@OOfVddlZddlZddlZddlZddlmZddlmZddlmZddl m Z ddl m Z ddl mZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlm Z ddlmZ!dZ"ejFjHe%ejFddzZ&GddeZ'dejPde)e*defdZ+GddZ,de-dej\fdZ/y)N)Path)Any) TypedDict)H3_ALPN) CipherSuite)x509)crypto)SSL)certs) connection)ctx) exceptions)tls) CONF_BASENAME)context)modes)quic)zECDHE-ECDSA-AES128-GCM-SHA256zECDHE-RSA-AES128-GCM-SHA256zECDHE-ECDSA-AES256-GCM-SHA384zECDHE-RSA-AES256-GCM-SHA384zECDHE-ECDSA-CHACHA20-POLY1305zECDHE-RSA-CHACHA20-POLY1305zDHE-RSA-AES128-GCM-SHA256zDHE-RSA-AES256-GCM-SHA384zDHE-RSA-CHACHA20-POLY1305zECDHE-ECDSA-AES128-SHA256zECDHE-RSA-AES128-SHA256zECDHE-ECDSA-AES128-SHAzECDHE-RSA-AES128-SHAzECDHE-ECDSA-AES256-SHA384zECDHE-RSA-AES256-SHA384zECDHE-ECDSA-AES256-SHAzECDHE-RSA-AES256-SHAzDHE-RSA-AES128-SHA256zDHE-RSA-AES256-SHA256zAES128-GCM-SHA256zAES256-GCM-SHA384z AES128-SHA256z AES256-SHA256z AES128-SHAz AES256-SHAz DES-CBC3-SHA#X509_CHECK_FLAG_NEVER_CHECK_SUBJECTc8eZdZUedzed<edzed<eed<y)AppDataN client_alpn server_alpnhttp2)__name__ __module__ __qualname__bytes__annotations__bool[/var/www/premiumrankchecker/venv/lib/python3.12/site-packages/mitmproxy/addons/tlsconfig.pyrrBs Kr!rconnoptionsreturnc,|j}|d}|d}|d}|||vr|StjS|r||vr|S|dk(rtjS|rtjntj }|D] }||vs|cStjS)Nrrrr!) get_app_datar NO_OVERLAPPING_PROTOCOLS proxy_tls HTTP_ALPNS HTTP1_ALPNS)r#r$app_datarrr http_alpnsalpns r"alpn_select_callbackr/Hs))+H=)K=)K W E ' ! // /{g-c+++).%%I4I4IJ, : K,+++r!c.eZdZUdZdZej ed<dZde jfdZ de jddfd Z de jddfd Zdej ddfd Zdej ddfd Zd ZdZdej,dej.fdZy) TlsConfigzj This addon supplies the proxy core with the desired OpenSSL connection objects to negotiate TLS. N certstorec \|jdttjjtj Dcgc]}|jc}d|jdttj jtj Dcgc]}|jc}d|jdttjjtj Dcgc]}|jc}d|jdttj jtj Dcgc]}|jc}d |jd tdzdd |jd tdzdd ycc}wcc}wcc}wcc}w)Ntls_version_client_minz3Set the minimum TLS version for client connections.)nametypespecdefaultchoiceshelptls_version_client_maxz3Set the maximum TLS version for client connections.tls_version_server_minz3Set the minimum TLS version for server connections.tls_version_server_maxz3Set the maximum TLS version for server connections.tls_ecdh_curve_clientzUse a specific elliptic curve for ECDHE key exchange on client connections. OpenSSL syntax, for example "prime256v1" (see `openssl ecparam -list_curves`).)r5r6r7r9tls_ecdh_curve_serverzUse a specific elliptic curve for ECDHE key exchange on server connections. OpenSSL syntax, for example "prime256v1" (see `openssl ecparam -list_curves`).) add_optionstrnet_tlsDEFAULT_MIN_VERSIONr5VersionDEFAULT_MAX_VERSION)selfloaderxs r"loadzTlsConfig.loadvsp)//44%,__5QVV5F   )//44%,__5QVV5F   )//44%,__5QVV5F   )//44%,__5QVV5F   (4Z]   (4Z]  ?6666sFF-F$F)tls_clienthelloc|j}|jjxrtjj dk(|_y)Neager)rserverrr r$connection_strategyestablish_server_tls_first)rErI conn_contexts r"rIzTlsConfig.tls_clienthellos8&..    # # R (G(G7(R 2r! tls_startr%c |jyt|jtjsJ|j}|j j }|j|j }|jsHtjjr.tjjjd|_|jxst}tjjr |j}ng}t!j"|j$rt j&j(nt j&j*t j,tjj.t j,tjj0t3|tjj4|j6dt8t3||j:j< }t?j@||_|jjC|jDjG|jjItJjLjO|jPtS|j jTdk(r4t|j jTdtVjXrd}n |jZ}|jj]t_||jZtjj`|jjcy) z/Establish TLS or DTLS between client and proxy.N:F) method min_version max_version cipher_list ecdh_curve chain_filerequest_client_certr/extra_chain_certsdhparamsrshttp/1.1)rrr)2ssl_conn isinstancer#r ClientrrLget_certrVr r$ciphers_clientsplitDEFAULT_CIPHERS"add_upstream_certs_to_client_chaincertificate_listrAcreate_client_proxy_contextis_dtlsMethodDTLS_SERVER_METHODTLS_SERVER_METHODrCr4r:tupler=rXr/r2r[r Connectionuse_certificatecert to_pyopenssluse_privatekeyr PKeyfrom_cryptography_key privatekeylenlayersr HttpProxyr. set_app_datarrset_accept_state) rErPclientrLentryrVrZssl_ctxrs r"tls_start_clientzTlsConfig.tls_start_clientsH    ) )..**;*;<<<$-NN$-$5$5$<$< i//0!!ckk&@&@!$!;!;!A!A#!FF ((;O ;; 9 9 & 7 7  " 55  >>4411 (J(JK (J(JKk*{{88'' %!5#$56^^,,  !^^G4 **5::+B+B+DE)) KK - -e.>.> ?  y  '' (A -*    $ $Q '3 )4K ++K'' '"KKkk''   ++-r!c Z |jyt|jtjsJ|j j }|j}|jsJtjjrtjj}ntjj}|j"|jxs|jd|_|j sj|j rWtjj"rt%|j |_n)t%d|j D|_ng|_|j&sHtjj(r.tjj(j+d|_|j&xst,}d}tjj.rt0j2j5tjj.}t0j2j7|r|}na|jxs|jd}t0j2j9||d} t0j2j7| r| }tj:|j<rtj>j@ntj>jBtjDtjjFtjDtjjHt%|tjjJ|tjjLtjjN|tjj } tQjR| |_|jrt|jtTsJtPjVjY|jjZ} tPjVj]| t^ tajb|jjd} tPjVjg| | ti| } tQjj| dk(n'|tjjur tmd |j r%|jju|j |jjwy#tl$r{|jjod}|jjq|tPjVjs| |ti|} tQjj| dk(YwxYw) z/Establish TLS or DTLS between proxy and server.Nrc3,K|] }|dk7s |yw)sh2Nr .0rGs r" z-TlsConfig.tls_start_server..s/e/s rRz.pem) rSrTrUrVrWverifyca_path ca_pemfile client_certlegacy_server_connectidnaz0Cannot validate certificate hostname without SNI)#ssl_verify_upstream_trusted_confdirssl_verify_upstream_trusted_car rlr@_libSSL_get0_param_sslX509_VERIFY_PARAM_set_hostflagsDEFAULT_HOSTFLAGS ipaddress ip_addresspackedX509_VERIFY_PARAM_set1_iprt_openssl_assert ValueErrorencodeset_tlsext_host_nameX509_VERIFY_PARAM_set1_hostset_alpn_protosset_connect_state)rErPryrLrrVrr server_namepr{paramipok host_names r"tls_start_serverzTlsConfig.tls_start_servers    ) )..**;*;<<<$-$5$5$<$<$-NN~~~ ;; # #^^//F^^//F :: 8v~~a'8FJ!!!!;;$$*/v/A/A)BF&)./#)#5#5/*F&&("!!ckk&@&@!$!;!;!A!A#!FF ((;O "& ;; # #77--ckk.F.FGLww~~l+* #)::#B1B GGLL+d/CD77>>!$"#K55  >>4411 (J(JK (J(JKk*{{88KKCC{{AA#"%++":":  !^^G4  ::fjj#. ..HH++I,>,>,C,CDE HH 4 4U>55 5OP P       . .v/A/A B,,.% -"JJ--f5 ""77 BXX999c)n##B!G,  -s)T&&BV*)V*cf|jytj|_t|jt j sJ|j}|jj}|j|j}|jsHtjjr.tjjjd|_ tjjr |j }ng}|jr0|jDcgc] }t"| c}|j_|j&|j&fDcgc]}|s| c}xs |j(Dcgc]}|j+dc}|j_|j.j0|j_|j4|j_g|j8|Dcgc]}|j0c}|j_ycc}wcc}wcc}wcc}w)z(Establish QUIC between client and proxy.NrRascii)settingsrQuicTlsSettingsr^r#r r_rrLr`rVr r$rarbrdrer cipher_suitesr.rdecodealpn_protocolsrn_cert certificaterscertificate_private_key chain_certscertificate_chain) rErPryrLrzrZcipherr.rns r"quic_start_clientzTlsConfig.quic_start_clientOs    ) !113 )..**;*;<<<$-NN$-$5$5$<$< i//0!!ckk&@&@!$!;!;!A!A#!FF  ;; 9 9 & 7 7  "    282D2D0(. F#0I   , ,2;; *DM$M"!!-  KK - )*/)9)9 &5:5E5E 2#KU%6%6#K9J#K0 DJJ0 ,0 N- 0 s!HH$%H$<H)9H.c|jytj|_t|jt j sJ|jj}|j}|jsJtjjr tj|j_ntj |j_|j""|j"xs|jd|_|j$sB|j$rt'|j$|_nt'dt(D|_|j*sHtjj,r.tjj,j/d|_|j*r0|j*Dcgc] }t0| c}|j_|j$r8|j$Dcgc]}|j5dc}|j_tjj8|j_tjj<|j_ycc}wcc}w)z(Establish QUIC between proxy and server.Nrc3>K|]}|jdyw)rN)r)rr.s r"rz.TlsConfig.quic_start_server..s*TD4;;w+?*TsrRr) rrrr^r#r rrryrr r$rssl CERT_NONE verify_mode CERT_REQUIREDrrrkrrVrrbrrrrrrrca_file)rErPryrLrr.s r"quic_start_serverzTlsConfig.quic_start_serverxs    ) !113 )..**;*;<<<$-$5$5$<$<$-NN~~~ ;; # #-0]]I   *-0->->I   * :: 8v~~a'8FJ!!!!%*6+=+=%>"&+*TG*T%T"!!ckk&@&@!$!;!;!A!A#!FF    282D2D0(. F#0I   ,   171C1C1)- G$1I   - &)[[%T%T "%([[%O%O "01s I9<I>c&|jdy)Nconfdir) configure)rEs r"runningzTlsConfig.runnings y!r!cVd|vs d|vs d|vsd|vrtjjtjj }t jj|ttjjtjjr)tjjjdnd|_ |jjjrt!j"dtjj D]}|j%dd }t'|d k(rd |d g}t)|d j}|j+st-j.d | |jj1|d |tjjr)tjjjdnd d|vsd|vrStjj4tjj6fD]}| t9j:|yy#t2$r!}t-j.d|d||d}~wwxYw#t<$r}t-j.d||d}~wwxYw)Nr rkey_sizecert_passphraseutf8)rbasenamer passphraseaThe mitmproxy certificate authority has expired! Please delete all CA-related files in your ~/.mitmproxy folder. The CA will be regenerated automatically after restarting mitmproxy. See https://docs.mitmproxy.org/stable/concepts-certificates/ for additional help.=r*rz!Certificate file does not exist: )rzInvalid certificate format for z: r=r>zInvalid ECDH curve: )rrrr r$rr CertStore from_storerrrrr2 default_ca has_expiredloggingwarningrbrtrexistsr OptionsError add_cert_filerr=r>r get_elliptic_curve Exception)rEupdatedcertstore_pathcertspecpartsrnerWs r"rzTlsConfig.configuresX w G#W$ G+WW// 0C0CDN"__77#&--;;..;;66==fE 8DN~~((446h KK--  sA.u:? %(OEE!H~002{{}$11;D6B NN00a;;66$';;#>#>#E#Ef#M! 1 . #g -1HG1S 11 11 ! )!11*= !2T "$119$r!E%!(552:.A !!s1A$I;J I>I99I> J( J##J(rOcxg}d}tjjr|jjr||jjd}|j r$|j t|j |j|j|jr |j}|jjr/|j t|jjn1|j t|jjd|jjr1|j t|jjdtt j#|}t%d|Dd}|j&j)|||S)z This function determines the Common Name (CN), Subject Alternative Names (SANs) and Organization Name our certificate should have and then fetches a matching cert from the certstore. Nrc3FK|]}t|jyw)N)r@valuers r"rz%TlsConfig.get_cert..s2A3qww<2s!)r r$ upstream_certrLrecnappend_ip_or_dns_nameextendaltnames organizationryrsocknamerlistdictfromkeysnextr2r`)rErOrrrrs r"r`zTlsConfig.get_certsL ,.#'  ;; $ $)<)<)M)M(//@@CM 0@0@ AB OOM22 3)),99     " " OOOL,?,?,C,CD E OOOL,?,?,H,H,KL M    & & OOOL,?,?,G,G,JK L h/022D 9~~&&r8\BBr!)rrr__doc__r2r rrrHrClientHelloDatarITlsDatar|rr QuicTlsDatarrrrrContextCertStoreEntryr`r r!r"r1r1as"&Iu% * X s/B/B =.#++=.$=.~f/#++f/$f/P' 4+;+;' ' R,P4+;+;,P,P\" :!x!CW__!C9M9M!Cr!r1valc tj|}tj|S#t$r5tj |j djcYSwxYw)zFConvert a string into either an x509.IPAddress or x509.DNSName object.r)rrr IPAddressrDNSNamerr)rrs r"rr sZ"  ! !# &~~b!! 9||CJJv.557889s,;A*)A*)0rrrrpathlibrtypingrraioquic.h3.connectionr aioquic.tlsr cryptographyrOpenSSLr r mitmproxyr r r rr mitmproxy.netrAmitmproxy.optionsrmitmproxy.proxyrmitmproxy.proxy.layersrrr)rcr$X509_CHECK_FLAG_NO_PARTIAL_WILDCARDSgetattrrrrlrrr/r1r@ GeneralNamerr r!r"r s )#  (+#('3 >HH11 chh=qAB i ,s~~,U ,,2gCgCT ""!1!1"r!