHED) def _client_handle_finished(self, input_buf: Buffer, output_buf: Buffer) -> None: finished = pull_finished(input_buf) # check verify data expected_verify_data = self.key_schedule.finished_verify_data(self._dec_key) if finished.verify_data != expected_verify_data: raise AlertDecryptError self.key_schedule.update_hash(input_buf.data) # prepare traffic keys assert self.key_schedule.generation == 2 self.key_schedule.extract(None) self._setup_traffic_protection( Direction.DECRYPT, Epoch.ONE_RTT, b"s ap traffic" ) next_enc_key = self.key_schedule.derive_secret(b"c ap traffic") if self._certificate_request is not None: # check whether we have a suitable signature algorithm if ( self.certificate is not None and self.certificate_private_key is not None ): signature_algorithm = negotiate( self._signature_algorithms_for_private_key(), self._certificate_request.signature_algorithms, ) else: signature_algorithm = None # send certificate with push_message(self.key_schedule, output_buf): push_certificate( output_buf, Certificate( request_context=self._certificate_request.request_context, certificates=( [ (x.public_bytes(Encoding.DER), b"") for x in [self.certificate] + self.certificate_chain ] if signature_algorithm else [] ), ), ) # send certificate verify if signature_algorithm: signature = self.certificate_private_key.sign( self.key_schedule.certificate_verify_data(CLIENT_CONTEXT_STRING), *signature_algorithm_params(signature_algorithm), ) with push_message(self.key_schedule, output_buf): push_certificate_verify( output_buf, CertificateVerify( algorithm=signature_algorithm, signature=signature ), ) # send finished with push_message(self.key_schedule, output_buf): push_finished( output_buf, Finished( verify_data=self.key_schedule.finished_verify_data(self._enc_key) ), ) # commit traffic key self._enc_key = next_enc_key self.update_traffic_key_cb( Direction.ENCRYPT, Epoch.ONE_RTT, self.key_schedule.cipher_suite, self._enc_key, ) self._set_state(State.CLIENT_POST_HANDSHAKE) def _client_handle_new_session_ticket(self, input_buf: Buffer) -> None: new_session_ticket = pull_new_session_ticket(input_buf) # notify application if self.new_session_ticket_cb is not None: ticket = self._build_session_ticket( new_session_ticket, self.received_extensions ) self.new_session_ticket_cb(ticket) def _server_expect_finished(self, onertt_buf: Buffer): # anticipate client's FINISHED self._expected_verify_data = self.key_schedule.finished_verify_data( self._dec_key ) buf = Buffer(capacity=64) push_finished(buf, Finished(verify_data=self._expected_verify_data)) self.key_schedule.update_hash(buf.data) # create a new session ticket if ( self.new_session_ticket_cb is not None and self._psk_key_exchange_mode is not None ): self._new_session_ticket = NewSessionTicket( ticket_lifetime=86400, ticket_age_add=struct.unpack("I", os.urandom(4))[0], ticket_nonce=b"", ticket=os.urandom(64), max_early_data_size=self._max_early_data, ) # send message push_new_session_ticket(onertt_buf, self._new_session_ticket) # notify application ticket = self._build_session_ticket( self._new_session_ticket, self.handshake_extensions ) self.new_session_ticket_cb(ticket) self._set_state(State.SERVER_EXPECT_FINISHED) def _server_handle_hello( self, input_buf: Buffer, initial_buf: Buffer, handshake_buf: Buffer, onertt_buf: Buffer, ) -> None: peer_hello = pull_client_hello(input_buf) # negotiate parameters cipher_suite = negotiate( self._cipher_suites, peer_hello.cipher_suites, AlertHandshakeFailure("No supported cipher suite"), ) compression_method = negotiate( self._legacy_compression_methods, peer_hello.legacy_compression_methods, AlertHandshakeFailure("No supported compression method"), ) psk_key_exchange_mode = negotiate( self._psk_key_exchange_modes, peer_hello.psk_key_exchange_modes ) signature_algorithm = negotiate( self._signature_algorithms_for_private_key(), peer_hello.signature_algorithms, AlertHandshakeFailure("No supported signature algorithm"), ) supported_version = negotiate( self._supported_versions, peer_hello.supported_versions, AlertProtocolVersion("No supported protocol version"), ) # negotiate ALPN if self._alpn_protocols is not None: self.alpn_negotiated = negotiate( self._alpn_protocols, peer_hello.alpn_protocols, AlertHandshakeFailure("No common ALPN protocols"), ) if self.alpn_cb: self.alpn_cb(self.alpn_negotiated) self.client_random = peer_hello.random self.server_random = os.urandom(32) self.legacy_session_id = peer_hello.legacy_session_id self.received_extensions = peer_hello.other_extensions # select key schedule pre_shared_key = None if ( self.get_session_ticket_cb is not None and psk_key_exchange_mode is not None and peer_hello.pre_shared_key is not None and len(peer_hello.pre_shared_key.identities) == 1 and len(peer_hello.pre_shared_key.binders) == 1 ): # ask application to find session ticket identity = peer_hello.pre_shared_key.identities[0] session_ticket = self.get_session_ticket_cb(identity[0]) # validate session ticket if ( session_ticket is not None and session_ticket.is_valid and session_ticket.cipher_suite == cipher_suite ): self.key_schedule = KeySchedule(cipher_suite) self.key_schedule.extract(session_ticket.resumption_secret) binder_key = self.key_schedule.derive_secret(b"res binder") binder_length = self.key_schedule.algorithm.digest_size hash_offset = input_buf.tell() - binder_length - 3 binder = input_buf.data_slice( hash_offset + 3, hash_offset + 3 + binder_length ) self.key_schedule.update_hash(input_buf.data_slice(0, hash_offset)) expected_binder = self.key_schedule.finished_verify_data(binder_key) if binder != expected_binder: raise AlertHandshakeFailure("PSK validation failed") self.key_schedule.update_hash( input_buf.data_slice(hash_offset, hash_offset + 3 + binder_length) ) self._session_resumed = True # calculate early data key if peer_hello.early_data: early_key = self.key_schedule.derive_secret(b"c e traffic") self.early_data_accepted = True self.update_traffic_key_cb( Direction.DECRYPT, Epoch.ZERO_RTT, self.key_schedule.cipher_suite, early_key, ) pre_shared_key = 0 # if PSK is not used, initialize key schedule if pre_shared_key is None: self.key_schedule = KeySchedule(cipher_suite) self.key_schedule.extract(None) self.key_schedule.update_hash(input_buf.data) # perform key exchange public_key: Union[ ec.EllipticCurvePublicKey, x25519.X25519PublicKey, x448.X448PublicKey ] shared_key: Optional[bytes] = None for key_share in peer_hello.key_share: peer_public_key = decode_public_key(key_share) if isinstance(peer_public_key, x25519.X25519PublicKey): self._x25519_private_key = x25519.X25519PrivateKey.generate() public_key = self._x25519_private_key.public_key() shared_key = self._x25519_private_key.exchange(peer_public_key) break elif isinstance(peer_public_key, x448.X448PublicKey): self._x448_private_key = x448.X448PrivateKey.generate() public_key = self._x448_private_key.public_key() shared_key = self._x448_private_key.exchange(peer_public_key) break elif isinstance(peer_public_key, ec.EllipticCurvePublicKey): self._ec_private_key = ec.generate_private_key( GROUP_TO_CURVE[key_share[0]]() ) public_key = self._ec_private_key.public_key() shared_key = self._ec_private_key.exchange(ec.ECDH(), peer_public_key) break assert shared_key is not None # send hello hello = ServerHello( random=self.server_random, legacy_session_id=self.legacy_session_id, cipher_suite=cipher_suite, compression_method=compression_method, key_share=encode_public_key(public_key), pre_shared_key=pre_shared_key, supported_version=supported_version, ) with push_message(self.key_schedule, initial_buf): push_server_hello(initial_buf, hello) self.key_schedule.extract(shared_key) self._setup_traffic_protection( Direction.ENCRYPT, Epoch.HANDSHAKE, b"s hs traffic" ) self._setup_traffic_protection( Direction.DECRYPT, Epoch.HANDSHAKE, b"c hs traffic" ) # send encrypted extensions with push_message(self.key_schedule, handshake_buf): push_encrypted_extensions( handshake_buf, EncryptedExtensions( alpn_protocol=self.alpn_negotiated, early_data=self.early_data_accepted, other_extensions=self.handshake_extensions, ), ) if pre_shared_key is None: # send certificate request if self._request_client_certificate: with push_message(self.key_schedule, handshake_buf): push_certificate_request( handshake_buf, CertificateRequest( request_context=b"", signature_algorithms=self._signature_algorithms, ), ) # send certificate with push_message(self.key_schedule, handshake_buf): push_certificate( handshake_buf, Certificate( request_context=b"", certificates=[ (x.public_bytes(Encoding.DER), b"") for x in [self.certificate] + self.certificate_chain ], ), ) # send certificate verify signature = self.certificate_private_key.sign( self.key_schedule.certificate_verify_data(SERVER_CONTEXT_STRING), *signature_algorithm_params(signature_algorithm), ) with push_message(self.key_schedule, handshake_buf): push_certificate_verify( handshake_buf, CertificateVerify( algorithm=signature_algorithm, signature=signature ), ) # send finished with push_message(self.key_schedule, handshake_buf): push_finished( handshake_buf, Finished( verify_data=self.key_schedule.finished_verify_data(self._enc_key) ), ) # prepare traffic keys assert self.key_schedule.generation == 2 self.key_schedule.extract(None) self._setup_traffic_protection( Direction.ENCRYPT, Epoch.ONE_RTT, b"s ap traffic" ) self._next_dec_key = self.key_schedule.derive_secret(b"c ap traffic") self._psk_key_exchange_mode = psk_key_exchange_mode if self._request_client_certificate: self._set_state(State.SERVER_EXPECT_CERTIFICATE) else: self._server_expect_finished(onertt_buf) def _server_handle_certificate(self, input_buf: Buffer, output_buf: Buffer) -> None: certificate = pull_certificate(input_buf) self.key_schedule.update_hash(input_buf.data) if certificate.certificates: self._set_peer_certificate(certificate) self._set_state(State.SERVER_EXPECT_CERTIFICATE_VERIFY) else: self._server_expect_finished(output_buf) def _server_handle_certificate_verify( self, input_buf: Buffer, output_buf: Buffer ) -> None: verify = pull_certificate_verify(input_buf) # check signature self._check_certificate_verify_signature(verify) self.key_schedule.update_hash(input_buf.data) self._server_expect_finished(output_buf) def _server_handle_finished(self, input_buf: Buffer, output_buf: Buffer) -> None: finished = pull_finished(input_buf) # check verify data if finished.verify_data != self._expected_verify_data: raise AlertDecryptError # commit traffic key self._dec_key = self._next_dec_key self._next_dec_key = None self.update_traffic_key_cb( Direction.DECRYPT, Epoch.ONE_RTT, self.key_schedule.cipher_suite, self._dec_key, ) self._set_state(State.SERVER_POST_HANDSHAKE) def _setup_traffic_protection( self, direction: Direction, epoch: Epoch, label: bytes ) -> None: key = self.key_schedule.derive_secret(label) if direction == Direction.ENCRYPT: self._enc_key = key else: self._dec_key = key self.update_traffic_key_cb( direction, epoch, self.key_schedule.cipher_suite, key ) def _set_peer_certificate(self, certificate: Certificate) -> None: self._peer_certificate = x509.load_der_x509_certificate( certificate.certificates[0][0] ) self._peer_certificate_chain = [ x509.load_der_x509_certificate(certificate.certificates[i][0]) for i in range(1, len(certificate.certificates)) ] def _set_state(self, state: State) -> None: if self.__logger: self.__logger.debug("TLS %s -> %s", self.state, state) self.state = state def _signature_algorithms_for_private_key(self) -> List[SignatureAlgorithm]: signature_algorithms: List[SignatureAlgorithm] = [] if isinstance(self.certificate_private_key, rsa.RSAPrivateKey): signature_algorithms = [ SignatureAlgorithm.RSA_PSS_RSAE_SHA256, SignatureAlgorithm.RSA_PKCS1_SHA256, SignatureAlgorithm.RSA_PKCS1_SHA1, ] elif isinstance( self.certificate_private_key, ec.EllipticCurvePrivateKey ) and isinstance(self.certificate_private_key.curve, ec.SECP256R1): signature_algorithms = [SignatureAlgorithm.ECDSA_SECP256R1_SHA256] elif isinstance(self.certificate_private_key, ed25519.Ed25519PrivateKey): signature_algorithms = [SignatureAlgorithm.ED25519] elif isinstance(self.certificate_private_key, ed448.Ed448PrivateKey): signature_algorithms = [SignatureAlgorithm.ED448] return signature_algorithms