@OOf+cddlZddlZddlmZddlmZddlmZddlmZddlm Z ddlm Z ddl m Z dd l mZdd l mZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZddlm Z ddlm!Z!ddl"m#Z#de$dee$fdZ%de$de$dzfdZ&de$dedzfdZ'de$dee$fdZ(de$de$dzfdZ)de$dedzfd Z*d!Z+d"e+zZ,eGd#d$eZ-eGd%d&eZ.eGd'd(eZ/eGd)d*eZ0eGd+d,eZ1eGd-d.eZ2eGd/d0eZ3Gd1d2ejhZ5Gd3d4e5Z6Gd5d6e5Z7Gd7d8e5Z8y)9N)Iterator) dataclass)DEBUG)ERROR)INFO)WARNING)SSL)certs) connection)starts_like_dtls_record)starts_like_tls_record)commands)context)events)layer)tunnel) StartHook)tcp)udp) ClientHello)ClientHelloData)TlsData)humandatareturnc#"Kd} t||dzkry|||dz}t|std|dtjd|ddd}|dk(r td|dz }t|||zkry||||z}|||z }w) Returns a generator that yields the bytes contained in each handshake record. This will raise an error on the first non-handshake record, so fully exhausting this generator is a bad idea. rNzExpected TLS record, got instead.!HRecord must not be empty.)lenr ValueErrorstructunpackroffset record_header record_size record_bodys [/var/www/premiumrankchecker/venv/lib/python3.12/site-packages/mitmproxy/proxy/layers/tls.pyhandshake_record_contentsr-s F  t9vz ! Vfqj1 %m488IST TmmD-*;O4O PQR SVW W < $55#$6%677 8 r0cvt|}|r t|ddSy#t$r}td|d}~wwxYw) Check if the supplied bytes contain a full ClientHello message, and if so, parse it. Returns: - A ClientHello object on success - None, if the TLS record is not complete Raises: - A ValueError, if the passed ClientHello is invalid r1NInvalid ClientHello)r9rEOFErrorr$rr6es r,parse_client_hellor@FsM$D)L ;|AB/0 0  ;23 : ;s  8 38c#"Kd} t||dzkry|||dz}t|std|dtjd|ddd}|dk(r td|dz }t|||zkry||||z}|||z }w) rr NzExpected DTLS record, got rr r")r#r r$r%r&r's r,dtls_handshake_record_contentsrD\s F  t9v{ " Vfrk2 &}59-9J)TU UmmD-*<=a@ ! 89 9"  t9v + + 6F[$89 +# r.cd}t|D]M}||z }t|dk\stjdd|ddzddz}t||k\sH|d|cSy) z Read all DTLS records that contain the initial ClientHello. Returns the raw handshake packet bytes, without TLS record headers. r0rBr2r3 rN)rDr#r%r&r5s r,get_dtls_client_hellorHws L +D 18 |  " dGl1R.@$@A!DrI < $55#$6%6778 r0czt|}|r t|dddSy#t$r}td|d}~wwxYw)r;rGNT)dtlsr<)rHrr=r$r>s r,dtls_parse_client_hellorKsO).L ;|BC0t< <  ;23 : ;s : 5:)shttp/1.1shttp/1.0shttp/0.9)sh2ceZdZUdZeed<y)TlsClienthelloHookz Mitmproxy has received a TLS ClientHello message. This hook decides whether a server connection is needed to negotiate TLS with the client (data.establish_server_tls_first) rN)__name__ __module__ __qualname____doc__r__annotations__r0r,rMrMs r0rMceZdZUdZeed<y)TlsStartClientHookz TLS negotation between mitmproxy and a client is about to start. An addon is expected to initialize data.ssl_conn. (by default, this is done by `mitmproxy.addons.tlsconfig`) rNrNrOrPrQrrRrSr0r,rUrU Mr0rUceZdZUdZeed<y)TlsStartServerHookz TLS negotation between mitmproxy and a server is about to start. An addon is expected to initialize data.ssl_conn. (by default, this is done by `mitmproxy.addons.tlsconfig`) rNrVrSr0r,rYrYrWr0rYceZdZUdZeed<y)TlsEstablishedClientHookzL The TLS handshake with the client has been completed successfully. rNrVrSr0r,r[r[ Mr0r[ceZdZUdZeed<y)TlsEstablishedServerHookzL The TLS handshake with the server has been completed successfully. rNrVrSr0r,r^r^r\r0r^ceZdZUdZeed<y)TlsFailedClientHookz7 The TLS handshake with the client has failed. rNrVrSr0r,r`r`r\r0r`ceZdZUdZeed<y)TlsFailedServerHookz7 The TLS handshake with the server has failed. rNrVrSr0r,rbrbr\r0rbceZdZUdZej ed< dejde j ffd Z fdZ e dZ e dZd ej dfd Zd ej dfd Zd ed ej eeedzffd Zded ej dffd Zd ed ej dfdZd ej dffd Zd ed ej dfdZdej:d ej dffd ZxZS)TLSLayerNtlsrconnc8t||||d|_y)N)tunnel_connectionrfT)super__init__reselfrrf __class__s r,rjzTLSLayer.__init__s'  "  r0ct|jdd|jjd|jj dS)N) )ri__repr__replacerfsnialpnrlrms r,rqzTLSLayer.__repr__sB G   & &sa /@$))..ASST,U V r0c4|jjdk(S)Nr)rftransport_protocolrls r,is_dtlszTLSLayer.is_dtlssyy++u44r0c"|jrdSdS)NDTLSTLSryrxs r, proto_namezTLSLayer.proto_namesv050r0rc#K|jrJt|j|j|j}|j|jj k(rt |n t||jsLtjd|jdttj|jy|jsJ|j|_yw)Nr}zNo z* context was provided, failing connection.)rerrfrryclientrUrYssl_connrLogr~rCloseConnection)rl tls_starts r, start_tlszTLSLayer.start_tlss88|DIIt||T\\J 99 ++ +$Y/ /$Y/ /!!,,doo&&PQSX **4995 5 !!!!%%sC1C3c#K |jjd}tj|j|?#t j $rYywxYww)N)rebio_readrSendDatarfr WantReadErrorrlrs r, tls_interactzTLSLayer.tls_interactsY 9xx((/'' 488 $$  s'AA#AAAAArc#K|r|jj| |jj|jjxsg}|j|j j k(r.|jj}|r|jd|tj|j_ |jj|j_ |Dcgc]!}tjj|#c}|j_|jj#|j_|jj'|j_|j*r5t-j.|j*d|jt0|j|j j k(r7t3t5|j|j |jn6t7t5|j|j |j|j9dEd{ycc}w7 #t:j<$r|j?Ed{7Yyt:j@$r'}|jBxrBtE|jBdtFxr#|jBdxr|jBdd}|dvrt:jHjK|jjL}t:jNjQt:jHjS|jU}d|} nB|d vrtE|tVsJ|d } n&|d vr|dd jYrd } n |dvrd} nd|} d| fcYd}~Sd}~wwxYww)Nrz[tls] tls established: r0TNFN)) SSL routinestls_process_server_certificatecertificate verify failed)rrzCertificate verify failed: ))rssl3_read_bytestlsv1 alert unknown ca)rrsslv3 alert bad certificate)rrssl/tls alert bad certificate)rrr)rrr)rrr))rssl3_get_recordwrong version number)rrr)rrzpacket length too long)rrzrecord layer failurer1z%The remote server does not speak TLS.))rrtlsv1 alert protocol version)rrrzThe remote server and mitmproxy cannot agree on a TLS version to use. You may need to adjust mitmproxy's tls_version_server_min option.zOpenSSL F)-re bio_write do_handshakeget_peer_cert_chainrfrrget_peer_certificateinserttimetimestamp_tls_setupget_alpn_proto_negotiatedrtr Certfrom_pyopensslcertificate_listget_cipher_namecipherget_protocol_version_name tls_versiondebugrrrr[rr^ receive_datar rrErrorargs isinstancelist_libSSL_get_verify_result_ssl_ffistringX509_verify_cert_error_stringdecodetupleisascii) rlr all_certscertxr?last_err verify_resulterrorerrs r,receive_handshake_datazTLSLayer.receive_handshake_data"s,  HH  t $X  HH ! ! #z446<"IyyDLL///xx446$$Q-,0IIKDII )!XX??ADIIN6?*12 ))!,*DII & $xx779DII $(HH$F$F$HDII !zzllzzl"9$))EuyyDLL///.DIIt||TXX>/DIIt||TXX>((- - -%*" .k   ((* * *yy1 V:affQi6V166!9VPQSU !$ > >txx}} M HH::=I&(4E7;"(E222qk!H$$&= X !&#: c1 sfO!I6B?O!:&I/ E O!)I4* O!6&OJO"O!$O7DOOO!OO!rc#K||j_|j|jjk(r7t t |j|j|j n6tt |j|j|j t|%|Ed{y7wN) rfrrrr`rrerbrion_handshake_errorrlrrms r,rzTLSLayer.on_handshake_errors{  99 ++ +%gdiitxx&PQ Q%gdiitxx&PQ Q7-c222sB4B?7B=8B?c#K|r|jj||jEd{t}d} |j |jj d,7=#t j$rYnTt j$rd}Yn>t j$r)}tjd|tYd}~nd}~wwxYw|rA|jtj|j t#|Ed{7|r|j xj$t&j(j*zc_|j,r5tj|j,d|j t.|jtj0|j Ed{7yyw)NFTrz TLS Error: z[tls] close_notify )rerr bytearrayextendrecvr rZeroReturnErrorrrrrevent_to_childr DataReceivedrfbytesstater ConnectionStateCAN_READrrConnectionClosed)rlr plaintextcloser?s r,rzTLSLayer.receive_datasq  HH  t $$$&&&K    u!56 '$$ && 99  ll[#4g>>  **##DIIuY/?@    IIOO : : C CC COzzlldjj\1DTYYK#PRWXX**6+B+B499+MN N N sk1GA1G*A30G3CGCGC0CGCAGDB1G G Gc#K|jjtjzryt|Ed{y7wr)re get_shutdownr RECEIVED_SHUTDOWNri receive_closerus r,rzTLSLayer.receive_closes6 88 "S%:%: : w,. . .s>A AA c#K |jj||j Ed{y#tjtjf$rY>wxYw7.wr)resendallr r SysCallErrorrrs r, send_datazTLSLayer.send_datas[  HH  T "$$&&&##S%5%56    's/A#8A#A!A##AA#AA#commandc#@Kt||Ed{y7wr)ri send_close)rlrrms r,rzTLSLayer.send_closes7%g...s ) rNrOrPrer ConnectionrRrContextr rjrqpropertyryr~rCommandGeneratorrrrrboolstrrrrrrrrr __classcell__rms@r,rdrds^C'z7L7L 5511&511$7&"9e44T:9^^   dC$J&6 7 8^@3c3e.D.DT.J3OO5+A+A$+GOB/u55d;/ 'e'(>(>t(D'////    %//r0rdceZdZUdZdZeed<ddejde jdzffd Z de jdfd Zd ej de jdffd Zd ede jdffd ZxZS)ServerTLSLayerzD This layer establishes TLS for a single server connection. Fwait_for_clienthelloNrrfcBt|||xs |jyr)rirjserverrks r,rjzServerTLSLayer.__init__s $"8'..9r0rc#4K|j xrt|jt}|r'd|_t j j|_y|jEd{|jr|jdEd{yy7+7w)NTr0) command_to_reply_tor child_layerClientTLSLayerrr TunnelStateCLOSED tunnel_staterrer)rlrs r,start_handshakezServerTLSLayer.start_handshakes(( ( = 4++^<  (,D % & 2 2 9 9D ~~' ' 'xx66s;;; (;s$A&B(B)$B BBBeventc#K|jrTt| |D]A}t|tj r!|j |jk(rd|_>|Cyt| |Ed{y7w)NF)rrirrrOpenConnectionr rf)rlrrrms r,rzServerTLSLayer.event_to_childso  $ $ 71%8 "w(?(?@**dii705D-"M "w-e4 4 4sA3A>6A<7A>rc#Ktjd|tt||Ed{y7w)NzServer TLS handshake failed. level)rrrrirrs r,rz!ServerTLSLayer.on_handshake_errors3ll:3%@PP7-c222s 3><>r)rNrOrPrQrrrRrrr ServerrjrrrrEventrrrrrs@r,rrs"'$&::z7H7H47O:<!7!7!=<& 5FLL 5U5K5KD5Q 53c3e.D.DT.J33r0rc\eZdZUdZeed<eed<dZeed<dejffd Z de jd fd Z d ede jeeed zfffd Zde jed zfd Zdede jd ffd Zdej*de jd fdZxZS)ru This layer establishes TLS on a single client connection. ┌─────┐ │Start│ └┬────┘ ↓ ┌────────────────────┐ │Wait for ClientHello│ └┬───────────────────┘ ↓ ┌────────────────┐ │Process messages│ └────────────────┘ recv_bufferserver_tls_availableFclient_hello_parsedrc|jjrd|j_d|j_d|j_d|j_d|j_g|j_d|j_g|j_ g|j_ t|1||jt|jjdt |_t%|_y)N)rrertrrsrrrmitmcert alpn_offers cipher_listrirjrrlayersrrrr)rlrrms r,rjzClientTLSLayer.__init__s >>  #'GNN $(GNN !!%GNN 15GNN .)-GNN &.0GNN +&*GNN #)+GNN &)+GNN & '..1$.t||/B/B2/F$W!$;r0rNc#$KdEd{y7w)NrSrSrxs r,rzClientTLSLayer.start_handshakes  s rc #K|jrt| |Ed{S|jj | |j rt |j}nt|j}|rd|_ny|j|j_ |j|j_ t|j|}t!||j"r\t%j&ddx|_ |_|jj*|jj*j-|dz }t/|t0r"t%j2dx|_ |_|j r't5j6|jd |_n&t;j<|jd |_|j?tAjB|jjDtG|jEd{|jjIy |jJro|jjLjNsO|jQEd{}|r5tSjTd |jVd |d |jVd|jYEd{|jjZsyt| tG|jEd{}|jjI|S7#t$r"dd|jjfcYSwxYw7A777Xw)NFzCannot parse ClientHello: Tr)z ignore-connr)peernamesocknamer4address)ignorerzUnable to establish z connection with server (z). Trying to establish z with client anyway. If you plan to redirect requests away from this server, consider setting `connection_strategy` to `lazy` to suppress early connections.)Fconnection closed early).rrirrrryrKr@r$hexrsrfalpn_protocolsrrrrMignore_connectionr ClientrhrindexrrrrUDPLayerrrTCPLayerrrrrrclearestablish_server_tls_firstrtls_establishedstart_server_tlsrrr~r connected)rlrr6tls_clienthello parent_layerrretrms r,rz%ClientTLSLayer.receive_handshake_datas  # #$w=dCC D % P||6t7G7GH 1$2B2BC  '+D $$(( , ; ; )$,, E 11  , ,2<1B1B+6H2 DI. <<..t||/B/B/H/H/NQR/RSL,7EOEVEV F !L$B||#&<< T#J #&<< T#J **##DLL$7$7t?O?O9PQ      " " $  6 6LL''77!2244Cll*4??*;;TUXTYZ++/??*;>###yy""37d>N>N8OPP   wD P6t7G7G7K7K7M6NOO O P8 5 $QsyM1L7M17L::F-M1'M((AM1M+AM1M-AM1M/!M1:(M%"M1$M%%M1+M1-M1/M1c#K|jsd|jdStj|jj }|Sw)z We often need information from the upstream connection to establish TLS with the client. For example, we need to check if the client does ALPN or not. z No server z available.)rr~rrrr)rlrs r,rzClientTLSLayer.start_server_tls`sG ((0 < <++DLL,?,?@@ sA A rc#K|jjr|jj}n3tj|jj j }t}|jdrnBd|vsd|vrd}n7d|vsd|vsd|vr d|d |d }n!|d k(r d |d }t}n|dk(rn d|d |d }|dk7rtjd||t|5|Ed{|j|_y7w)NzCannot parse ClientHellozO('SSL routines', 'tls_early_post_process_client_hello', 'unsupported protocol')z,('SSL routines', '', 'unsupported protocol')z|Client and mitmproxy cannot agree on a TLS version to use. You may need to adjust mitmproxy's tls_version_client_min option.z unknown cazbad certificatezcertificate unknownz6The client does not trust the proxy's certificate for z (rozconnection closedzOThe client disconnected during the handshake. If this happens consistently for zK, this may indicate that the client does not trust the proxy's certificate.rz5The client may not trust the proxy's certificate for zClient TLS handshake failed. r)rfrsrformat_addressrrr r startswithrrrrirerroredr)rlrdestrrms r,rz!ClientTLSLayer.on_handshake_errorjs? 99==99==D'' (;(;(C(CDD >>4 5  ] =DT  C  C'$+IbQTPUUVW ' 'abfagh\] E - - I$rRUQVVWXC + +,,!>seDER R7-c222"ll 3sC.D 1D2D rc#~K|j-tj|jd|dtyyw)Nz[tls] Swallowing z as handshake failed.)rrrr)rlrs r,r"zClientTLSLayer.erroreds> :: !,,::,/w6KLe  "s;=)rNrOrPrQrrRrrrrrjrrrrrrrrrrrr"rrs@r,rrs" %%'',!7!7!=??   dC$J&6 7 8?B%"8"8t"D&+c&+e.D.DT.J&+PV\\e.D.DT.Jr0rc<eZdZdZdej ffd ZxZS) MockTLSLayerzMock layer to disable actual TLS and use cleartext in tests. Use like so: monkeypatch.setattr(tls, "ServerTLSLayer", tls.MockTLSLayer) ctxcNt||tjdy)Nr )rirjr r)rlr'rms r,rjzMockTLSLayer.__init__s j//=>r0)rNrOrPrQrrrjrrs@r,r&r&s ?GOO??r0r&)9r%rcollections.abcr dataclassesrloggingrrrrOpenSSLr mitmproxyr r mitmproxy.net.tlsr r mitmproxy.proxyrrrrrmitmproxy.proxy.commandsrmitmproxy.proxy.layersrr mitmproxy.tlsrrrmitmproxy.utilsrrr-r9r@rDrHrK HTTP1_ALPNS HTTP_ALPNSrMrUrYr[r^r`rb TunnelLayerrdrrr&rSr0r,r7s $! 54$#"!".&&%)!!Ehuo2 5 UT\ U{T'9,8E?6%$,$%K$,>,6  #        y  y  )  ) O/v!!O/d-3X-3`fXfR?8?r0