summaryrefslogtreecommitdiffstats
path: root/services/fxaccounts/FxAccountsPairingChannel.js
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--services/fxaccounts/FxAccountsPairingChannel.js3658
1 files changed, 3658 insertions, 0 deletions
diff --git a/services/fxaccounts/FxAccountsPairingChannel.js b/services/fxaccounts/FxAccountsPairingChannel.js
new file mode 100644
index 0000000000..27a346afad
--- /dev/null
+++ b/services/fxaccounts/FxAccountsPairingChannel.js
@@ -0,0 +1,3658 @@
+/*!
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * The following bundle is from an external repository at github.com/mozilla/fxa-pairing-channel,
+ * it implements a shared library for two javascript environments to create an encrypted and authenticated
+ * communication channel by sharing a secret key and by relaying messages through a websocket server.
+ *
+ * It is used by the Firefox Accounts pairing flow, with one side of the channel being web
+ * content from https://accounts.firefox.com and the other side of the channel being chrome native code.
+ *
+ * This uses the event-target-shim node library published under the MIT license:
+ * https://github.com/mysticatea/event-target-shim/blob/master/LICENSE
+ *
+ * Bundle generated from https://github.com/mozilla/fxa-pairing-channel.git. Hash:348f3cf3e80cf7f54f9e, Chunkhash:d34c4d4ec81a46304a5d.
+ *
+ */
+
+const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
+const {setTimeout} = ChromeUtils.import("resource://gre/modules/Timer.jsm");
+// We cannot use WebSocket from chrome code without a window,
+// see https://bugzilla.mozilla.org/show_bug.cgi?id=784686
+const browser = Services.appShell.createWindowlessBrowser(true);
+const {WebSocket} = browser.document.ownerGlobal;
+
+const EXPORTED_SYMBOLS = ["FxAccountsPairingChannel"];
+
+var FxAccountsPairingChannel =
+/******/ (function(modules) { // webpackBootstrap
+/******/ // The module cache
+/******/ var installedModules = {};
+/******/
+/******/ // The require function
+/******/ function __webpack_require__(moduleId) {
+/******/
+/******/ // Check if module is in cache
+/******/ if(installedModules[moduleId]) {
+/******/ return installedModules[moduleId].exports;
+/******/ }
+/******/ // Create a new module (and put it into the cache)
+/******/ var module = installedModules[moduleId] = {
+/******/ i: moduleId,
+/******/ l: false,
+/******/ exports: {}
+/******/ };
+/******/
+/******/ // Execute the module function
+/******/ modules[moduleId].call(module.exports, module, module.exports, __webpack_require__);
+/******/
+/******/ // Flag the module as loaded
+/******/ module.l = true;
+/******/
+/******/ // Return the exports of the module
+/******/ return module.exports;
+/******/ }
+/******/
+/******/
+/******/ // expose the modules object (__webpack_modules__)
+/******/ __webpack_require__.m = modules;
+/******/
+/******/ // expose the module cache
+/******/ __webpack_require__.c = installedModules;
+/******/
+/******/ // define getter function for harmony exports
+/******/ __webpack_require__.d = function(exports, name, getter) {
+/******/ if(!__webpack_require__.o(exports, name)) {
+/******/ Object.defineProperty(exports, name, { enumerable: true, get: getter });
+/******/ }
+/******/ };
+/******/
+/******/ // define __esModule on exports
+/******/ __webpack_require__.r = function(exports) {
+/******/ if(typeof Symbol !== 'undefined' && Symbol.toStringTag) {
+/******/ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+/******/ }
+/******/ Object.defineProperty(exports, '__esModule', { value: true });
+/******/ };
+/******/
+/******/ // create a fake namespace object
+/******/ // mode & 1: value is a module id, require it
+/******/ // mode & 2: merge all properties of value into the ns
+/******/ // mode & 4: return value when already ns object
+/******/ // mode & 8|1: behave like require
+/******/ __webpack_require__.t = function(value, mode) {
+/******/ if(mode & 1) value = __webpack_require__(value);
+/******/ if(mode & 8) return value;
+/******/ if((mode & 4) && typeof value === 'object' && value && value.__esModule) return value;
+/******/ var ns = Object.create(null);
+/******/ __webpack_require__.r(ns);
+/******/ Object.defineProperty(ns, 'default', { enumerable: true, value: value });
+/******/ if(mode & 2 && typeof value != 'string') for(var key in value) __webpack_require__.d(ns, key, function(key) { return value[key]; }.bind(null, key));
+/******/ return ns;
+/******/ };
+/******/
+/******/ // getDefaultExport function for compatibility with non-harmony modules
+/******/ __webpack_require__.n = function(module) {
+/******/ var getter = module && module.__esModule ?
+/******/ function getDefault() { return module['default']; } :
+/******/ function getModuleExports() { return module; };
+/******/ __webpack_require__.d(getter, 'a', getter);
+/******/ return getter;
+/******/ };
+/******/
+/******/ // Object.prototype.hasOwnProperty.call
+/******/ __webpack_require__.o = function(object, property) { return Object.prototype.hasOwnProperty.call(object, property); };
+/******/
+/******/ // __webpack_public_path__
+/******/ __webpack_require__.p = "";
+/******/
+/******/
+/******/ // Load entry module and return exports
+/******/ return __webpack_require__(__webpack_require__.s = 0);
+/******/ })
+/************************************************************************/
+/******/ ([
+/* 0 */
+/***/ (function(module, __webpack_exports__, __webpack_require__) {
+
+"use strict";
+__webpack_require__.r(__webpack_exports__);
+
+// CONCATENATED MODULE: ./src/alerts.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* eslint-disable sorting/sort-object-props */
+const ALERT_LEVEL = {
+ WARNING: 1,
+ FATAL: 2
+};
+
+const ALERT_DESCRIPTION = {
+ CLOSE_NOTIFY: 0,
+ UNEXPECTED_MESSAGE: 10,
+ BAD_RECORD_MAC: 20,
+ RECORD_OVERFLOW: 22,
+ HANDSHAKE_FAILURE: 40,
+ ILLEGAL_PARAMETER: 47,
+ DECODE_ERROR: 50,
+ DECRYPT_ERROR: 51,
+ PROTOCOL_VERSION: 70,
+ INTERNAL_ERROR: 80,
+ MISSING_EXTENSION: 109,
+ UNSUPPORTED_EXTENSION: 110,
+ UNKNOWN_PSK_IDENTITY: 115,
+ NO_APPLICATION_PROTOCOL: 120,
+};
+/* eslint-enable sorting/sort-object-props */
+
+function alertTypeToName(type) {
+ for (const name in ALERT_DESCRIPTION) {
+ if (ALERT_DESCRIPTION[name] === type) {
+ return `${name} (${type})`;
+ }
+ }
+ return `UNKNOWN (${type})`;
+}
+
+class TLSAlert extends Error {
+ constructor(description, level) {
+ super(`TLS Alert: ${alertTypeToName(description)}`);
+ this.description = description;
+ this.level = level;
+ }
+
+ static fromBytes(bytes) {
+ if (bytes.byteLength !== 2) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ switch (bytes[1]) {
+ case ALERT_DESCRIPTION.CLOSE_NOTIFY:
+ if (bytes[0] !== ALERT_LEVEL.WARNING) {
+ // Close notifications should be fatal.
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ return new TLSCloseNotify();
+ default:
+ return new TLSError(bytes[1]);
+ }
+ }
+
+ toBytes() {
+ return new Uint8Array([this.level, this.description]);
+ }
+}
+
+class TLSCloseNotify extends TLSAlert {
+ constructor() {
+ super(ALERT_DESCRIPTION.CLOSE_NOTIFY, ALERT_LEVEL.WARNING);
+ }
+}
+
+class TLSError extends TLSAlert {
+ constructor(description = ALERT_DESCRIPTION.INTERNAL_ERROR) {
+ super(description, ALERT_LEVEL.FATAL);
+ }
+}
+
+// CONCATENATED MODULE: ./src/utils.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+
+
+//
+// Various low-level utility functions.
+//
+// These are mostly conveniences for working with Uint8Arrays as
+// the primitive "bytes" type.
+//
+
+const UTF8_ENCODER = new TextEncoder();
+const UTF8_DECODER = new TextDecoder();
+
+function noop() {}
+
+function assert(cond, msg) {
+ if (! cond) {
+ throw new Error('assert failed: ' + msg);
+ }
+}
+
+function assertIsBytes(value, msg = 'value must be a Uint8Array') {
+ // Using `value instanceof Uint8Array` seems to fail in Firefox chrome code
+ // for inscrutable reasons, so we do a less direct check.
+ assert(ArrayBuffer.isView(value), msg);
+ assert(value.BYTES_PER_ELEMENT === 1, msg);
+ return value;
+}
+
+const EMPTY = new Uint8Array(0);
+
+function zeros(n) {
+ return new Uint8Array(n);
+}
+
+function arrayToBytes(value) {
+ return new Uint8Array(value);
+}
+
+function bytesToHex(bytes) {
+ return Array.prototype.map.call(bytes, byte => {
+ let s = byte.toString(16);
+ if (s.length === 1) {
+ s = '0' + s;
+ }
+ return s;
+ }).join('');
+}
+
+function hexToBytes(hexstr) {
+ assert(hexstr.length % 2 === 0, 'hexstr.length must be even');
+ return new Uint8Array(Array.prototype.map.call(hexstr, (c, n) => {
+ if (n % 2 === 1) {
+ return hexstr[n - 1] + c;
+ } else {
+ return '';
+ }
+ }).filter(s => {
+ return !! s;
+ }).map(s => {
+ return parseInt(s, 16);
+ }));
+}
+
+function bytesToUtf8(bytes) {
+ return UTF8_DECODER.decode(bytes);
+}
+
+function utf8ToBytes(str) {
+ return UTF8_ENCODER.encode(str);
+}
+
+function bytesToBase64url(bytes) {
+ // XXX TODO: try to use something constant-time, in case calling code
+ // uses it to encode secrets?
+ const charCodes = String.fromCharCode.apply(String, bytes);
+ return btoa(charCodes).replace(/\+/g, '-').replace(/\//g, '_');
+}
+
+function base64urlToBytes(str) {
+ // XXX TODO: try to use something constant-time, in case calling code
+ // uses it to decode secrets?
+ str = atob(str.replace(/-/g, '+').replace(/_/g, '/'));
+ const bytes = new Uint8Array(str.length);
+ for (let i = 0; i < str.length; i++) {
+ bytes[i] = str.charCodeAt(i);
+ }
+ return bytes;
+}
+
+function bytesAreEqual(v1, v2) {
+ assertIsBytes(v1);
+ assertIsBytes(v2);
+ if (v1.length !== v2.length) {
+ return false;
+ }
+ for (let i = 0; i < v1.length; i++) {
+ if (v1[i] !== v2[i]) {
+ return false;
+ }
+ }
+ return true;
+}
+
+// The `BufferReader` and `BufferWriter` classes are helpers for dealing with the
+// binary struct format that's used for various TLS message. Think of them as a
+// buffer with a pointer to the "current position" and a bunch of helper methods
+// to read/write structured data and advance said pointer.
+
+class utils_BufferWithPointer {
+ constructor(buf) {
+ this._buffer = buf;
+ this._dataview = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
+ this._pos = 0;
+ }
+
+ length() {
+ return this._buffer.byteLength;
+ }
+
+ tell() {
+ return this._pos;
+ }
+
+ seek(pos) {
+ if (pos < 0) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ if (pos > this.length()) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ this._pos = pos;
+ }
+
+ incr(offset) {
+ this.seek(this._pos + offset);
+ }
+}
+
+// The `BufferReader` class helps you read structured data from a byte array.
+// It offers methods for reading both primitive values, and the variable-length
+// vector structures defined in https://tools.ietf.org/html/rfc8446#section-3.4.
+//
+// Such vectors are represented as a length followed by the concatenated
+// bytes of each item, and the size of the length field is determined by
+// the maximum allowed number of bytes in the vector. For example
+// to read a vector that may contain up to 65535 bytes, use `readVector16`.
+//
+// To read a variable-length vector of between 1 and 100 uint16 values,
+// defined in the RFC like this:
+//
+// uint16 items<2..200>;
+//
+// You would do something like this:
+//
+// const items = []
+// buf.readVector8(buf => {
+// items.push(buf.readUint16())
+// })
+//
+// The various `read` will throw `DECODE_ERROR` if you attempt to read path
+// the end of the buffer, or past the end of a variable-length list.
+//
+class utils_BufferReader extends utils_BufferWithPointer {
+
+ hasMoreBytes() {
+ return this.tell() < this.length();
+ }
+
+ readBytes(length) {
+ // This avoids copies by returning a view onto the existing buffer.
+ const start = this._buffer.byteOffset + this.tell();
+ this.incr(length);
+ return new Uint8Array(this._buffer.buffer, start, length);
+ }
+
+ _rangeErrorToAlert(cb) {
+ try {
+ return cb(this);
+ } catch (err) {
+ if (err instanceof RangeError) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ throw err;
+ }
+ }
+
+ readUint8() {
+ return this._rangeErrorToAlert(() => {
+ const n = this._dataview.getUint8(this._pos);
+ this.incr(1);
+ return n;
+ });
+ }
+
+ readUint16() {
+ return this._rangeErrorToAlert(() => {
+ const n = this._dataview.getUint16(this._pos);
+ this.incr(2);
+ return n;
+ });
+ }
+
+ readUint24() {
+ return this._rangeErrorToAlert(() => {
+ let n = this._dataview.getUint16(this._pos);
+ n = (n << 8) | this._dataview.getUint8(this._pos + 2);
+ this.incr(3);
+ return n;
+ });
+ }
+
+ readUint32() {
+ return this._rangeErrorToAlert(() => {
+ const n = this._dataview.getUint32(this._pos);
+ this.incr(4);
+ return n;
+ });
+ }
+
+ _readVector(length, cb) {
+ const contentsBuf = new utils_BufferReader(this.readBytes(length));
+ const expectedEnd = this.tell();
+ // Keep calling the callback until we've consumed the expected number of bytes.
+ let n = 0;
+ while (contentsBuf.hasMoreBytes()) {
+ const prevPos = contentsBuf.tell();
+ cb(contentsBuf, n);
+ // Check that the callback made forward progress, otherwise we'll infinite loop.
+ if (contentsBuf.tell() <= prevPos) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ n += 1;
+ }
+ // Check that the callback correctly consumed the vector's entire contents.
+ if (this.tell() !== expectedEnd) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ }
+
+ readVector8(cb) {
+ const length = this.readUint8();
+ return this._readVector(length, cb);
+ }
+
+ readVector16(cb) {
+ const length = this.readUint16();
+ return this._readVector(length, cb);
+ }
+
+ readVector24(cb) {
+ const length = this.readUint24();
+ return this._readVector(length, cb);
+ }
+
+ readVectorBytes8() {
+ return this.readBytes(this.readUint8());
+ }
+
+ readVectorBytes16() {
+ return this.readBytes(this.readUint16());
+ }
+
+ readVectorBytes24() {
+ return this.readBytes(this.readUint24());
+ }
+}
+
+
+class utils_BufferWriter extends utils_BufferWithPointer {
+ constructor(size = 1024) {
+ super(new Uint8Array(size));
+ }
+
+ _maybeGrow(n) {
+ const curSize = this._buffer.byteLength;
+ const newPos = this._pos + n;
+ const shortfall = newPos - curSize;
+ if (shortfall > 0) {
+ // Classic grow-by-doubling, up to 4kB max increment.
+ // This formula was not arrived at by any particular science.
+ const incr = Math.min(curSize, 4 * 1024);
+ const newbuf = new Uint8Array(curSize + Math.ceil(shortfall / incr) * incr);
+ newbuf.set(this._buffer, 0);
+ this._buffer = newbuf;
+ this._dataview = new DataView(newbuf.buffer, newbuf.byteOffset, newbuf.byteLength);
+ }
+ }
+
+ slice(start = 0, end = this.tell()) {
+ if (end < 0) {
+ end = this.tell() + end;
+ }
+ if (start < 0) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ if (end < 0) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ if (end > this.length()) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ return this._buffer.slice(start, end);
+ }
+
+ flush() {
+ const slice = this.slice();
+ this.seek(0);
+ return slice;
+ }
+
+ writeBytes(data) {
+ this._maybeGrow(data.byteLength);
+ this._buffer.set(data, this.tell());
+ this.incr(data.byteLength);
+ }
+
+ writeUint8(n) {
+ this._maybeGrow(1);
+ this._dataview.setUint8(this._pos, n);
+ this.incr(1);
+ }
+
+ writeUint16(n) {
+ this._maybeGrow(2);
+ this._dataview.setUint16(this._pos, n);
+ this.incr(2);
+ }
+
+ writeUint24(n) {
+ this._maybeGrow(3);
+ this._dataview.setUint16(this._pos, n >> 8);
+ this._dataview.setUint8(this._pos + 2, n & 0xFF);
+ this.incr(3);
+ }
+
+ writeUint32(n) {
+ this._maybeGrow(4);
+ this._dataview.setUint32(this._pos, n);
+ this.incr(4);
+ }
+
+ // These are helpers for writing the variable-length vector structure
+ // defined in https://tools.ietf.org/html/rfc8446#section-3.4.
+ //
+ // Such vectors are represented as a length followed by the concatenated
+ // bytes of each item, and the size of the length field is determined by
+ // the maximum allowed size of the vector. For example to write a vector
+ // that may contain up to 65535 bytes, use `writeVector16`.
+ //
+ // To write a variable-length vector of between 1 and 100 uint16 values,
+ // defined in the RFC like this:
+ //
+ // uint16 items<2..200>;
+ //
+ // You would do something like this:
+ //
+ // buf.writeVector8(buf => {
+ // for (let item of items) {
+ // buf.writeUint16(item)
+ // }
+ // })
+ //
+ // The helper will automatically take care of writing the appropriate
+ // length field once the callback completes.
+
+ _writeVector(maxLength, writeLength, cb) {
+ // Initially, write the length field as zero.
+ const lengthPos = this.tell();
+ writeLength(0);
+ // Call the callback to write the vector items.
+ const bodyPos = this.tell();
+ cb(this);
+ const length = this.tell() - bodyPos;
+ if (length >= maxLength) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ // Backfill the actual length field.
+ this.seek(lengthPos);
+ writeLength(length);
+ this.incr(length);
+ return length;
+ }
+
+ writeVector8(cb) {
+ return this._writeVector(Math.pow(2, 8), len => this.writeUint8(len), cb);
+ }
+
+ writeVector16(cb) {
+ return this._writeVector(Math.pow(2, 16), len => this.writeUint16(len), cb);
+ }
+
+ writeVector24(cb) {
+ return this._writeVector(Math.pow(2, 24), len => this.writeUint24(len), cb);
+ }
+
+ writeVectorBytes8(bytes) {
+ return this.writeVector8(buf => {
+ buf.writeBytes(bytes);
+ });
+ }
+
+ writeVectorBytes16(bytes) {
+ return this.writeVector16(buf => {
+ buf.writeBytes(bytes);
+ });
+ }
+
+ writeVectorBytes24(bytes) {
+ return this.writeVector24(buf => {
+ buf.writeBytes(bytes);
+ });
+ }
+}
+
+// CONCATENATED MODULE: ./src/crypto.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+//
+// Low-level crypto primitives.
+//
+// This file implements the AEAD encrypt/decrypt and hashing routines
+// for the TLS_AES_128_GCM_SHA256 ciphersuite.
+//
+
+
+
+
+const AEAD_SIZE_INFLATION = 16;
+const KEY_LENGTH = 16;
+const IV_LENGTH = 12;
+const HASH_LENGTH = 32;
+
+async function prepareKey(key, mode) {
+ return crypto.subtle.importKey('raw', key, { name: 'AES-GCM' }, false, [mode]);
+}
+
+async function encrypt(key, iv, plaintext, additionalData) {
+ const ciphertext = await crypto.subtle.encrypt({
+ additionalData,
+ iv,
+ name: 'AES-GCM',
+ tagLength: AEAD_SIZE_INFLATION * 8
+ }, key, plaintext);
+ return new Uint8Array(ciphertext);
+}
+
+async function decrypt(key, iv, ciphertext, additionalData) {
+ try {
+ const plaintext = await crypto.subtle.decrypt({
+ additionalData,
+ iv,
+ name: 'AES-GCM',
+ tagLength: AEAD_SIZE_INFLATION * 8
+ }, key, ciphertext);
+ return new Uint8Array(plaintext);
+ } catch (err) {
+ // Yes, we really do throw 'decrypt_error' when failing to verify a HMAC,
+ // and a 'bad_record_mac' error when failing to decrypt.
+ throw new TLSError(ALERT_DESCRIPTION.BAD_RECORD_MAC);
+ }
+}
+
+async function hash(message) {
+ return new Uint8Array(await crypto.subtle.digest({ name: 'SHA-256' }, message));
+}
+
+async function hmac(keyBytes, message) {
+ const key = await crypto.subtle.importKey('raw', keyBytes, {
+ hash: { name: 'SHA-256' },
+ name: 'HMAC',
+ }, false, ['sign']);
+ const sig = await crypto.subtle.sign({ name: 'HMAC' }, key, message);
+ return new Uint8Array(sig);
+}
+
+async function verifyHmac(keyBytes, signature, message) {
+ const key = await crypto.subtle.importKey('raw', keyBytes, {
+ hash: { name: 'SHA-256' },
+ name: 'HMAC',
+ }, false, ['verify']);
+ if (! await crypto.subtle.verify({ name: 'HMAC' }, key, signature, message)) {
+ // Yes, we really do throw 'decrypt_error' when failing to verify a HMAC,
+ // and a 'bad_record_mac' error when failing to decrypt.
+ throw new TLSError(ALERT_DESCRIPTION.DECRYPT_ERROR);
+ }
+}
+
+async function hkdfExtract(salt, ikm) {
+ // Ref https://tools.ietf.org/html/rfc5869#section-2.2
+ return await hmac(salt, ikm);
+}
+
+async function hkdfExpand(prk, info, length) {
+ // Ref https://tools.ietf.org/html/rfc5869#section-2.3
+ const N = Math.ceil(length / HASH_LENGTH);
+ if (N <= 0) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ if (N >= 255) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ const input = new utils_BufferWriter();
+ const output = new utils_BufferWriter();
+ let T = new Uint8Array(0);
+ for (let i = 1; i <= N; i++) {
+ input.writeBytes(T);
+ input.writeBytes(info);
+ input.writeUint8(i);
+ T = await hmac(prk, input.flush());
+ output.writeBytes(T);
+ }
+ return output.slice(0, length);
+}
+
+async function hkdfExpandLabel(secret, label, context, length) {
+ // struct {
+ // uint16 length = Length;
+ // opaque label < 7..255 > = "tls13 " + Label;
+ // opaque context < 0..255 > = Context;
+ // } HkdfLabel;
+ const hkdfLabel = new utils_BufferWriter();
+ hkdfLabel.writeUint16(length);
+ hkdfLabel.writeVectorBytes8(utf8ToBytes('tls13 ' + label));
+ hkdfLabel.writeVectorBytes8(context);
+ return hkdfExpand(secret, hkdfLabel.flush(), length);
+}
+
+async function getRandomBytes(size) {
+ const bytes = new Uint8Array(size);
+ crypto.getRandomValues(bytes);
+ return bytes;
+}
+
+// CONCATENATED MODULE: ./src/extensions.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+//
+// Extension parsing.
+//
+// This file contains some helpers for reading/writing the various kinds
+// of Extension that might appear in a HandshakeMessage.
+//
+
+
+
+
+
+/* eslint-disable sorting/sort-object-props */
+const EXTENSION_TYPE = {
+ PRE_SHARED_KEY: 41,
+ SUPPORTED_VERSIONS: 43,
+ PSK_KEY_EXCHANGE_MODES: 45,
+};
+/* eslint-enable sorting/sort-object-props */
+
+// Base class for generic reading/writing of extensions,
+// which are all uniformly formatted as:
+//
+// struct {
+// ExtensionType extension_type;
+// opaque extension_data<0..2^16-1>;
+// } Extension;
+//
+// Extensions always appear inside of a handshake message,
+// and their internal structure may differ based on the
+// type of that message.
+
+class extensions_Extension {
+
+ get TYPE_TAG() {
+ throw new Error('not implemented');
+ }
+
+ static read(messageType, buf) {
+ const type = buf.readUint16();
+ let ext = {
+ TYPE_TAG: type,
+ };
+ buf.readVector16(buf => {
+ switch (type) {
+ case EXTENSION_TYPE.PRE_SHARED_KEY:
+ ext = extensions_PreSharedKeyExtension._read(messageType, buf);
+ break;
+ case EXTENSION_TYPE.SUPPORTED_VERSIONS:
+ ext = extensions_SupportedVersionsExtension._read(messageType, buf);
+ break;
+ case EXTENSION_TYPE.PSK_KEY_EXCHANGE_MODES:
+ ext = extensions_PskKeyExchangeModesExtension._read(messageType, buf);
+ break;
+ default:
+ // Skip over unrecognised extensions.
+ buf.incr(buf.length());
+ }
+ if (buf.hasMoreBytes()) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ });
+ return ext;
+ }
+
+ write(messageType, buf) {
+ buf.writeUint16(this.TYPE_TAG);
+ buf.writeVector16(buf => {
+ this._write(messageType, buf);
+ });
+ }
+
+ static _read(messageType, buf) {
+ throw new Error('not implemented');
+ }
+
+ static _write(messageType, buf) {
+ throw new Error('not implemented');
+ }
+}
+
+// The PreSharedKey extension:
+//
+// struct {
+// opaque identity<1..2^16-1>;
+// uint32 obfuscated_ticket_age;
+// } PskIdentity;
+// opaque PskBinderEntry<32..255>;
+// struct {
+// PskIdentity identities<7..2^16-1>;
+// PskBinderEntry binders<33..2^16-1>;
+// } OfferedPsks;
+// struct {
+// select(Handshake.msg_type) {
+// case client_hello: OfferedPsks;
+// case server_hello: uint16 selected_identity;
+// };
+// } PreSharedKeyExtension;
+
+class extensions_PreSharedKeyExtension extends extensions_Extension {
+ constructor(identities, binders, selectedIdentity) {
+ super();
+ this.identities = identities;
+ this.binders = binders;
+ this.selectedIdentity = selectedIdentity;
+ }
+
+ get TYPE_TAG() {
+ return EXTENSION_TYPE.PRE_SHARED_KEY;
+ }
+
+ static _read(messageType, buf) {
+ let identities = null, binders = null, selectedIdentity = null;
+ switch (messageType) {
+ case HANDSHAKE_TYPE.CLIENT_HELLO:
+ identities = []; binders = [];
+ buf.readVector16(buf => {
+ const identity = buf.readVectorBytes16();
+ buf.readBytes(4); // Skip over the ticket age.
+ identities.push(identity);
+ });
+ buf.readVector16(buf => {
+ const binder = buf.readVectorBytes8();
+ if (binder.byteLength < HASH_LENGTH) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ binders.push(binder);
+ });
+ if (identities.length !== binders.length) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ break;
+ case HANDSHAKE_TYPE.SERVER_HELLO:
+ selectedIdentity = buf.readUint16();
+ break;
+ default:
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ return new this(identities, binders, selectedIdentity);
+ }
+
+ _write(messageType, buf) {
+ switch (messageType) {
+ case HANDSHAKE_TYPE.CLIENT_HELLO:
+ buf.writeVector16(buf => {
+ this.identities.forEach(pskId => {
+ buf.writeVectorBytes16(pskId);
+ buf.writeUint32(0); // Zero for "tag age" field.
+ });
+ });
+ buf.writeVector16(buf => {
+ this.binders.forEach(pskBinder => {
+ buf.writeVectorBytes8(pskBinder);
+ });
+ });
+ break;
+ case HANDSHAKE_TYPE.SERVER_HELLO:
+ buf.writeUint16(this.selectedIdentity);
+ break;
+ default:
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ }
+}
+
+
+// The SupportedVersions extension:
+//
+// struct {
+// select(Handshake.msg_type) {
+// case client_hello:
+// ProtocolVersion versions < 2..254 >;
+// case server_hello:
+// ProtocolVersion selected_version;
+// };
+// } SupportedVersions;
+
+class extensions_SupportedVersionsExtension extends extensions_Extension {
+ constructor(versions, selectedVersion) {
+ super();
+ this.versions = versions;
+ this.selectedVersion = selectedVersion;
+ }
+
+ get TYPE_TAG() {
+ return EXTENSION_TYPE.SUPPORTED_VERSIONS;
+ }
+
+ static _read(messageType, buf) {
+ let versions = null, selectedVersion = null;
+ switch (messageType) {
+ case HANDSHAKE_TYPE.CLIENT_HELLO:
+ versions = [];
+ buf.readVector8(buf => {
+ versions.push(buf.readUint16());
+ });
+ break;
+ case HANDSHAKE_TYPE.SERVER_HELLO:
+ selectedVersion = buf.readUint16();
+ break;
+ default:
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ return new this(versions, selectedVersion);
+ }
+
+ _write(messageType, buf) {
+ switch (messageType) {
+ case HANDSHAKE_TYPE.CLIENT_HELLO:
+ buf.writeVector8(buf => {
+ this.versions.forEach(version => {
+ buf.writeUint16(version);
+ });
+ });
+ break;
+ case HANDSHAKE_TYPE.SERVER_HELLO:
+ buf.writeUint16(this.selectedVersion);
+ break;
+ default:
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ }
+}
+
+
+class extensions_PskKeyExchangeModesExtension extends extensions_Extension {
+ constructor(modes) {
+ super();
+ this.modes = modes;
+ }
+
+ get TYPE_TAG() {
+ return EXTENSION_TYPE.PSK_KEY_EXCHANGE_MODES;
+ }
+
+ static _read(messageType, buf) {
+ const modes = [];
+ switch (messageType) {
+ case HANDSHAKE_TYPE.CLIENT_HELLO:
+ buf.readVector8(buf => {
+ modes.push(buf.readUint8());
+ });
+ break;
+ default:
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ return new this(modes);
+ }
+
+ _write(messageType, buf) {
+ switch (messageType) {
+ case HANDSHAKE_TYPE.CLIENT_HELLO:
+ buf.writeVector8(buf => {
+ this.modes.forEach(mode => {
+ buf.writeUint8(mode);
+ });
+ });
+ break;
+ default:
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ }
+}
+
+// CONCATENATED MODULE: ./src/constants.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const VERSION_TLS_1_0 = 0x0301;
+const VERSION_TLS_1_2 = 0x0303;
+const VERSION_TLS_1_3 = 0x0304;
+const TLS_AES_128_GCM_SHA256 = 0x1301;
+const PSK_MODE_KE = 0;
+
+// CONCATENATED MODULE: ./src/messages.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+//
+// Message parsing.
+//
+// Herein we need code for reading and writing the various Handshake
+// messages involved in the protocol.
+//
+
+
+
+
+
+
+
+/* eslint-disable sorting/sort-object-props */
+const HANDSHAKE_TYPE = {
+ CLIENT_HELLO: 1,
+ SERVER_HELLO: 2,
+ NEW_SESSION_TICKET: 4,
+ ENCRYPTED_EXTENSIONS: 8,
+ FINISHED: 20,
+};
+/* eslint-enable sorting/sort-object-props */
+
+// Base class for generic reading/writing of handshake messages,
+// which are all uniformly formatted as:
+//
+// struct {
+// HandshakeType msg_type; /* handshake type */
+// uint24 length; /* bytes in message */
+// select(Handshake.msg_type) {
+// ... type specific cases here ...
+// };
+// } Handshake;
+
+class messages_HandshakeMessage {
+
+ get TYPE_TAG() {
+ throw new Error('not implemented');
+ }
+
+ static fromBytes(bytes) {
+ // Each handshake message has a type and length prefix, per
+ // https://tools.ietf.org/html/rfc8446#appendix-B.3
+ const buf = new utils_BufferReader(bytes);
+ const msg = this.read(buf);
+ if (buf.hasMoreBytes()) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ return msg;
+ }
+
+ toBytes() {
+ const buf = new utils_BufferWriter();
+ this.write(buf);
+ return buf.flush();
+ }
+
+ static read(buf) {
+ const type = buf.readUint8();
+ let msg = null;
+ buf.readVector24(buf => {
+ switch (type) {
+ case HANDSHAKE_TYPE.CLIENT_HELLO:
+ msg = messages_ClientHello._read(buf);
+ break;
+ case HANDSHAKE_TYPE.SERVER_HELLO:
+ msg = messages_ServerHello._read(buf);
+ break;
+ case HANDSHAKE_TYPE.NEW_SESSION_TICKET:
+ msg = messages_NewSessionTicket._read(buf);
+ break;
+ case HANDSHAKE_TYPE.ENCRYPTED_EXTENSIONS:
+ msg = EncryptedExtensions._read(buf);
+ break;
+ case HANDSHAKE_TYPE.FINISHED:
+ msg = messages_Finished._read(buf);
+ break;
+ }
+ if (buf.hasMoreBytes()) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ });
+ if (msg === null) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ return msg;
+ }
+
+ write(buf) {
+ buf.writeUint8(this.TYPE_TAG);
+ buf.writeVector24(buf => {
+ this._write(buf);
+ });
+ }
+
+ static _read(buf) {
+ throw new Error('not implemented');
+ }
+
+ _write(buf) {
+ throw new Error('not implemented');
+ }
+
+ // Some little helpers for reading a list of extensions,
+ // which is uniformly represented as:
+ //
+ // Extension extensions<8..2^16-1>;
+ //
+ // Recognized extensions are returned as a Map from extension type
+ // to extension data object, with a special `lastSeenExtension`
+ // property to make it easy to check which one came last.
+
+ static _readExtensions(messageType, buf) {
+ const extensions = new Map();
+ buf.readVector16(buf => {
+ const ext = extensions_Extension.read(messageType, buf);
+ if (extensions.has(ext.TYPE_TAG)) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ extensions.set(ext.TYPE_TAG, ext);
+ extensions.lastSeenExtension = ext.TYPE_TAG;
+ });
+ return extensions;
+ }
+
+ _writeExtensions(buf, extensions) {
+ buf.writeVector16(buf => {
+ extensions.forEach(ext => {
+ ext.write(this.TYPE_TAG, buf);
+ });
+ });
+ }
+}
+
+
+// The ClientHello message:
+//
+// struct {
+// ProtocolVersion legacy_version = 0x0303;
+// Random random;
+// opaque legacy_session_id<0..32>;
+// CipherSuite cipher_suites<2..2^16-2>;
+// opaque legacy_compression_methods<1..2^8-1>;
+// Extension extensions<8..2^16-1>;
+// } ClientHello;
+
+class messages_ClientHello extends messages_HandshakeMessage {
+
+ constructor(random, sessionId, extensions) {
+ super();
+ this.random = random;
+ this.sessionId = sessionId;
+ this.extensions = extensions;
+ }
+
+ get TYPE_TAG() {
+ return HANDSHAKE_TYPE.CLIENT_HELLO;
+ }
+
+ static _read(buf) {
+ // The legacy_version field may indicate an earlier version of TLS
+ // for backwards compatibility, but must not predate TLS 1.0!
+ if (buf.readUint16() < VERSION_TLS_1_0) {
+ throw new TLSError(ALERT_DESCRIPTION.PROTOCOL_VERSION);
+ }
+ // The random bytes provided by the peer.
+ const random = buf.readBytes(32);
+ // Read legacy_session_id, so the server can echo it.
+ const sessionId = buf.readVectorBytes8();
+ // We only support a single ciphersuite, but the peer may offer several.
+ // Scan the list to confirm that the one we want is present.
+ let found = false;
+ buf.readVector16(buf => {
+ const cipherSuite = buf.readUint16();
+ if (cipherSuite === TLS_AES_128_GCM_SHA256) {
+ found = true;
+ }
+ });
+ if (! found) {
+ throw new TLSError(ALERT_DESCRIPTION.HANDSHAKE_FAILURE);
+ }
+ // legacy_compression_methods must be a single zero byte for TLS1.3 ClientHellos.
+ // It can be non-zero in previous versions of TLS, but we're not going to
+ // make a successful handshake with such versions, so better to just bail out now.
+ const legacyCompressionMethods = buf.readVectorBytes8();
+ if (legacyCompressionMethods.byteLength !== 1) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ if (legacyCompressionMethods[0] !== 0x00) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ // Read and check the extensions.
+ const extensions = this._readExtensions(HANDSHAKE_TYPE.CLIENT_HELLO, buf);
+ if (! extensions.has(EXTENSION_TYPE.SUPPORTED_VERSIONS)) {
+ throw new TLSError(ALERT_DESCRIPTION.MISSING_EXTENSION);
+ }
+ if (extensions.get(EXTENSION_TYPE.SUPPORTED_VERSIONS).versions.indexOf(VERSION_TLS_1_3) === -1) {
+ throw new TLSError(ALERT_DESCRIPTION.PROTOCOL_VERSION);
+ }
+ // Was the PreSharedKey extension the last one?
+ if (extensions.has(EXTENSION_TYPE.PRE_SHARED_KEY)) {
+ if (extensions.lastSeenExtension !== EXTENSION_TYPE.PRE_SHARED_KEY) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ }
+ return new this(random, sessionId, extensions);
+ }
+
+ _write(buf) {
+ buf.writeUint16(VERSION_TLS_1_2);
+ buf.writeBytes(this.random);
+ buf.writeVectorBytes8(this.sessionId);
+ // Our single supported ciphersuite
+ buf.writeVector16(buf => {
+ buf.writeUint16(TLS_AES_128_GCM_SHA256);
+ });
+ // A single zero byte for legacy_compression_methods
+ buf.writeVectorBytes8(new Uint8Array(1));
+ this._writeExtensions(buf, this.extensions);
+ }
+}
+
+
+// The ServerHello message:
+//
+// struct {
+// ProtocolVersion legacy_version = 0x0303; /* TLS v1.2 */
+// Random random;
+// opaque legacy_session_id_echo<0..32>;
+// CipherSuite cipher_suite;
+// uint8 legacy_compression_method = 0;
+// Extension extensions < 6..2 ^ 16 - 1 >;
+// } ServerHello;
+
+class messages_ServerHello extends messages_HandshakeMessage {
+
+ constructor(random, sessionId, extensions) {
+ super();
+ this.random = random;
+ this.sessionId = sessionId;
+ this.extensions = extensions;
+ }
+
+ get TYPE_TAG() {
+ return HANDSHAKE_TYPE.SERVER_HELLO;
+ }
+
+ static _read(buf) {
+ // Fixed value for legacy_version.
+ if (buf.readUint16() !== VERSION_TLS_1_2) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ // Random bytes from the server.
+ const random = buf.readBytes(32);
+ // It should have echoed our vector for legacy_session_id.
+ const sessionId = buf.readVectorBytes8();
+ // It should have selected our single offered ciphersuite.
+ if (buf.readUint16() !== TLS_AES_128_GCM_SHA256) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ // legacy_compression_method must be zero.
+ if (buf.readUint8() !== 0) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ const extensions = this._readExtensions(HANDSHAKE_TYPE.SERVER_HELLO, buf);
+ if (! extensions.has(EXTENSION_TYPE.SUPPORTED_VERSIONS)) {
+ throw new TLSError(ALERT_DESCRIPTION.MISSING_EXTENSION);
+ }
+ if (extensions.get(EXTENSION_TYPE.SUPPORTED_VERSIONS).selectedVersion !== VERSION_TLS_1_3) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ return new this(random, sessionId, extensions);
+ }
+
+ _write(buf) {
+ buf.writeUint16(VERSION_TLS_1_2);
+ buf.writeBytes(this.random);
+ buf.writeVectorBytes8(this.sessionId);
+ // Our single supported ciphersuite
+ buf.writeUint16(TLS_AES_128_GCM_SHA256);
+ // A single zero byte for legacy_compression_method
+ buf.writeUint8(0);
+ this._writeExtensions(buf, this.extensions);
+ }
+}
+
+
+// The EncryptedExtensions message:
+//
+// struct {
+// Extension extensions < 0..2 ^ 16 - 1 >;
+// } EncryptedExtensions;
+//
+// We don't actually send any EncryptedExtensions,
+// but still have to send an empty message.
+
+class EncryptedExtensions extends messages_HandshakeMessage {
+ constructor(extensions) {
+ super();
+ this.extensions = extensions;
+ }
+
+ get TYPE_TAG() {
+ return HANDSHAKE_TYPE.ENCRYPTED_EXTENSIONS;
+ }
+
+ static _read(buf) {
+ const extensions = this._readExtensions(HANDSHAKE_TYPE.ENCRYPTED_EXTENSIONS, buf);
+ return new this(extensions);
+ }
+
+ _write(buf) {
+ this._writeExtensions(buf, this.extensions);
+ }
+}
+
+
+// The Finished message:
+//
+// struct {
+// opaque verify_data[Hash.length];
+// } Finished;
+
+class messages_Finished extends messages_HandshakeMessage {
+
+ constructor(verifyData) {
+ super();
+ this.verifyData = verifyData;
+ }
+
+ get TYPE_TAG() {
+ return HANDSHAKE_TYPE.FINISHED;
+ }
+
+ static _read(buf) {
+ const verifyData = buf.readBytes(HASH_LENGTH);
+ return new this(verifyData);
+ }
+
+ _write(buf) {
+ buf.writeBytes(this.verifyData);
+ }
+}
+
+
+// The NewSessionTicket message:
+//
+// struct {
+// uint32 ticket_lifetime;
+// uint32 ticket_age_add;
+// opaque ticket_nonce < 0..255 >;
+// opaque ticket < 1..2 ^ 16 - 1 >;
+// Extension extensions < 0..2 ^ 16 - 2 >;
+// } NewSessionTicket;
+//
+// We don't actually make use of these, but we need to be able
+// to accept them and do basic validation.
+
+class messages_NewSessionTicket extends messages_HandshakeMessage {
+ constructor(ticketLifetime, ticketAgeAdd, ticketNonce, ticket, extensions) {
+ super();
+ this.ticketLifetime = ticketLifetime;
+ this.ticketAgeAdd = ticketAgeAdd;
+ this.ticketNonce = ticketNonce;
+ this.ticket = ticket;
+ this.extensions = extensions;
+ }
+
+ get TYPE_TAG() {
+ return HANDSHAKE_TYPE.NEW_SESSION_TICKET;
+ }
+
+ static _read(buf) {
+ const ticketLifetime = buf.readUint32();
+ const ticketAgeAdd = buf.readUint32();
+ const ticketNonce = buf.readVectorBytes8();
+ const ticket = buf.readVectorBytes16();
+ if (ticket.byteLength < 1) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ const extensions = this._readExtensions(HANDSHAKE_TYPE.NEW_SESSION_TICKET, buf);
+ return new this(ticketLifetime, ticketAgeAdd, ticketNonce, ticket, extensions);
+ }
+
+ _write(buf) {
+ buf.writeUint32(this.ticketLifetime);
+ buf.writeUint32(this.ticketAgeAdd);
+ buf.writeVectorBytes8(this.ticketNonce);
+ buf.writeVectorBytes16(this.ticket);
+ this._writeExtensions(buf, this.extensions);
+ }
+}
+
+// CONCATENATED MODULE: ./src/states.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+
+
+
+
+
+
+
+//
+// State-machine for TLS Handshake Management.
+//
+// Internally, we manage the TLS connection by explicitly modelling the
+// client and server state-machines from RFC8446. You can think of
+// these `State` objects as little plugins for the `Connection` class
+// that provide different behaviours of `send` and `receive` depending
+// on the state of the connection.
+//
+
+class states_State {
+
+ constructor(conn) {
+ this.conn = conn;
+ }
+
+ async initialize() {
+ // By default, nothing to do when entering the state.
+ }
+
+ async sendApplicationData(bytes) {
+ // By default, assume we're not ready to send yet and the caller
+ // should be blocking on the connection promise before reaching here.
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+
+ async recvApplicationData(bytes) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+
+ async recvHandshakeMessage(msg) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+
+ async recvAlertMessage(alert) {
+ switch (alert.description) {
+ case ALERT_DESCRIPTION.CLOSE_NOTIFY:
+ this.conn._closeForRecv(alert);
+ throw alert;
+ default:
+ return await this.handleErrorAndRethrow(alert);
+ }
+ }
+
+ async recvChangeCipherSpec(bytes) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+
+ async handleErrorAndRethrow(err) {
+ let alert = err;
+ if (! (alert instanceof TLSAlert)) {
+ alert = new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ // Try to send error alert to the peer, but we may not
+ // be able to if the outgoing connection was already closed.
+ try {
+ await this.conn._sendAlertMessage(alert);
+ } catch (_) { }
+ await this.conn._transition(ERROR, err);
+ throw err;
+ }
+
+ async close() {
+ const alert = new TLSCloseNotify();
+ await this.conn._sendAlertMessage(alert);
+ this.conn._closeForSend(alert);
+ }
+
+}
+
+// A special "guard" state to prevent us from using
+// an improperly-initialized Connection.
+
+class UNINITIALIZED extends states_State {
+ async initialize() {
+ throw new Error('uninitialized state');
+ }
+ async sendApplicationData(bytes) {
+ throw new Error('uninitialized state');
+ }
+ async recvApplicationData(bytes) {
+ throw new Error('uninitialized state');
+ }
+ async recvHandshakeMessage(msg) {
+ throw new Error('uninitialized state');
+ }
+ async recvChangeCipherSpec(bytes) {
+ throw new Error('uninitialized state');
+ }
+ async handleErrorAndRethrow(err) {
+ throw err;
+ }
+ async close() {
+ throw new Error('uninitialized state');
+ }
+}
+
+// A special "error" state for when something goes wrong.
+// This state never transitions to another state, effectively
+// terminating the connection.
+
+class ERROR extends states_State {
+ async initialize(err) {
+ this.error = err;
+ this.conn._setConnectionFailure(err);
+ // Unceremoniously shut down the record layer on error.
+ this.conn._recordlayer.setSendError(err);
+ this.conn._recordlayer.setRecvError(err);
+ }
+ async sendApplicationData(bytes) {
+ throw this.error;
+ }
+ async recvApplicationData(bytes) {
+ throw this.error;
+ }
+ async recvHandshakeMessage(msg) {
+ throw this.error;
+ }
+ async recvAlertMessage(err) {
+ throw this.error;
+ }
+ async recvChangeCipherSpec(bytes) {
+ throw this.error;
+ }
+ async handleErrorAndRethrow(err) {
+ throw err;
+ }
+ async close() {
+ throw this.error;
+ }
+}
+
+// The "connected" state, for when the handshake is complete
+// and we're ready to send application-level data.
+// The logic for this is largely symmetric between client and server.
+
+class states_CONNECTED extends states_State {
+ async initialize() {
+ this.conn._setConnectionSuccess();
+ }
+ async sendApplicationData(bytes) {
+ await this.conn._sendApplicationData(bytes);
+ }
+ async recvApplicationData(bytes) {
+ return bytes;
+ }
+ async recvChangeCipherSpec(bytes) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+}
+
+// A base class for states that occur in the middle of the handshake
+// (that is, between ClientHello and Finished). These states may receive
+// CHANGE_CIPHER_SPEC records for b/w compat reasons, which must contain
+// exactly a single 0x01 byte and must otherwise be ignored.
+
+class states_MidHandshakeState extends states_State {
+ async recvChangeCipherSpec(bytes) {
+ if (this.conn._hasSeenChangeCipherSpec) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ if (bytes.byteLength !== 1 || bytes[0] !== 1) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ this.conn._hasSeenChangeCipherSpec = true;
+ }
+}
+
+// These states implement (part of) the client state-machine from
+// https://tools.ietf.org/html/rfc8446#appendix-A.1
+//
+// Since we're only implementing a small subset of TLS1.3,
+// we only need a small subset of the handshake. It basically goes:
+//
+// * send ClientHello
+// * receive ServerHello
+// * receive EncryptedExtensions
+// * receive server Finished
+// * send client Finished
+//
+// We include some unused states for completeness, so that it's easier
+// to check the implementation against the diagrams in the RFC.
+
+class states_CLIENT_START extends states_State {
+ async initialize() {
+ const keyschedule = this.conn._keyschedule;
+ await keyschedule.addPSK(this.conn.psk);
+ // Construct a ClientHello message with our single PSK.
+ // We can't know the PSK binder value yet, so we initially write zeros.
+ const clientHello = new messages_ClientHello(
+ // Client random salt.
+ await getRandomBytes(32),
+ // Random legacy_session_id; we *could* send an empty string here,
+ // but sending a random one makes it easier to be compatible with
+ // the data emitted by tlslite-ng for test-case generation.
+ await getRandomBytes(32),
+ [
+ new extensions_SupportedVersionsExtension([VERSION_TLS_1_3]),
+ new extensions_PskKeyExchangeModesExtension([PSK_MODE_KE]),
+ new extensions_PreSharedKeyExtension([this.conn.pskId], [zeros(HASH_LENGTH)]),
+ ],
+ );
+ const buf = new utils_BufferWriter();
+ clientHello.write(buf);
+ // Now that we know what the ClientHello looks like,
+ // go back and calculate the appropriate PSK binder value.
+ // We only support a single PSK, so the length of the binders field is the
+ // length of the hash plus one for rendering it as a variable-length byte array,
+ // plus two for rendering the variable-length list of PSK binders.
+ const PSK_BINDERS_SIZE = HASH_LENGTH + 1 + 2;
+ const truncatedTranscript = buf.slice(0, buf.tell() - PSK_BINDERS_SIZE);
+ const pskBinder = await keyschedule.calculateFinishedMAC(keyschedule.extBinderKey, truncatedTranscript);
+ buf.incr(-HASH_LENGTH);
+ buf.writeBytes(pskBinder);
+ await this.conn._sendHandshakeMessageBytes(buf.flush());
+ await this.conn._transition(states_CLIENT_WAIT_SH, clientHello.sessionId);
+ }
+}
+
+class states_CLIENT_WAIT_SH extends states_State {
+ async initialize(sessionId) {
+ this._sessionId = sessionId;
+ }
+ async recvHandshakeMessage(msg) {
+ if (! (msg instanceof messages_ServerHello)) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ if (! bytesAreEqual(msg.sessionId, this._sessionId)) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ const pskExt = msg.extensions.get(EXTENSION_TYPE.PRE_SHARED_KEY);
+ if (! pskExt) {
+ throw new TLSError(ALERT_DESCRIPTION.MISSING_EXTENSION);
+ }
+ // We expect only the SUPPORTED_VERSIONS and PRE_SHARED_KEY extensions.
+ if (msg.extensions.size !== 2) {
+ throw new TLSError(ALERT_DESCRIPTION.UNSUPPORTED_EXTENSION);
+ }
+ if (pskExt.selectedIdentity !== 0) {
+ throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
+ }
+ await this.conn._keyschedule.addECDHE(null);
+ await this.conn._setSendKey(this.conn._keyschedule.clientHandshakeTrafficSecret);
+ await this.conn._setRecvKey(this.conn._keyschedule.serverHandshakeTrafficSecret);
+ await this.conn._transition(states_CLIENT_WAIT_EE);
+ }
+}
+
+class states_CLIENT_WAIT_EE extends states_MidHandshakeState {
+ async recvHandshakeMessage(msg) {
+ // We don't make use of any encrypted extensions, but we still
+ // have to wait for the server to send the (empty) list of them.
+ if (! (msg instanceof EncryptedExtensions)) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ // We do not support any EncryptedExtensions.
+ if (msg.extensions.size !== 0) {
+ throw new TLSError(ALERT_DESCRIPTION.UNSUPPORTED_EXTENSION);
+ }
+ const keyschedule = this.conn._keyschedule;
+ const serverFinishedTranscript = keyschedule.getTranscript();
+ await this.conn._transition(states_CLIENT_WAIT_FINISHED, serverFinishedTranscript);
+ }
+}
+
+class states_CLIENT_WAIT_FINISHED extends states_State {
+ async initialize(serverFinishedTranscript) {
+ this._serverFinishedTranscript = serverFinishedTranscript;
+ }
+ async recvHandshakeMessage(msg) {
+ if (! (msg instanceof messages_Finished)) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ // Verify server Finished MAC.
+ const keyschedule = this.conn._keyschedule;
+ await keyschedule.verifyFinishedMAC(keyschedule.serverHandshakeTrafficSecret, msg.verifyData, this._serverFinishedTranscript);
+ // Send our own Finished message in return.
+ // This must be encrypted with the handshake traffic key,
+ // but must not appear in the transcript used to calculate the application keys.
+ const clientFinishedMAC = await keyschedule.calculateFinishedMAC(keyschedule.clientHandshakeTrafficSecret);
+ await keyschedule.finalize();
+ await this.conn._sendHandshakeMessage(new messages_Finished(clientFinishedMAC));
+ await this.conn._setSendKey(keyschedule.clientApplicationTrafficSecret);
+ await this.conn._setRecvKey(keyschedule.serverApplicationTrafficSecret);
+ await this.conn._transition(states_CLIENT_CONNECTED);
+ }
+}
+
+class states_CLIENT_CONNECTED extends states_CONNECTED {
+ async recvHandshakeMessage(msg) {
+ // A connected client must be prepared to accept NewSessionTicket
+ // messages. We never use them, but other server implementations
+ // might send them.
+ if (! (msg instanceof messages_NewSessionTicket)) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ }
+}
+
+// These states implement (part of) the server state-machine from
+// https://tools.ietf.org/html/rfc8446#appendix-A.2
+//
+// Since we're only implementing a small subset of TLS1.3,
+// we only need a small subset of the handshake. It basically goes:
+//
+// * receive ClientHello
+// * send ServerHello
+// * send empty EncryptedExtensions
+// * send server Finished
+// * receive client Finished
+//
+// We include some unused states for completeness, so that it's easier
+// to check the implementation against the diagrams in the RFC.
+
+class states_SERVER_START extends states_State {
+ async recvHandshakeMessage(msg) {
+ if (! (msg instanceof messages_ClientHello)) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ // In the spec, this is where we select connection parameters, and maybe
+ // tell the client to try again if we can't find a compatible set.
+ // Since we only support a fixed cipherset, the only thing to "negotiate"
+ // is whether they provided an acceptable PSK.
+ const pskExt = msg.extensions.get(EXTENSION_TYPE.PRE_SHARED_KEY);
+ const pskModesExt = msg.extensions.get(EXTENSION_TYPE.PSK_KEY_EXCHANGE_MODES);
+ if (! pskExt || ! pskModesExt) {
+ throw new TLSError(ALERT_DESCRIPTION.MISSING_EXTENSION);
+ }
+ if (pskModesExt.modes.indexOf(PSK_MODE_KE) === -1) {
+ throw new TLSError(ALERT_DESCRIPTION.HANDSHAKE_FAILURE);
+ }
+ const pskIndex = pskExt.identities.findIndex(pskId => bytesAreEqual(pskId, this.conn.pskId));
+ if (pskIndex === -1) {
+ throw new TLSError(ALERT_DESCRIPTION.UNKNOWN_PSK_IDENTITY);
+ }
+ await this.conn._keyschedule.addPSK(this.conn.psk);
+ // Validate the PSK binder.
+ const keyschedule = this.conn._keyschedule;
+ const transcript = keyschedule.getTranscript();
+ // Calculate size occupied by the PSK binders.
+ let pskBindersSize = 2; // Vector16 representation overhead.
+ for (const binder of pskExt.binders) {
+ pskBindersSize += binder.byteLength + 1; // Vector8 representation overhead.
+ }
+ await keyschedule.verifyFinishedMAC(keyschedule.extBinderKey, pskExt.binders[pskIndex], transcript.slice(0, -pskBindersSize));
+ await this.conn._transition(states_SERVER_NEGOTIATED, msg.sessionId, pskIndex);
+ }
+}
+
+class states_SERVER_NEGOTIATED extends states_MidHandshakeState {
+ async initialize(sessionId, pskIndex) {
+ await this.conn._sendHandshakeMessage(new messages_ServerHello(
+ // Server random
+ await getRandomBytes(32),
+ sessionId,
+ [
+ new extensions_SupportedVersionsExtension(null, VERSION_TLS_1_3),
+ new extensions_PreSharedKeyExtension(null, null, pskIndex),
+ ]
+ ));
+ // If the client sent a non-empty sessionId, the server *must* send a change-cipher-spec for b/w compat.
+ if (sessionId.byteLength > 0) {
+ await this.conn._sendChangeCipherSpec();
+ }
+ // We can now transition to the encrypted part of the handshake.
+ const keyschedule = this.conn._keyschedule;
+ await keyschedule.addECDHE(null);
+ await this.conn._setSendKey(keyschedule.serverHandshakeTrafficSecret);
+ await this.conn._setRecvKey(keyschedule.clientHandshakeTrafficSecret);
+ // Send an empty EncryptedExtensions message.
+ await this.conn._sendHandshakeMessage(new EncryptedExtensions([]));
+ // Send the Finished message.
+ const serverFinishedMAC = await keyschedule.calculateFinishedMAC(keyschedule.serverHandshakeTrafficSecret);
+ await this.conn._sendHandshakeMessage(new messages_Finished(serverFinishedMAC));
+ // We can now *send* using the application traffic key,
+ // but have to wait to receive the client Finished before receiving under that key.
+ // We need to remember the handshake state from before the client Finished
+ // in order to successfully verify the client Finished.
+ const clientFinishedTranscript = await keyschedule.getTranscript();
+ const clientHandshakeTrafficSecret = keyschedule.clientHandshakeTrafficSecret;
+ await keyschedule.finalize();
+ await this.conn._setSendKey(keyschedule.serverApplicationTrafficSecret);
+ await this.conn._transition(states_SERVER_WAIT_FINISHED, clientHandshakeTrafficSecret, clientFinishedTranscript);
+ }
+}
+
+class states_SERVER_WAIT_FINISHED extends states_MidHandshakeState {
+ async initialize(clientHandshakeTrafficSecret, clientFinishedTranscript) {
+ this._clientHandshakeTrafficSecret = clientHandshakeTrafficSecret;
+ this._clientFinishedTranscript = clientFinishedTranscript;
+ }
+ async recvHandshakeMessage(msg) {
+ if (! (msg instanceof messages_Finished)) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ const keyschedule = this.conn._keyschedule;
+ await keyschedule.verifyFinishedMAC(this._clientHandshakeTrafficSecret, msg.verifyData, this._clientFinishedTranscript);
+ this._clientHandshakeTrafficSecret = this._clientFinishedTranscript = null;
+ await this.conn._setRecvKey(keyschedule.clientApplicationTrafficSecret);
+ await this.conn._transition(states_CONNECTED);
+ }
+}
+
+// CONCATENATED MODULE: ./src/keyschedule.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// TLS1.3 Key Schedule.
+//
+// In this file we implement the "key schedule" from
+// https://tools.ietf.org/html/rfc8446#section-7.1, which
+// defines how to calculate various keys as the handshake
+// state progresses.
+
+
+
+
+
+
+
+// The `KeySchedule` class progresses through three stages corresponding
+// to the three phases of the TLS1.3 key schedule:
+//
+// UNINITIALIZED
+// |
+// | addPSK()
+// v
+// EARLY_SECRET
+// |
+// | addECDHE()
+// v
+// HANDSHAKE_SECRET
+// |
+// | finalize()
+// v
+// MASTER_SECRET
+//
+// It will error out if the calling code attempts to add key material
+// in the wrong order.
+
+const STAGE_UNINITIALIZED = 0;
+const STAGE_EARLY_SECRET = 1;
+const STAGE_HANDSHAKE_SECRET = 2;
+const STAGE_MASTER_SECRET = 3;
+
+class keyschedule_KeySchedule {
+ constructor() {
+ this.stage = STAGE_UNINITIALIZED;
+ // WebCrypto doesn't support a rolling hash construct, so we have to
+ // keep the entire message transcript in memory.
+ this.transcript = new utils_BufferWriter();
+ // This tracks the main secret from with other keys are derived at each stage.
+ this.secret = null;
+ // And these are all the various keys we'll derive as the handshake progresses.
+ this.extBinderKey = null;
+ this.clientHandshakeTrafficSecret = null;
+ this.serverHandshakeTrafficSecret = null;
+ this.clientApplicationTrafficSecret = null;
+ this.serverApplicationTrafficSecret = null;
+ }
+
+ async addPSK(psk) {
+ // Use the selected PSK (if any) to calculate the "early secret".
+ if (psk === null) {
+ psk = zeros(HASH_LENGTH);
+ }
+ if (this.stage !== STAGE_UNINITIALIZED) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ this.stage = STAGE_EARLY_SECRET;
+ this.secret = await hkdfExtract(zeros(HASH_LENGTH), psk);
+ this.extBinderKey = await this.deriveSecret('ext binder', EMPTY);
+ this.secret = await this.deriveSecret('derived', EMPTY);
+ }
+
+ async addECDHE(ecdhe) {
+ // Mix in the ECDHE output (if any) to calculate the "handshake secret".
+ if (ecdhe === null) {
+ ecdhe = zeros(HASH_LENGTH);
+ }
+ if (this.stage !== STAGE_EARLY_SECRET) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ this.stage = STAGE_HANDSHAKE_SECRET;
+ this.extBinderKey = null;
+ this.secret = await hkdfExtract(this.secret, ecdhe);
+ this.clientHandshakeTrafficSecret = await this.deriveSecret('c hs traffic');
+ this.serverHandshakeTrafficSecret = await this.deriveSecret('s hs traffic');
+ this.secret = await this.deriveSecret('derived', EMPTY);
+ }
+
+ async finalize() {
+ if (this.stage !== STAGE_HANDSHAKE_SECRET) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ this.stage = STAGE_MASTER_SECRET;
+ this.clientHandshakeTrafficSecret = null;
+ this.serverHandshakeTrafficSecret = null;
+ this.secret = await hkdfExtract(this.secret, zeros(HASH_LENGTH));
+ this.clientApplicationTrafficSecret = await this.deriveSecret('c ap traffic');
+ this.serverApplicationTrafficSecret = await this.deriveSecret('s ap traffic');
+ this.secret = null;
+ }
+
+ addToTranscript(bytes) {
+ this.transcript.writeBytes(bytes);
+ }
+
+ getTranscript() {
+ return this.transcript.slice();
+ }
+
+ async deriveSecret(label, transcript = undefined) {
+ transcript = transcript || this.getTranscript();
+ return await hkdfExpandLabel(this.secret, label, await hash(transcript), HASH_LENGTH);
+ }
+
+ async calculateFinishedMAC(baseKey, transcript = undefined) {
+ transcript = transcript || this.getTranscript();
+ const finishedKey = await hkdfExpandLabel(baseKey, 'finished', EMPTY, HASH_LENGTH);
+ return await hmac(finishedKey, await hash(transcript));
+ }
+
+ async verifyFinishedMAC(baseKey, mac, transcript = undefined) {
+ transcript = transcript || this.getTranscript();
+ const finishedKey = await hkdfExpandLabel(baseKey, 'finished', EMPTY, HASH_LENGTH);
+ await verifyHmac(finishedKey, mac, await hash(transcript));
+ }
+}
+
+// CONCATENATED MODULE: ./src/recordlayer.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+//
+// This file implements the "record layer" for TLS1.3, as defined in
+// https://tools.ietf.org/html/rfc8446#section-5.
+//
+// The record layer is responsible for encrypting/decrypting bytes to be
+// sent over the wire, including stateful management of sequence numbers
+// for the incoming and outgoing stream.
+//
+// The main interface is the RecordLayer class, which takes a callback function
+// sending data and can be used like so:
+//
+// rl = new RecordLayer(async function send_encrypted_data(data) {
+// // application-specific sending logic here.
+// });
+//
+// // Records are sent and received in plaintext by default,
+// // until you specify the key to use.
+// await rl.setSendKey(key)
+//
+// // Send some data by specifying the record type and the bytes.
+// // Where allowed by the record type, it will be buffered until
+// // explicitly flushed, and then sent by calling the callback.
+// await rl.send(RECORD_TYPE.HANDSHAKE, <bytes for a handshake message>)
+// await rl.send(RECORD_TYPE.HANDSHAKE, <bytes for another handshake message>)
+// await rl.flush()
+//
+// // Separate keys are used for sending and receiving.
+// rl.setRecvKey(key);
+//
+// // When data is received, push it into the RecordLayer
+// // and pass a callback that will be called with a [type, bytes]
+// // pair for each message parsed from the data.
+// rl.recv(dataReceivedFromPeer, async (type, bytes) => {
+// switch (type) {
+// case RECORD_TYPE.APPLICATION_DATA:
+// // do something with application data
+// case RECORD_TYPE.HANDSHAKE:
+// // do something with a handshake message
+// default:
+// // etc...
+// }
+// });
+//
+
+
+
+
+
+
+
+/* eslint-disable sorting/sort-object-props */
+const RECORD_TYPE = {
+ CHANGE_CIPHER_SPEC: 20,
+ ALERT: 21,
+ HANDSHAKE: 22,
+ APPLICATION_DATA: 23,
+};
+/* eslint-enable sorting/sort-object-props */
+
+// Encrypting at most 2^24 records will force us to stay
+// below data limits on AES-GCM encryption key use, and also
+// means we can accurately represent the sequence number as
+// a javascript double.
+const MAX_SEQUENCE_NUMBER = Math.pow(2, 24);
+const MAX_RECORD_SIZE = Math.pow(2, 14);
+const MAX_ENCRYPTED_RECORD_SIZE = MAX_RECORD_SIZE + 256;
+const RECORD_HEADER_SIZE = 5;
+
+// These are some helper classes to manage the encryption/decryption state
+// for a particular key.
+
+class recordlayer_CipherState {
+ constructor(key, iv) {
+ this.key = key;
+ this.iv = iv;
+ this.seqnum = 0;
+ }
+
+ static async create(baseKey, mode) {
+ // Derive key and iv per https://tools.ietf.org/html/rfc8446#section-7.3
+ const key = await prepareKey(await hkdfExpandLabel(baseKey, 'key', EMPTY, KEY_LENGTH), mode);
+ const iv = await hkdfExpandLabel(baseKey, 'iv', EMPTY, IV_LENGTH);
+ return new this(key, iv);
+ }
+
+ nonce() {
+ // Ref https://tools.ietf.org/html/rfc8446#section-5.3:
+ // * left-pad the sequence number with zeros to IV_LENGTH
+ // * xor with the provided iv
+ // Our sequence numbers are always less than 2^24, so fit in a Uint32
+ // in the last 4 bytes of the nonce.
+ const nonce = this.iv.slice();
+ const dv = new DataView(nonce.buffer, nonce.byteLength - 4, 4);
+ dv.setUint32(0, dv.getUint32(0) ^ this.seqnum);
+ this.seqnum += 1;
+ if (this.seqnum > MAX_SEQUENCE_NUMBER) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ return nonce;
+ }
+}
+
+class recordlayer_EncryptionState extends recordlayer_CipherState {
+ static async create(key) {
+ return super.create(key, 'encrypt');
+ }
+
+ async encrypt(plaintext, additionalData) {
+ return await encrypt(this.key, this.nonce(), plaintext, additionalData);
+ }
+}
+
+class recordlayer_DecryptionState extends recordlayer_CipherState {
+ static async create(key) {
+ return super.create(key, 'decrypt');
+ }
+
+ async decrypt(ciphertext, additionalData) {
+ return await decrypt(this.key, this.nonce(), ciphertext, additionalData);
+ }
+}
+
+// The main RecordLayer class.
+
+class recordlayer_RecordLayer {
+ constructor(sendCallback) {
+ this.sendCallback = sendCallback;
+ this._sendEncryptState = null;
+ this._sendError = null;
+ this._recvDecryptState = null;
+ this._recvError = null;
+ this._pendingRecordType = 0;
+ this._pendingRecordBuf = null;
+ }
+
+ async setSendKey(key) {
+ await this.flush();
+ this._sendEncryptState = await recordlayer_EncryptionState.create(key);
+ }
+
+ async setRecvKey(key) {
+ this._recvDecryptState = await recordlayer_DecryptionState.create(key);
+ }
+
+ async setSendError(err) {
+ this._sendError = err;
+ }
+
+ async setRecvError(err) {
+ this._recvError = err;
+ }
+
+ async send(type, data) {
+ if (this._sendError !== null) {
+ throw this._sendError;
+ }
+ // Forbid sending data that doesn't fit into a single record.
+ // We do not support fragmentation over multiple records.
+ if (data.byteLength > MAX_RECORD_SIZE) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ // Flush if we're switching to a different record type.
+ if (this._pendingRecordType && this._pendingRecordType !== type) {
+ await this.flush();
+ }
+ // Flush if we would overflow the max size of a record.
+ if (this._pendingRecordBuf !== null) {
+ if (this._pendingRecordBuf.tell() + data.byteLength > MAX_RECORD_SIZE) {
+ await this.flush();
+ }
+ }
+ // Start a new pending record if necessary.
+ // We reserve space at the start of the buffer for the record header,
+ // which is conveniently always a fixed size.
+ if (this._pendingRecordBuf === null) {
+ this._pendingRecordType = type;
+ this._pendingRecordBuf = new utils_BufferWriter();
+ this._pendingRecordBuf.incr(RECORD_HEADER_SIZE);
+ }
+ this._pendingRecordBuf.writeBytes(data);
+ }
+
+ async flush() {
+ // If there's nothing to flush, bail out early.
+ // Don't throw `_sendError` if we're not sending anything, because `flush()`
+ // can be called when we're trying to transition into an error state.
+ const buf = this._pendingRecordBuf;
+ let type = this._pendingRecordType;
+ if (! type) {
+ if (buf !== null) {
+ throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
+ }
+ return;
+ }
+ if (this._sendError !== null) {
+ throw this._sendError;
+ }
+ // If we're encrypting, turn the existing buffer contents into a `TLSInnerPlaintext` by
+ // appending the type. We don't do any zero-padding, although the spec allows it.
+ let inflation = 0, innerPlaintext = null;
+ if (this._sendEncryptState !== null) {
+ buf.writeUint8(type);
+ innerPlaintext = buf.slice(RECORD_HEADER_SIZE);
+ inflation = AEAD_SIZE_INFLATION;
+ type = RECORD_TYPE.APPLICATION_DATA;
+ }
+ // Write the common header for either `TLSPlaintext` or `TLSCiphertext` record.
+ const length = buf.tell() - RECORD_HEADER_SIZE + inflation;
+ buf.seek(0);
+ buf.writeUint8(type);
+ buf.writeUint16(VERSION_TLS_1_2);
+ buf.writeUint16(length);
+ // Followed by different payload depending on encryption status.
+ if (this._sendEncryptState !== null) {
+ const additionalData = buf.slice(0, RECORD_HEADER_SIZE);
+ const ciphertext = await this._sendEncryptState.encrypt(innerPlaintext, additionalData);
+ buf.writeBytes(ciphertext);
+ } else {
+ buf.incr(length);
+ }
+ this._pendingRecordBuf = null;
+ this._pendingRecordType = 0;
+ await this.sendCallback(buf.flush());
+ }
+
+ async recv(data) {
+ if (this._recvError !== null) {
+ throw this._recvError;
+ }
+ // For simplicity, we assume that the given data contains exactly one record.
+ // Peers using this library will send one record at a time over the websocket
+ // connection, and we can assume that the server-side websocket bridge will split
+ // up any traffic into individual records if we ever start interoperating with
+ // peers using a different TLS implementation.
+ // Similarly, we assume that handshake messages will not be fragmented across
+ // multiple records. This should be trivially true for the PSK-only mode used
+ // by this library, but we may want to relax it in future for interoperability
+ // with e.g. large ClientHello messages that contain lots of different options.
+ const buf = new utils_BufferReader(data);
+ // The data to read is either a TLSPlaintext or TLSCiphertext struct,
+ // depending on whether record protection has been enabled yet:
+ //
+ // struct {
+ // ContentType type;
+ // ProtocolVersion legacy_record_version;
+ // uint16 length;
+ // opaque fragment[TLSPlaintext.length];
+ // } TLSPlaintext;
+ //
+ // struct {
+ // ContentType opaque_type = application_data; /* 23 */
+ // ProtocolVersion legacy_record_version = 0x0303; /* TLS v1.2 */
+ // uint16 length;
+ // opaque encrypted_record[TLSCiphertext.length];
+ // } TLSCiphertext;
+ //
+ let type = buf.readUint8();
+ // The spec says legacy_record_version "MUST be ignored for all purposes",
+ // but we know TLS1.3 implementations will only ever emit two possible values,
+ // so it seems useful to bail out early if we receive anything else.
+ const version = buf.readUint16();
+ if (version !== VERSION_TLS_1_2) {
+ // TLS1.0 is only acceptable on initial plaintext records.
+ if (this._recvDecryptState !== null || version !== VERSION_TLS_1_0) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ }
+ const length = buf.readUint16();
+ let plaintext;
+ if (this._recvDecryptState === null || type === RECORD_TYPE.CHANGE_CIPHER_SPEC) {
+ [type, plaintext] = await this._readPlaintextRecord(type, length, buf);
+ } else {
+ [type, plaintext] = await this._readEncryptedRecord(type, length, buf);
+ }
+ // Sanity-check that we received exactly one record.
+ if (buf.hasMoreBytes()) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ return [type, plaintext];
+ }
+
+ // Helper to read an unencrypted `TLSPlaintext` struct
+
+ async _readPlaintextRecord(type, length, buf) {
+ if (length > MAX_RECORD_SIZE) {
+ throw new TLSError(ALERT_DESCRIPTION.RECORD_OVERFLOW);
+ }
+ return [type, buf.readBytes(length)];
+ }
+
+ // Helper to read an encrypted `TLSCiphertext` struct,
+ // decrypting it into plaintext.
+
+ async _readEncryptedRecord(type, length, buf) {
+ if (length > MAX_ENCRYPTED_RECORD_SIZE) {
+ throw new TLSError(ALERT_DESCRIPTION.RECORD_OVERFLOW);
+ }
+ // The outer type for encrypted records is always APPLICATION_DATA.
+ if (type !== RECORD_TYPE.APPLICATION_DATA) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ // Decrypt and decode the contained `TLSInnerPlaintext` struct:
+ //
+ // struct {
+ // opaque content[TLSPlaintext.length];
+ // ContentType type;
+ // uint8 zeros[length_of_padding];
+ // } TLSInnerPlaintext;
+ //
+ // The additional data for the decryption is the `TLSCiphertext` record
+ // header, which is a fixed size and immediately prior to current buffer position.
+ buf.incr(-RECORD_HEADER_SIZE);
+ const additionalData = buf.readBytes(RECORD_HEADER_SIZE);
+ const ciphertext = buf.readBytes(length);
+ const paddedPlaintext = await this._recvDecryptState.decrypt(ciphertext, additionalData);
+ // We have to scan backwards over the zero padding at the end of the struct
+ // in order to find the non-zero `type` byte.
+ let i;
+ for (i = paddedPlaintext.byteLength - 1; i >= 0; i--) {
+ if (paddedPlaintext[i] !== 0) {
+ break;
+ }
+ }
+ if (i < 0) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ type = paddedPlaintext[i];
+ // `change_cipher_spec` records must always be plaintext.
+ if (type === RECORD_TYPE.CHANGE_CIPHER_SPEC) {
+ throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
+ }
+ return [type, paddedPlaintext.slice(0, i)];
+ }
+}
+
+// CONCATENATED MODULE: ./src/tlsconnection.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// The top-level APIs offered by this module are `ClientConnection` and
+// `ServerConnection` classes, which provide authenticated and encrypted
+// communication via the "externally-provisioned PSK" mode of TLS1.3.
+// They each take a callback to be used for sending data to the remote peer,
+// and operate like this:
+//
+// conn = await ClientConnection.create(psk, pskId, async function send_data_to_server(data) {
+// // application-specific sending logic here.
+// })
+//
+// // Send data to the server by calling `send`,
+// // which will use the callback provided in the constructor.
+// // A single `send()` by the application may result in multiple
+// // invokations of the callback.
+//
+// await conn.send('application-level data')
+//
+// // When data is received from the server, push it into
+// // the connection and let it return any decrypted app-level data.
+// // There might not be any app-level data if it was a protocol control
+// // message, and the receipt of the data might trigger additional calls
+// // to the send callback for protocol control purposes.
+//
+// serverSocket.on('data', async encrypted_data => {
+// const plaintext = await conn.recv(data)
+// if (plaintext !== null) {
+// do_something_with_app_level_data(plaintext)
+// }
+// })
+//
+// // It's good practice to explicitly close the connection
+// // when finished. This will send a "closed" notification
+// // to the server.
+//
+// await conn.close()
+//
+// // When the peer sends a "closed" notification it will show up
+// // as a `TLSCloseNotify` exception from recv:
+//
+// try {
+// data = await conn.recv(data);
+// } catch (err) {
+// if (! (err instanceof TLSCloseNotify) { throw err }
+// do_something_to_cleanly_close_data_connection();
+// }
+//
+// The `ServerConnection` API operates similarly; the distinction is mainly
+// in which side is expected to send vs receieve during the protocol handshake.
+
+
+
+
+
+
+
+
+
+
+class tlsconnection_Connection {
+ constructor(psk, pskId, sendCallback) {
+ this.psk = assertIsBytes(psk);
+ this.pskId = assertIsBytes(pskId);
+ this.connected = new Promise((resolve, reject) => {
+ this._onConnectionSuccess = resolve;
+ this._onConnectionFailure = reject;
+ });
+ this._state = new UNINITIALIZED(this);
+ this._handshakeRecvBuffer = null;
+ this._hasSeenChangeCipherSpec = false;
+ this._recordlayer = new recordlayer_RecordLayer(sendCallback);
+ this._keyschedule = new keyschedule_KeySchedule();
+ this._lastPromise = Promise.resolve();
+ }
+
+ // Subclasses will override this with some async initialization logic.
+ static async create(psk, pskId, sendCallback) {
+ return new this(psk, pskId, sendCallback);
+ }
+
+ // These are the three public API methods that consumers can use
+ // to send and receive data encrypted with TLS1.3.
+
+ async send(data) {
+ assertIsBytes(data);
+ await this.connected;
+ await this._synchronized(async () => {
+ await this._state.sendApplicationData(data);
+ });
+ }
+
+ async recv(data) {
+ assertIsBytes(data);
+ return await this._synchronized(async () => {
+ // Decrypt the data using the record layer.
+ // We expect to receive precisely one record at a time.
+ const [type, bytes] = await this._recordlayer.recv(data);
+ // Dispatch based on the type of the record.
+ switch (type) {
+ case RECORD_TYPE.CHANGE_CIPHER_SPEC:
+ await this._state.recvChangeCipherSpec(bytes);
+ return null;
+ case RECORD_TYPE.ALERT:
+ await this._state.recvAlertMessage(TLSAlert.fromBytes(bytes));
+ return null;
+ case RECORD_TYPE.APPLICATION_DATA:
+ return await this._state.recvApplicationData(bytes);
+ case RECORD_TYPE.HANDSHAKE:
+ // Multiple handshake messages may be coalesced into a single record.
+ // Store the in-progress record buffer on `this` so that we can guard
+ // against handshake messages that span a change in keys.
+ this._handshakeRecvBuffer = new utils_BufferReader(bytes);
+ if (! this._handshakeRecvBuffer.hasMoreBytes()) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ do {
+ // Each handshake messages has a type and length prefix, per
+ // https://tools.ietf.org/html/rfc8446#appendix-B.3
+ this._handshakeRecvBuffer.incr(1);
+ const mlength = this._handshakeRecvBuffer.readUint24();
+ this._handshakeRecvBuffer.incr(-4);
+ const messageBytes = this._handshakeRecvBuffer.readBytes(mlength + 4);
+ this._keyschedule.addToTranscript(messageBytes);
+ await this._state.recvHandshakeMessage(messages_HandshakeMessage.fromBytes(messageBytes));
+ } while (this._handshakeRecvBuffer.hasMoreBytes());
+ this._handshakeRecvBuffer = null;
+ return null;
+ default:
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ });
+ }
+
+ async close() {
+ await this._synchronized(async () => {
+ await this._state.close();
+ });
+ }
+
+ // Ensure that async functions execute one at a time,
+ // by waiting for the previous call to `_synchronized()` to complete
+ // before starting a new one. This helps ensure that we complete
+ // one state-machine transition before starting to do the next.
+ // It's also a convenient place to catch and alert on errors.
+
+ _synchronized(cb) {
+ const nextPromise = this._lastPromise.then(() => {
+ return cb();
+ }).catch(async err => {
+ if (err instanceof TLSCloseNotify) {
+ throw err;
+ }
+ await this._state.handleErrorAndRethrow(err);
+ });
+ // We don't want to hold on to the return value or error,
+ // just synchronize on the fact that it completed.
+ this._lastPromise = nextPromise.then(noop, noop);
+ return nextPromise;
+ }
+
+ // This drives internal transition of the state-machine,
+ // ensuring that the new state is properly initialized.
+
+ async _transition(State, ...args) {
+ this._state = new State(this);
+ await this._state.initialize(...args);
+ await this._recordlayer.flush();
+ }
+
+ // These are helpers to allow the State to manipulate the recordlayer
+ // and send out various types of data.
+
+ async _sendApplicationData(bytes) {
+ await this._recordlayer.send(RECORD_TYPE.APPLICATION_DATA, bytes);
+ await this._recordlayer.flush();
+ }
+
+ async _sendHandshakeMessage(msg) {
+ await this._sendHandshakeMessageBytes(msg.toBytes());
+ }
+
+ async _sendHandshakeMessageBytes(bytes) {
+ this._keyschedule.addToTranscript(bytes);
+ await this._recordlayer.send(RECORD_TYPE.HANDSHAKE, bytes);
+ // Don't flush after each handshake message, since we can probably
+ // coalesce multiple messages into a single record.
+ }
+
+ async _sendAlertMessage(err) {
+ await this._recordlayer.send(RECORD_TYPE.ALERT, err.toBytes());
+ await this._recordlayer.flush();
+ }
+
+ async _sendChangeCipherSpec() {
+ await this._recordlayer.send(RECORD_TYPE.CHANGE_CIPHER_SPEC, new Uint8Array([0x01]));
+ await this._recordlayer.flush();
+ }
+
+ async _setSendKey(key) {
+ return await this._recordlayer.setSendKey(key);
+ }
+
+ async _setRecvKey(key) {
+ // Handshake messages that change keys must be on a record boundary.
+ if (this._handshakeRecvBuffer && this._handshakeRecvBuffer.hasMoreBytes()) {
+ throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
+ }
+ return await this._recordlayer.setRecvKey(key);
+ }
+
+ _setConnectionSuccess() {
+ if (this._onConnectionSuccess !== null) {
+ this._onConnectionSuccess();
+ this._onConnectionSuccess = null;
+ this._onConnectionFailure = null;
+ }
+ }
+
+ _setConnectionFailure(err) {
+ if (this._onConnectionFailure !== null) {
+ this._onConnectionFailure(err);
+ this._onConnectionSuccess = null;
+ this._onConnectionFailure = null;
+ }
+ }
+
+ _closeForSend(alert) {
+ this._recordlayer.setSendError(alert);
+ }
+
+ _closeForRecv(alert) {
+ this._recordlayer.setRecvError(alert);
+ }
+}
+
+class tlsconnection_ClientConnection extends tlsconnection_Connection {
+ static async create(psk, pskId, sendCallback) {
+ const instance = await super.create(psk, pskId, sendCallback);
+ await instance._transition(states_CLIENT_START);
+ return instance;
+ }
+}
+
+class tlsconnection_ServerConnection extends tlsconnection_Connection {
+ static async create(psk, pskId, sendCallback) {
+ const instance = await super.create(psk, pskId, sendCallback);
+ await instance._transition(states_SERVER_START);
+ return instance;
+ }
+}
+
+// CONCATENATED MODULE: ./node_modules/event-target-shim/dist/event-target-shim.mjs
+/**
+ * @author Toru Nagashima <https://github.com/mysticatea>
+ * @copyright 2015 Toru Nagashima. All rights reserved.
+ * See LICENSE file in root directory for full license.
+ */
+/**
+ * @typedef {object} PrivateData
+ * @property {EventTarget} eventTarget The event target.
+ * @property {{type:string}} event The original event object.
+ * @property {number} eventPhase The current event phase.
+ * @property {EventTarget|null} currentTarget The current event target.
+ * @property {boolean} canceled The flag to prevent default.
+ * @property {boolean} stopped The flag to stop propagation.
+ * @property {boolean} immediateStopped The flag to stop propagation immediately.
+ * @property {Function|null} passiveListener The listener if the current listener is passive. Otherwise this is null.
+ * @property {number} timeStamp The unix time.
+ * @private
+ */
+
+/**
+ * Private data for event wrappers.
+ * @type {WeakMap<Event, PrivateData>}
+ * @private
+ */
+const privateData = new WeakMap();
+
+/**
+ * Cache for wrapper classes.
+ * @type {WeakMap<Object, Function>}
+ * @private
+ */
+const wrappers = new WeakMap();
+
+/**
+ * Get private data.
+ * @param {Event} event The event object to get private data.
+ * @returns {PrivateData} The private data of the event.
+ * @private
+ */
+function pd(event) {
+ const retv = privateData.get(event);
+ console.assert(
+ retv != null,
+ "'this' is expected an Event object, but got",
+ event
+ );
+ return retv
+}
+
+/**
+ * https://dom.spec.whatwg.org/#set-the-canceled-flag
+ * @param data {PrivateData} private data.
+ */
+function setCancelFlag(data) {
+ if (data.passiveListener != null) {
+ if (
+ typeof console !== "undefined" &&
+ typeof console.error === "function"
+ ) {
+ console.error(
+ "Unable to preventDefault inside passive event listener invocation.",
+ data.passiveListener
+ );
+ }
+ return
+ }
+ if (!data.event.cancelable) {
+ return
+ }
+
+ data.canceled = true;
+ if (typeof data.event.preventDefault === "function") {
+ data.event.preventDefault();
+ }
+}
+
+/**
+ * @see https://dom.spec.whatwg.org/#interface-event
+ * @private
+ */
+/**
+ * The event wrapper.
+ * @constructor
+ * @param {EventTarget} eventTarget The event target of this dispatching.
+ * @param {Event|{type:string}} event The original event to wrap.
+ */
+function Event(eventTarget, event) {
+ privateData.set(this, {
+ eventTarget,
+ event,
+ eventPhase: 2,
+ currentTarget: eventTarget,
+ canceled: false,
+ stopped: false,
+ immediateStopped: false,
+ passiveListener: null,
+ timeStamp: event.timeStamp || Date.now(),
+ });
+
+ // https://heycam.github.io/webidl/#Unforgeable
+ Object.defineProperty(this, "isTrusted", { value: false, enumerable: true });
+
+ // Define accessors
+ const keys = Object.keys(event);
+ for (let i = 0; i < keys.length; ++i) {
+ const key = keys[i];
+ if (!(key in this)) {
+ Object.defineProperty(this, key, defineRedirectDescriptor(key));
+ }
+ }
+}
+
+// Should be enumerable, but class methods are not enumerable.
+Event.prototype = {
+ /**
+ * The type of this event.
+ * @type {string}
+ */
+ get type() {
+ return pd(this).event.type
+ },
+
+ /**
+ * The target of this event.
+ * @type {EventTarget}
+ */
+ get target() {
+ return pd(this).eventTarget
+ },
+
+ /**
+ * The target of this event.
+ * @type {EventTarget}
+ */
+ get currentTarget() {
+ return pd(this).currentTarget
+ },
+
+ /**
+ * @returns {EventTarget[]} The composed path of this event.
+ */
+ composedPath() {
+ const currentTarget = pd(this).currentTarget;
+ if (currentTarget == null) {
+ return []
+ }
+ return [currentTarget]
+ },
+
+ /**
+ * Constant of NONE.
+ * @type {number}
+ */
+ get NONE() {
+ return 0
+ },
+
+ /**
+ * Constant of CAPTURING_PHASE.
+ * @type {number}
+ */
+ get CAPTURING_PHASE() {
+ return 1
+ },
+
+ /**
+ * Constant of AT_TARGET.
+ * @type {number}
+ */
+ get AT_TARGET() {
+ return 2
+ },
+
+ /**
+ * Constant of BUBBLING_PHASE.
+ * @type {number}
+ */
+ get BUBBLING_PHASE() {
+ return 3
+ },
+
+ /**
+ * The target of this event.
+ * @type {number}
+ */
+ get eventPhase() {
+ return pd(this).eventPhase
+ },
+
+ /**
+ * Stop event bubbling.
+ * @returns {void}
+ */
+ stopPropagation() {
+ const data = pd(this);
+
+ data.stopped = true;
+ if (typeof data.event.stopPropagation === "function") {
+ data.event.stopPropagation();
+ }
+ },
+
+ /**
+ * Stop event bubbling.
+ * @returns {void}
+ */
+ stopImmediatePropagation() {
+ const data = pd(this);
+
+ data.stopped = true;
+ data.immediateStopped = true;
+ if (typeof data.event.stopImmediatePropagation === "function") {
+ data.event.stopImmediatePropagation();
+ }
+ },
+
+ /**
+ * The flag to be bubbling.
+ * @type {boolean}
+ */
+ get bubbles() {
+ return Boolean(pd(this).event.bubbles)
+ },
+
+ /**
+ * The flag to be cancelable.
+ * @type {boolean}
+ */
+ get cancelable() {
+ return Boolean(pd(this).event.cancelable)
+ },
+
+ /**
+ * Cancel this event.
+ * @returns {void}
+ */
+ preventDefault() {
+ setCancelFlag(pd(this));
+ },
+
+ /**
+ * The flag to indicate cancellation state.
+ * @type {boolean}
+ */
+ get defaultPrevented() {
+ return pd(this).canceled
+ },
+
+ /**
+ * The flag to be composed.
+ * @type {boolean}
+ */
+ get composed() {
+ return Boolean(pd(this).event.composed)
+ },
+
+ /**
+ * The unix time of this event.
+ * @type {number}
+ */
+ get timeStamp() {
+ return pd(this).timeStamp
+ },
+
+ /**
+ * The target of this event.
+ * @type {EventTarget}
+ * @deprecated
+ */
+ get srcElement() {
+ return pd(this).eventTarget
+ },
+
+ /**
+ * The flag to stop event bubbling.
+ * @type {boolean}
+ * @deprecated
+ */
+ get cancelBubble() {
+ return pd(this).stopped
+ },
+ set cancelBubble(value) {
+ if (!value) {
+ return
+ }
+ const data = pd(this);
+
+ data.stopped = true;
+ if (typeof data.event.cancelBubble === "boolean") {
+ data.event.cancelBubble = true;
+ }
+ },
+
+ /**
+ * The flag to indicate cancellation state.
+ * @type {boolean}
+ * @deprecated
+ */
+ get returnValue() {
+ return !pd(this).canceled
+ },
+ set returnValue(value) {
+ if (!value) {
+ setCancelFlag(pd(this));
+ }
+ },
+
+ /**
+ * Initialize this event object. But do nothing under event dispatching.
+ * @param {string} type The event type.
+ * @param {boolean} [bubbles=false] The flag to be possible to bubble up.
+ * @param {boolean} [cancelable=false] The flag to be possible to cancel.
+ * @deprecated
+ */
+ initEvent() {
+ // Do nothing.
+ },
+};
+
+// `constructor` is not enumerable.
+Object.defineProperty(Event.prototype, "constructor", {
+ value: Event,
+ configurable: true,
+ writable: true,
+});
+
+// Ensure `event instanceof window.Event` is `true`.
+if (typeof window !== "undefined" && typeof window.Event !== "undefined") {
+ Object.setPrototypeOf(Event.prototype, window.Event.prototype);
+
+ // Make association for wrappers.
+ wrappers.set(window.Event.prototype, Event);
+}
+
+/**
+ * Get the property descriptor to redirect a given property.
+ * @param {string} key Property name to define property descriptor.
+ * @returns {PropertyDescriptor} The property descriptor to redirect the property.
+ * @private
+ */
+function defineRedirectDescriptor(key) {
+ return {
+ get() {
+ return pd(this).event[key]
+ },
+ set(value) {
+ pd(this).event[key] = value;
+ },
+ configurable: true,
+ enumerable: true,
+ }
+}
+
+/**
+ * Get the property descriptor to call a given method property.
+ * @param {string} key Property name to define property descriptor.
+ * @returns {PropertyDescriptor} The property descriptor to call the method property.
+ * @private
+ */
+function defineCallDescriptor(key) {
+ return {
+ value() {
+ const event = pd(this).event;
+ return event[key].apply(event, arguments)
+ },
+ configurable: true,
+ enumerable: true,
+ }
+}
+
+/**
+ * Define new wrapper class.
+ * @param {Function} BaseEvent The base wrapper class.
+ * @param {Object} proto The prototype of the original event.
+ * @returns {Function} The defined wrapper class.
+ * @private
+ */
+function defineWrapper(BaseEvent, proto) {
+ const keys = Object.keys(proto);
+ if (keys.length === 0) {
+ return BaseEvent
+ }
+
+ /** CustomEvent */
+ function CustomEvent(eventTarget, event) {
+ BaseEvent.call(this, eventTarget, event);
+ }
+
+ CustomEvent.prototype = Object.create(BaseEvent.prototype, {
+ constructor: { value: CustomEvent, configurable: true, writable: true },
+ });
+
+ // Define accessors.
+ for (let i = 0; i < keys.length; ++i) {
+ const key = keys[i];
+ if (!(key in BaseEvent.prototype)) {
+ const descriptor = Object.getOwnPropertyDescriptor(proto, key);
+ const isFunc = typeof descriptor.value === "function";
+ Object.defineProperty(
+ CustomEvent.prototype,
+ key,
+ isFunc
+ ? defineCallDescriptor(key)
+ : defineRedirectDescriptor(key)
+ );
+ }
+ }
+
+ return CustomEvent
+}
+
+/**
+ * Get the wrapper class of a given prototype.
+ * @param {Object} proto The prototype of the original event to get its wrapper.
+ * @returns {Function} The wrapper class.
+ * @private
+ */
+function getWrapper(proto) {
+ if (proto == null || proto === Object.prototype) {
+ return Event
+ }
+
+ let wrapper = wrappers.get(proto);
+ if (wrapper == null) {
+ wrapper = defineWrapper(getWrapper(Object.getPrototypeOf(proto)), proto);
+ wrappers.set(proto, wrapper);
+ }
+ return wrapper
+}
+
+/**
+ * Wrap a given event to management a dispatching.
+ * @param {EventTarget} eventTarget The event target of this dispatching.
+ * @param {Object} event The event to wrap.
+ * @returns {Event} The wrapper instance.
+ * @private
+ */
+function wrapEvent(eventTarget, event) {
+ const Wrapper = getWrapper(Object.getPrototypeOf(event));
+ return new Wrapper(eventTarget, event)
+}
+
+/**
+ * Get the immediateStopped flag of a given event.
+ * @param {Event} event The event to get.
+ * @returns {boolean} The flag to stop propagation immediately.
+ * @private
+ */
+function isStopped(event) {
+ return pd(event).immediateStopped
+}
+
+/**
+ * Set the current event phase of a given event.
+ * @param {Event} event The event to set current target.
+ * @param {number} eventPhase New event phase.
+ * @returns {void}
+ * @private
+ */
+function setEventPhase(event, eventPhase) {
+ pd(event).eventPhase = eventPhase;
+}
+
+/**
+ * Set the current target of a given event.
+ * @param {Event} event The event to set current target.
+ * @param {EventTarget|null} currentTarget New current target.
+ * @returns {void}
+ * @private
+ */
+function setCurrentTarget(event, currentTarget) {
+ pd(event).currentTarget = currentTarget;
+}
+
+/**
+ * Set a passive listener of a given event.
+ * @param {Event} event The event to set current target.
+ * @param {Function|null} passiveListener New passive listener.
+ * @returns {void}
+ * @private
+ */
+function setPassiveListener(event, passiveListener) {
+ pd(event).passiveListener = passiveListener;
+}
+
+/**
+ * @typedef {object} ListenerNode
+ * @property {Function} listener
+ * @property {1|2|3} listenerType
+ * @property {boolean} passive
+ * @property {boolean} once
+ * @property {ListenerNode|null} next
+ * @private
+ */
+
+/**
+ * @type {WeakMap<object, Map<string, ListenerNode>>}
+ * @private
+ */
+const listenersMap = new WeakMap();
+
+// Listener types
+const CAPTURE = 1;
+const BUBBLE = 2;
+const ATTRIBUTE = 3;
+
+/**
+ * Check whether a given value is an object or not.
+ * @param {any} x The value to check.
+ * @returns {boolean} `true` if the value is an object.
+ */
+function isObject(x) {
+ return x !== null && typeof x === "object" //eslint-disable-line no-restricted-syntax
+}
+
+/**
+ * Get listeners.
+ * @param {EventTarget} eventTarget The event target to get.
+ * @returns {Map<string, ListenerNode>} The listeners.
+ * @private
+ */
+function getListeners(eventTarget) {
+ const listeners = listenersMap.get(eventTarget);
+ if (listeners == null) {
+ throw new TypeError(
+ "'this' is expected an EventTarget object, but got another value."
+ )
+ }
+ return listeners
+}
+
+/**
+ * Get the property descriptor for the event attribute of a given event.
+ * @param {string} eventName The event name to get property descriptor.
+ * @returns {PropertyDescriptor} The property descriptor.
+ * @private
+ */
+function defineEventAttributeDescriptor(eventName) {
+ return {
+ get() {
+ const listeners = getListeners(this);
+ let node = listeners.get(eventName);
+ while (node != null) {
+ if (node.listenerType === ATTRIBUTE) {
+ return node.listener
+ }
+ node = node.next;
+ }
+ return null
+ },
+
+ set(listener) {
+ if (typeof listener !== "function" && !isObject(listener)) {
+ listener = null; // eslint-disable-line no-param-reassign
+ }
+ const listeners = getListeners(this);
+
+ // Traverse to the tail while removing old value.
+ let prev = null;
+ let node = listeners.get(eventName);
+ while (node != null) {
+ if (node.listenerType === ATTRIBUTE) {
+ // Remove old value.
+ if (prev !== null) {
+ prev.next = node.next;
+ } else if (node.next !== null) {
+ listeners.set(eventName, node.next);
+ } else {
+ listeners.delete(eventName);
+ }
+ } else {
+ prev = node;
+ }
+
+ node = node.next;
+ }
+
+ // Add new value.
+ if (listener !== null) {
+ const newNode = {
+ listener,
+ listenerType: ATTRIBUTE,
+ passive: false,
+ once: false,
+ next: null,
+ };
+ if (prev === null) {
+ listeners.set(eventName, newNode);
+ } else {
+ prev.next = newNode;
+ }
+ }
+ },
+ configurable: true,
+ enumerable: true,
+ }
+}
+
+/**
+ * Define an event attribute (e.g. `eventTarget.onclick`).
+ * @param {Object} eventTargetPrototype The event target prototype to define an event attrbite.
+ * @param {string} eventName The event name to define.
+ * @returns {void}
+ */
+function defineEventAttribute(eventTargetPrototype, eventName) {
+ Object.defineProperty(
+ eventTargetPrototype,
+ `on${eventName}`,
+ defineEventAttributeDescriptor(eventName)
+ );
+}
+
+/**
+ * Define a custom EventTarget with event attributes.
+ * @param {string[]} eventNames Event names for event attributes.
+ * @returns {EventTarget} The custom EventTarget.
+ * @private
+ */
+function defineCustomEventTarget(eventNames) {
+ /** CustomEventTarget */
+ function CustomEventTarget() {
+ EventTarget.call(this);
+ }
+
+ CustomEventTarget.prototype = Object.create(EventTarget.prototype, {
+ constructor: {
+ value: CustomEventTarget,
+ configurable: true,
+ writable: true,
+ },
+ });
+
+ for (let i = 0; i < eventNames.length; ++i) {
+ defineEventAttribute(CustomEventTarget.prototype, eventNames[i]);
+ }
+
+ return CustomEventTarget
+}
+
+/**
+ * EventTarget.
+ *
+ * - This is constructor if no arguments.
+ * - This is a function which returns a CustomEventTarget constructor if there are arguments.
+ *
+ * For example:
+ *
+ * class A extends EventTarget {}
+ * class B extends EventTarget("message") {}
+ * class C extends EventTarget("message", "error") {}
+ * class D extends EventTarget(["message", "error"]) {}
+ */
+function EventTarget() {
+ /*eslint-disable consistent-return */
+ if (this instanceof EventTarget) {
+ listenersMap.set(this, new Map());
+ return
+ }
+ if (arguments.length === 1 && Array.isArray(arguments[0])) {
+ return defineCustomEventTarget(arguments[0])
+ }
+ if (arguments.length > 0) {
+ const types = new Array(arguments.length);
+ for (let i = 0; i < arguments.length; ++i) {
+ types[i] = arguments[i];
+ }
+ return defineCustomEventTarget(types)
+ }
+ throw new TypeError("Cannot call a class as a function")
+ /*eslint-enable consistent-return */
+}
+
+// Should be enumerable, but class methods are not enumerable.
+EventTarget.prototype = {
+ /**
+ * Add a given listener to this event target.
+ * @param {string} eventName The event name to add.
+ * @param {Function} listener The listener to add.
+ * @param {boolean|{capture?:boolean,passive?:boolean,once?:boolean}} [options] The options for this listener.
+ * @returns {void}
+ */
+ addEventListener(eventName, listener, options) {
+ if (listener == null) {
+ return
+ }
+ if (typeof listener !== "function" && !isObject(listener)) {
+ throw new TypeError("'listener' should be a function or an object.")
+ }
+
+ const listeners = getListeners(this);
+ const optionsIsObj = isObject(options);
+ const capture = optionsIsObj
+ ? Boolean(options.capture)
+ : Boolean(options);
+ const listenerType = capture ? CAPTURE : BUBBLE;
+ const newNode = {
+ listener,
+ listenerType,
+ passive: optionsIsObj && Boolean(options.passive),
+ once: optionsIsObj && Boolean(options.once),
+ next: null,
+ };
+
+ // Set it as the first node if the first node is null.
+ let node = listeners.get(eventName);
+ if (node === undefined) {
+ listeners.set(eventName, newNode);
+ return
+ }
+
+ // Traverse to the tail while checking duplication..
+ let prev = null;
+ while (node != null) {
+ if (
+ node.listener === listener &&
+ node.listenerType === listenerType
+ ) {
+ // Should ignore duplication.
+ return
+ }
+ prev = node;
+ node = node.next;
+ }
+
+ // Add it.
+ prev.next = newNode;
+ },
+
+ /**
+ * Remove a given listener from this event target.
+ * @param {string} eventName The event name to remove.
+ * @param {Function} listener The listener to remove.
+ * @param {boolean|{capture?:boolean,passive?:boolean,once?:boolean}} [options] The options for this listener.
+ * @returns {void}
+ */
+ removeEventListener(eventName, listener, options) {
+ if (listener == null) {
+ return
+ }
+
+ const listeners = getListeners(this);
+ const capture = isObject(options)
+ ? Boolean(options.capture)
+ : Boolean(options);
+ const listenerType = capture ? CAPTURE : BUBBLE;
+
+ let prev = null;
+ let node = listeners.get(eventName);
+ while (node != null) {
+ if (
+ node.listener === listener &&
+ node.listenerType === listenerType
+ ) {
+ if (prev !== null) {
+ prev.next = node.next;
+ } else if (node.next !== null) {
+ listeners.set(eventName, node.next);
+ } else {
+ listeners.delete(eventName);
+ }
+ return
+ }
+
+ prev = node;
+ node = node.next;
+ }
+ },
+
+ /**
+ * Dispatch a given event.
+ * @param {Event|{type:string}} event The event to dispatch.
+ * @returns {boolean} `false` if canceled.
+ */
+ dispatchEvent(event) {
+ if (event == null || typeof event.type !== "string") {
+ throw new TypeError('"event.type" should be a string.')
+ }
+
+ // If listeners aren't registered, terminate.
+ const listeners = getListeners(this);
+ const eventName = event.type;
+ let node = listeners.get(eventName);
+ if (node == null) {
+ return true
+ }
+
+ // Since we cannot rewrite several properties, so wrap object.
+ const wrappedEvent = wrapEvent(this, event);
+
+ // This doesn't process capturing phase and bubbling phase.
+ // This isn't participating in a tree.
+ let prev = null;
+ while (node != null) {
+ // Remove this listener if it's once
+ if (node.once) {
+ if (prev !== null) {
+ prev.next = node.next;
+ } else if (node.next !== null) {
+ listeners.set(eventName, node.next);
+ } else {
+ listeners.delete(eventName);
+ }
+ } else {
+ prev = node;
+ }
+
+ // Call this listener
+ setPassiveListener(
+ wrappedEvent,
+ node.passive ? node.listener : null
+ );
+ if (typeof node.listener === "function") {
+ try {
+ node.listener.call(this, wrappedEvent);
+ } catch (err) {
+ if (
+ typeof console !== "undefined" &&
+ typeof console.error === "function"
+ ) {
+ console.error(err);
+ }
+ }
+ } else if (
+ node.listenerType !== ATTRIBUTE &&
+ typeof node.listener.handleEvent === "function"
+ ) {
+ node.listener.handleEvent(wrappedEvent);
+ }
+
+ // Break if `event.stopImmediatePropagation` was called.
+ if (isStopped(wrappedEvent)) {
+ break
+ }
+
+ node = node.next;
+ }
+ setPassiveListener(wrappedEvent, null);
+ setEventPhase(wrappedEvent, 0);
+ setCurrentTarget(wrappedEvent, null);
+
+ return !wrappedEvent.defaultPrevented
+ },
+};
+
+// `constructor` is not enumerable.
+Object.defineProperty(EventTarget.prototype, "constructor", {
+ value: EventTarget,
+ configurable: true,
+ writable: true,
+});
+
+// Ensure `eventTarget instanceof window.EventTarget` is `true`.
+if (
+ typeof window !== "undefined" &&
+ typeof window.EventTarget !== "undefined"
+) {
+ Object.setPrototypeOf(EventTarget.prototype, window.EventTarget.prototype);
+}
+
+/* harmony default export */ var event_target_shim = (EventTarget);
+
+
+// CONCATENATED MODULE: ./src/index.js
+/* harmony export (binding) */ __webpack_require__.d(__webpack_exports__, "PairingChannel", function() { return src_PairingChannel; });
+/* harmony export (binding) */ __webpack_require__.d(__webpack_exports__, "_internals", function() { return _internals; });
+/* concated harmony reexport base64urlToBytes */__webpack_require__.d(__webpack_exports__, "base64urlToBytes", function() { return base64urlToBytes; });
+/* concated harmony reexport bytesToBase64url */__webpack_require__.d(__webpack_exports__, "bytesToBase64url", function() { return bytesToBase64url; });
+/* concated harmony reexport bytesToHex */__webpack_require__.d(__webpack_exports__, "bytesToHex", function() { return bytesToHex; });
+/* concated harmony reexport bytesToUtf8 */__webpack_require__.d(__webpack_exports__, "bytesToUtf8", function() { return bytesToUtf8; });
+/* concated harmony reexport hexToBytes */__webpack_require__.d(__webpack_exports__, "hexToBytes", function() { return hexToBytes; });
+/* concated harmony reexport TLSCloseNotify */__webpack_require__.d(__webpack_exports__, "TLSCloseNotify", function() { return TLSCloseNotify; });
+/* concated harmony reexport TLSError */__webpack_require__.d(__webpack_exports__, "TLSError", function() { return TLSError; });
+/* concated harmony reexport utf8ToBytes */__webpack_require__.d(__webpack_exports__, "utf8ToBytes", function() { return utf8ToBytes; });
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// A wrapper that combines a WebSocket to the channelserver
+// with some client-side encryption for securing the channel.
+// We'll improve the encryption before initial release...
+
+
+
+
+
+
+
+const CLOSE_FLUSH_BUFFER_INTERVAL_MS = 200;
+const CLOSE_FLUSH_BUFFER_MAX_TRIES = 5;
+
+class src_PairingChannel extends EventTarget {
+ constructor(channelId, channelKey, socket, connection) {
+ super();
+ this._channelId = channelId;
+ this._channelKey = channelKey;
+ this._socket = socket;
+ this._connection = connection;
+ this._selfClosed = false;
+ this._peerClosed = false;
+ this._setupListeners();
+ }
+
+ /**
+ * Create a new pairing channel.
+ *
+ * @returns Promise<PairingChannel>
+ */
+ static create(channelServerURI) {
+ const wsURI = new URL('/v1/ws/', channelServerURI).href;
+ const channelKey = crypto.getRandomValues(new Uint8Array(32));
+ return this._makePairingChannel(wsURI, tlsconnection_ServerConnection, channelKey);
+ }
+
+ /**
+ * Connect to an existing pairing channel.
+ *
+ * @returns Promise<PairingChannel>
+ */
+ static connect(channelServerURI, channelId, channelKey) {
+ const wsURI = new URL(`/v1/ws/${channelId}`, channelServerURI).href;
+ return this._makePairingChannel(wsURI, tlsconnection_ClientConnection, channelKey);
+ }
+
+ static _makePairingChannel(wsUri, ConnectionClass, psk) {
+ const socket = new WebSocket(wsUri);
+ return new Promise((resolve, reject) => {
+ // eslint-disable-next-line prefer-const
+ let stopListening;
+ const onConnectionError = async () => {
+ stopListening();
+ reject(new Error('Error while creating the pairing channel'));
+ };
+ const onFirstMessage = async event => {
+ stopListening();
+ try {
+ const {channelid: channelId} = JSON.parse(event.data);
+ const pskId = utf8ToBytes(channelId);
+ const connection = await ConnectionClass.create(psk, pskId, data => {
+ // The channelserver websocket handler epxects b64urlsafe strings
+ // rather than raw bytes, because it wraps them in a JSON object envelope.
+ socket.send(bytesToBase64url(data));
+ });
+ const instance = new this(channelId, psk, socket, connection);
+ resolve(instance);
+ } catch (err) {
+ reject(err);
+ }
+ };
+ stopListening = () => {
+ socket.removeEventListener('error', onConnectionError);
+ socket.removeEventListener('message', onFirstMessage);
+ };
+ socket.addEventListener('error', onConnectionError);
+ socket.addEventListener('message', onFirstMessage);
+ });
+ }
+
+ _setupListeners() {
+ this._socket.addEventListener('message', async event => {
+ try {
+ const channelServerEnvelope = JSON.parse(event.data);
+ const payload = await this._connection.recv(base64urlToBytes(channelServerEnvelope.message));
+ if (payload !== null) {
+ const data = JSON.parse(bytesToUtf8(payload));
+ this.dispatchEvent(new CustomEvent('message', {
+ detail: {
+ data,
+ sender: channelServerEnvelope.sender,
+ },
+ }));
+ }
+ } catch (error) {
+ let event;
+ if (error instanceof TLSCloseNotify) {
+ this._peerClosed = true;
+ if (this._selfClosed) {
+ this._shutdown();
+ }
+ event = new CustomEvent('close');
+ } else {
+ event = new CustomEvent('error', {
+ detail: {
+ error,
+ }
+ });
+ }
+ this.dispatchEvent(event);
+ }
+ });
+ // Relay the WebSocket events.
+ this._socket.addEventListener('error', () => {
+ this._shutdown();
+ // The dispatched event that we receive has no useful information.
+ this.dispatchEvent(new CustomEvent('error', {
+ detail: {
+ error: new Error('WebSocket error.'),
+ },
+ }));
+ });
+ // In TLS, the peer has to explicitly send a close notification,
+ // which we dispatch above. Unexpected socket close is an error.
+ this._socket.addEventListener('close', () => {
+ this._shutdown();
+ if (! this._peerClosed) {
+ this.dispatchEvent(new CustomEvent('error', {
+ detail: {
+ error: new Error('WebSocket unexpectedly closed'),
+ }
+ }));
+ }
+ });
+ }
+
+ /**
+ * @param {Object} data
+ */
+ async send(data) {
+ const payload = utf8ToBytes(JSON.stringify(data));
+ await this._connection.send(payload);
+ }
+
+ async close() {
+ this._selfClosed = true;
+ await this._connection.close();
+ try {
+ // Ensure all queued bytes have been sent before closing the connection.
+ let tries = 0;
+ while (this._socket.bufferedAmount > 0) {
+ if (++tries > CLOSE_FLUSH_BUFFER_MAX_TRIES) {
+ throw new Error('Could not flush the outgoing buffer in time.');
+ }
+ await new Promise(res => setTimeout(res, CLOSE_FLUSH_BUFFER_INTERVAL_MS));
+ }
+ } finally {
+ // If the peer hasn't closed, we might still receive some data.
+ if (this._peerClosed) {
+ this._shutdown();
+ }
+ }
+ }
+
+ _shutdown() {
+ if (this._socket) {
+ this._socket.close();
+ this._socket = null;
+ this._connection = null;
+ }
+ }
+
+ get closed() {
+ return (! this._socket) || (this._socket.readyState === 3);
+ }
+
+ get channelId() {
+ return this._channelId;
+ }
+
+ get channelKey() {
+ return this._channelKey;
+ }
+}
+
+// Re-export helpful utilities for calling code to use.
+
+
+// For running tests using the built bundle,
+// expose a bunch of implementation details.
+
+
+
+
+
+
+
+const _internals = {
+ arrayToBytes: arrayToBytes,
+ BufferReader: utils_BufferReader,
+ BufferWriter: utils_BufferWriter,
+ bytesAreEqual: bytesAreEqual,
+ bytesToHex: bytesToHex,
+ bytesToUtf8: bytesToUtf8,
+ ClientConnection: tlsconnection_ClientConnection,
+ Connection: tlsconnection_Connection,
+ DecryptionState: recordlayer_DecryptionState,
+ EncryptedExtensions: EncryptedExtensions,
+ EncryptionState: recordlayer_EncryptionState,
+ Finished: messages_Finished,
+ HASH_LENGTH: HASH_LENGTH,
+ hexToBytes: hexToBytes,
+ hkdfExpand: hkdfExpand,
+ KeySchedule: keyschedule_KeySchedule,
+ NewSessionTicket: messages_NewSessionTicket,
+ RecordLayer: recordlayer_RecordLayer,
+ ServerConnection: tlsconnection_ServerConnection,
+ utf8ToBytes: utf8ToBytes,
+ zeros: zeros,
+};
+
+
+/***/ })
+/******/ ])["PairingChannel"]; \ No newline at end of file