// AlertLevel values from RFC 8446 section 6. Note that `TLSAlert.fromBytes`
// below only inspects this byte for close_notify; every other alert is
// reconstructed as a fatal TLSError regardless of the level the peer sent.
const ALERT_LEVEL = {
  WARNING: 1,
  FATAL: 2
};

// AlertDescription values from RFC 8446 section 6. This is a subset of the
// registry: the codes this module throws itself (DECODE_ERROR, ILLEGAL_PARAMETER,
// INTERNAL_ERROR, ...) plus the ones it needs to name when received from a peer.
const ALERT_DESCRIPTION = {
  CLOSE_NOTIFY: 0,
  UNEXPECTED_MESSAGE: 10,
  BAD_RECORD_MAC: 20,
  RECORD_OVERFLOW: 22,
  HANDSHAKE_FAILURE: 40,
  ILLEGAL_PARAMETER: 47,
  DECODE_ERROR: 50,
  DECRYPT_ERROR: 51,
  PROTOCOL_VERSION: 70,
  INTERNAL_ERROR: 80,
  MISSING_EXTENSION: 109,
  UNSUPPORTED_EXTENSION: 110,
  UNKNOWN_PSK_IDENTITY: 115,
  NO_APPLICATION_PROTOCOL: 120,
};

/**
 * Render an alert description code as "NAME (code)" for error messages.
 * Codes that are not in ALERT_DESCRIPTION render as "UNKNOWN (code)".
 * @param {number} type - an AlertDescription value.
 * @returns {string}
 */
function alertTypeToName(type) {
  const entry = Object.entries(ALERT_DESCRIPTION).find(([, code]) => code === type);
  const label = entry === undefined ? 'UNKNOWN' : entry[0];
  return `${label} (${type})`;
}

/**
 * Base class for TLS alerts (RFC 8446 section 6). Alerts are Errors so they
 * can be thrown and caught like any other failure; `description` and `level`
 * hold the two bytes of the wire encoding.
 */
class TLSAlert extends Error {
  /**
   * @param {number} description - an ALERT_DESCRIPTION value.
   * @param {number} level - an ALERT_LEVEL value.
   */
  constructor(description, level) {
    super(`TLS Alert: ${alertTypeToName(description)}`);
    this.description = description;
    this.level = level;
  }

  /**
   * Parse a two-byte alert record received from the peer.
   * @param {Uint8Array} bytes - [level, description].
   * @returns {TLSAlert} a TLSCloseNotify for close_notify, otherwise a TLSError
   *   carrying the received description.
   * @throws {TLSError} DECODE_ERROR if the record is not exactly two bytes;
   *   ILLEGAL_PARAMETER if a close_notify arrives at a non-warning level.
   */
  static fromBytes(bytes) {
    if (bytes.byteLength !== 2) {
      throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
    }
    const level = bytes[0];
    const description = bytes[1];
    if (description !== ALERT_DESCRIPTION.CLOSE_NOTIFY) {
      // Anything other than close_notify becomes a fatal TLSError, whatever
      // level byte the peer put on the wire.
      return new TLSError(description);
    }
    // close_notify is only accepted at warning level; a "fatal" close_notify
    // is rejected as malformed.
    if (level !== ALERT_LEVEL.WARNING) {
      throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
    }
    return new TLSCloseNotify();
  }

  /** @returns {Uint8Array} the two-byte wire encoding [level, description]. */
  toBytes() {
    return Uint8Array.of(this.level, this.description);
  }
}

/** The close_notify alert; always constructed at warning level. */
class TLSCloseNotify extends TLSAlert {
  constructor() {
    const { CLOSE_NOTIFY } = ALERT_DESCRIPTION;
    const { WARNING } = ALERT_LEVEL;
    super(CLOSE_NOTIFY, WARNING);
  }
}

/**
 * A fatal alert. Used both for non-close_notify alerts received from the peer
 * (see TLSAlert.fromBytes) and for errors this implementation raises itself.
 * @param {number} [description=ALERT_DESCRIPTION.INTERNAL_ERROR]
 */
class TLSError extends TLSAlert {
  constructor(description = ALERT_DESCRIPTION.INTERNAL_ERROR) {
    const level = ALERT_LEVEL.FATAL;
    super(description, level);
  }
}

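// CONCATENATED MODULE: ./src/utils.js

// Shared UTF-8 codec instances, reused by `utf8ToBytes` / `bytesToUtf8`
// instead of constructing a codec per call. (In the collapsed source the
// encoder declaration had been swallowed into the comment above, leaving
// UTF8_ENCODER undefined at runtime.)
const UTF8_ENCODER = new TextEncoder();
const UTF8_DECODER = new TextDecoder();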

/** A do-nothing function, usable as a default callback. */
function noop() {
  return undefined;
}

/**
 * Throw unless `cond` is truthy.
 * @param {*} cond - the value to check.
 * @param {string} msg - appended to the error message on failure.
 * @throws {Error} with message 'assert failed: <msg>' when `cond` is falsy.
 */
function assert(cond, msg) {
  if (cond) {
    return;
  }
  throw new Error('assert failed: ' + msg);
}

/**
 * Check that `value` is a one-byte-per-element typed-array view and return it.
 * @param {*} value - the candidate byte array.
 * @param {string} [msg] - assertion message on failure.
 * @returns {Uint8Array} `value`, unchanged.
 * @throws {Error} via `assert` when the check fails.
 */
function assertIsBytes(value, msg = 'value must be a Uint8Array') {
  // Using `value instanceof Uint8Array` seems to fail in Firefox chrome code
  // for inscrutable reasons, so we do a less direct check. Note this also
  // admits other 1-byte views (Int8Array, Uint8ClampedArray) but rejects
  // DataView, which has no BYTES_PER_ELEMENT.
  const isOneByteView = ArrayBuffer.isView(value) && value.BYTES_PER_ELEMENT === 1;
  assert(ArrayBuffer.isView(value), msg);
  assert(isOneByteView, msg);
  return value;
}

// A shared zero-length byte array, for callers that need "no bytes".
const EMPTY = Uint8Array.of();

/**
 * Allocate `n` zero bytes.
 * @param {number} n - number of bytes.
 * @returns {Uint8Array}
 */
function zeros(n) {
  // A fresh typed array is already zero-filled; fill(0) just makes that explicit.
  return new Uint8Array(n).fill(0);
}

/**
 * Copy an array (or array-like) of numbers into a Uint8Array; values are
 * truncated modulo 256 by the typed-array constructor.
 * @param {ArrayLike<number>} value
 * @returns {Uint8Array}
 */
function arrayToBytes(value) {
  const bytes = new Uint8Array(value);
  return bytes;
}

/**
 * Encode bytes as lowercase hex, two characters per byte.
 * @param {ArrayLike<number>} bytes
 * @returns {string}
 */
function bytesToHex(bytes) {
  return Array.prototype.map.call(bytes, (byte) => byte.toString(16).padStart(2, '0')).join('');
}

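/**
 * Decode a hex string into bytes.
 * @param {string} hexstr - an even-length string of hex digits (either case).
 * @returns {Uint8Array}
 * @throws {Error} via `assert` if the length is odd or any character is not a
 *   hex digit. The previous implementation let non-hex characters through:
 *   `parseInt('zz', 16)` is NaN, which the typed array silently stored as 0.
 */
function hexToBytes(hexstr) {
  assert(hexstr.length % 2 === 0, 'hexstr.length must be even');
  assert(/^[0-9a-fA-F]*$/.test(hexstr), 'hexstr must contain only hex digits');
  const bytes = new Uint8Array(hexstr.length / 2);
  for (let i = 0; i < bytes.length; i++) {
    bytes[i] = parseInt(hexstr.slice(i * 2, i * 2 + 2), 16);
  }
  return bytes;
}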

/**
 * Decode UTF-8 bytes into a string using the shared decoder.
 * @param {Uint8Array} bytes
 * @returns {string}
 */
function bytesToUtf8(bytes) {
  const decoder = UTF8_DECODER;
  return decoder.decode(bytes);
}

/**
 * Encode a string as UTF-8 bytes using the shared encoder.
 * @param {string} str
 * @returns {Uint8Array}
 */
function utf8ToBytes(str) {
  const encoder = UTF8_ENCODER;
  return encoder.encode(str);
}

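/**
 * Encode bytes as base64url (RFC 4648 section 5 alphabet). Padding `=` is
 * kept, matching the original behaviour.
 * @param {ArrayLike<number>} bytes
 * @returns {string}
 */
function bytesToBase64url(bytes) {
  // XXX TODO: try to use something constant-time, in case calling code
  // uses it to encode secrets?
  // Build the binary string in bounded chunks: passing the whole array as the
  // argument list of a single `String.fromCharCode.apply` call exceeds the
  // engine's argument limit for large inputs and throws a RangeError.
  const CHUNK = 0x8000;
  let binary = '';
  for (let i = 0; i < bytes.length; i += CHUNK) {
    // Array.prototype.slice works on typed arrays and plain arrays alike.
    const chunk = Array.prototype.slice.call(bytes, i, i + CHUNK);
    binary += String.fromCharCode.apply(String, chunk);
  }
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_');
}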

/**
 * Decode a base64url string (with or without `=` padding, as `atob` allows)
 * into bytes.
 * @param {string} str
 * @returns {Uint8Array}
 * @throws {DOMException} from `atob` if the input is not valid base64.
 */
function base64urlToBytes(str) {
  // XXX TODO: try to use something constant-time, in case calling code
  // uses it to decode secrets?
  const standardAlphabet = str.replace(/-/g, '+').replace(/_/g, '/');
  const binary = atob(standardAlphabet);
  // atob yields one Latin-1 character per byte, so charCodeAt is exact here.
  return Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
}

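/**
 * Compare two byte arrays for equality.
 * @param {Uint8Array} v1
 * @param {Uint8Array} v2
 * @returns {boolean} true iff same length and every byte matches.
 * @throws {Error} via `assertIsBytes` if either argument is not a byte view.
 */
function bytesAreEqual(v1, v2) {
  assertIsBytes(v1);
  assertIsBytes(v2);
  // Lengths are not secret in the formats this module handles, so an early
  // exit on a length mismatch is acceptable.
  if (v1.length !== v2.length) {
    return false;
  }
  // Always visit every byte instead of returning at the first difference, so
  // the running time does not depend on where a mismatch lies. This matters
  // if a caller uses this to check MACs, binders or other secret-derived
  // values; it is best-effort only, as JS engines give no timing guarantees.
  let diff = 0;
  for (let i = 0; i < v1.length; i++) {
    diff |= v1[i] ^ v2[i];
  }
  return diff === 0;
}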

// The `BufferReader` and `BufferWriter` classes are helpers for dealing with the
// binary struct format that's used for various TLS messages. Think of them as a
// buffer with a pointer to the "current position" and a bunch of helper methods
// to read/write structured data and advance said pointer.

/**
 * A byte buffer plus a cursor. Base class for the reader and writer below;
 * it owns the bounds check that keeps the cursor inside [0, length()].
 */
class utils_BufferWithPointer {
  /**
   * @param {Uint8Array} buf - backing bytes. The DataView is created over
   *   exactly this view's byte range, so a subarray is handled correctly.
   */
  constructor(buf) {
    this._buffer = buf;
    this._dataview = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
    this._pos = 0;
  }

  /** @returns {number} size of the backing buffer in bytes. */
  length() {
    return this._buffer.byteLength;
  }

  /** @returns {number} the current cursor position. */
  tell() {
    return this._pos;
  }

  /**
   * Move the cursor to an absolute position.
   * @param {number} pos
   * @throws {TLSError} DECODE_ERROR when pos is negative or beyond length().
   */
  seek(pos) {
    const outOfRange = pos < 0 || pos > this.length();
    if (outOfRange) {
      throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
    }
    this._pos = pos;
  }

  /**
   * Move the cursor relative to its current position (bounds-checked by seek).
   * @param {number} offset
   */
  incr(offset) {
    this.seek(this._pos + offset);
  }
}

// The `BufferReader` class helps you read structured data from a byte array.
// It offers methods for reading both primitive values, and the variable-length
// vector structures defined in https://tools.ietf.org/html/rfc8446#section-3.4.
//
// Such vectors are represented as a length followed by the concatenated
// bytes of each item, and the size of the length field is determined by
// the maximum allowed number of bytes in the vector. For example
// to read a vector that may contain up to 65535 bytes, use `readVector16`.
//
// To read a variable-length vector of between 1 and 100 uint16 values,
// defined in the RFC like this:
//
//   uint16 items<2..200>;
//
// You would do something like this:
//
//   const items = []
//   buf.readVector8(buf => {
//     items.push(buf.readUint16())
//   })
//
// The various `read*` methods will throw `DECODE_ERROR` if you attempt to read
// past the end of the buffer, or past the end of a variable-length list.
//

// Sequential reader over a Uint8Array; see the notes above for the
// variable-length vector conventions it implements.
class utils_BufferReader extends utils_BufferWithPointer {
  /** @returns {boolean} true while unread bytes remain. */
  hasMoreBytes() {
    return this.length() > this.tell();
  }

  /**
   * Consume `length` bytes.
   * @param {number} length
   * @returns {Uint8Array} a view onto the backing storage, not a copy, so the
   *   caller shares memory with this reader.
   * @throws {TLSError} DECODE_ERROR (via `incr`) when fewer bytes remain.
   */
  readBytes(length) {
    const viewStart = this._buffer.byteOffset + this.tell();
    // Advance first: the bounds check lives in `seek`, so a short buffer is
    // rejected before any view is handed out.
    this.incr(length);
    return new Uint8Array(this._buffer.buffer, viewStart, length);
  }

  // Run `cb(this)`, converting the RangeError a DataView throws for an
  // out-of-bounds access into a DECODE_ERROR alert; anything else propagates.
  _rangeErrorToAlert(cb) {
    try {
      return cb(this);
    } catch (err) {
      if (!(err instanceof RangeError)) {
        throw err;
      }
      throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
    }
  }

  // Shared body of the fixed-width readers: decode `width` bytes at the
  // current position, then advance past them.
  _readFixedWidth(width, decode) {
    return this._rangeErrorToAlert(() => {
      const value = decode(this._dataview, this._pos);
      this.incr(width);
      return value;
    });
  }

  /** @returns {number} the next byte. */
  readUint8() {
    return this._readFixedWidth(1, (view, pos) => view.getUint8(pos));
  }

  /** @returns {number} the next two bytes as a big-endian integer. */
  readUint16() {
    return this._readFixedWidth(2, (view, pos) => view.getUint16(pos));
  }

  /**
   * @returns {number} the next three bytes as a big-endian integer. DataView
   *   has no 24-bit accessor, so a 16-bit and an 8-bit read are combined.
   */
  readUint24() {
    return this._readFixedWidth(3, (view, pos) => (view.getUint16(pos) << 8) | view.getUint8(pos + 2));
  }

  /** @returns {number} the next four bytes as a big-endian integer. */
  readUint32() {
    return this._readFixedWidth(4, (view, pos) => view.getUint32(pos));
  }

  // Read `length` bytes as a nested vector and call `cb(reader, index)` once
  // per item over a reader scoped to just those bytes, until they are used up.
  _readVector(length, cb) {
    const items = new utils_BufferReader(this.readBytes(length));
    const expectedEnd = this.tell();
    for (let index = 0; items.hasMoreBytes(); index += 1) {
      const before = items.tell();
      cb(items, index);
      // A callback that consumed nothing would loop forever; treat that as a
      // malformed vector.
      if (items.tell() <= before) {
        throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
      }
    }
    // The outer cursor must sit exactly at the end of the vector's bytes.
    if (this.tell() !== expectedEnd) {
      throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
    }
  }

  // Vectors whose length prefix is 1, 2 or 3 bytes respectively; `cb` is
  // invoked per item as described for `_readVector`.
  readVector8(cb) {
    return this._readVector(this.readUint8(), cb);
  }

  readVector16(cb) {
    return this._readVector(this.readUint16(), cb);
  }

  readVector24(cb) {
    return this._readVector(this.readUint24(), cb);
  }

  // Opaque byte vectors: a length prefix followed by raw bytes, returned as a
  // view like `readBytes`.
  readVectorBytes8() {
    const length = this.readUint8();
    return this.readBytes(length);
  }

  readVectorBytes16() {
    const length = this.readUint16();
    return this.readBytes(length);
  }

  readVectorBytes24() {
    const length = this.readUint24();
    return this.readBytes(length);
  }
}

class utils_BufferWriter extends utils_BufferWithPointer {
  /**
   * @param {number} [size=1024] - initial capacity; `_maybeGrow` enlarges the
   *   buffer on demand, so this is only a starting point.
   */
  constructor(size = 1024) {
    const backing = new Uint8Array(size);
    super(backing);
  }

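  // Ensure there is room for `n` more bytes at the current position,
  // reallocating (and copying) the backing buffer when there is not.
  _maybeGrow(n) {
    const curSize = this._buffer.byteLength;
    const newPos = this._pos + n;
    const shortfall = newPos - curSize;
    if (shortfall > 0) {
      // Classic grow-by-doubling, up to 4kB max increment.
      // This formula was not arrived at by any particular science.
      // The increment is clamped to at least one byte: with a zero-length
      // buffer (`new utils_BufferWriter(0)`) `Math.min(curSize, 4096)` was 0,
      // so `shortfall / incr` was Infinity and the allocation threw a
      // RangeError instead of growing.
      const incr = Math.max(1, Math.min(curSize, 4 * 1024));
      const newbuf = new Uint8Array(curSize + Math.ceil(shortfall / incr) * incr);
      newbuf.set(this._buffer, 0);
      this._buffer = newbuf;
      // The DataView must follow the new storage or writes would go to the old buffer.
      this._dataview = new DataView(newbuf.buffer, newbuf.byteOffset, newbuf.byteLength);
    }
  }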

  /**
   * Copy out a range of the buffer.
   * @param {number} [start=0]
   * @param {number} [end=this.tell()] - a negative end counts back from the
   *   current position, as with Array.prototype.slice.
   * @returns {Uint8Array} a fresh copy (not a view) of [start, end).
   * @throws {TLSError} INTERNAL_ERROR if start is negative, or the resolved end
   *   is negative or beyond the buffer's capacity.
   */
  slice(start = 0, end = this.tell()) {
    const resolvedEnd = end < 0 ? this.tell() + end : end;
    if (start < 0 || resolvedEnd < 0 || resolvedEnd > this.length()) {
      throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
    }
    return this._buffer.slice(start, resolvedEnd);
  }

  /**
   * Return a copy of everything written so far and reset the cursor to 0, so
   * the writer can be reused. The backing buffer itself is not cleared.
   * @returns {Uint8Array}
   */
  flush() {
    const written = this.slice();
    this.seek(0);
    return written;
  }

  /**
   * Append raw bytes at the current position, growing the buffer if needed.
   * @param {Uint8Array} data
   */
  writeBytes(data) {
    const count = data.byteLength;
    this._maybeGrow(count);
    this._buffer.set(data, this._pos);
    this.incr(count);
  }

  /** Append one byte (big-endian integers throughout, as TLS requires). */
  writeUint8(n) {
    this._maybeGrow(1);
    const at = this._pos;
    this._dataview.setUint8(at, n);
    this.incr(1);
  }

  /** Append a 16-bit big-endian integer. */
  writeUint16(n) {
    this._maybeGrow(2);
    const at = this._pos;
    this._dataview.setUint16(at, n);
    this.incr(2);
  }

  /**
   * Append a 24-bit big-endian integer. DataView has no 24-bit setter, so the
   * high 16 bits and the low byte are written separately.
   */
  writeUint24(n) {
    this._maybeGrow(3);
    const at = this._pos;
    const high16 = n >> 8;
    const low8 = n & 0xFF;
    this._dataview.setUint16(at, high16);
    this._dataview.setUint8(at + 2, low8);
    this.incr(3);
  }

  /** Append a 32-bit big-endian integer. */
  writeUint32(n) {
    this._maybeGrow(4);
    const at = this._pos;
    this._dataview.setUint32(at, n);
    this.incr(4);
  }

  // These are helpers for writing the variable-length vector structure
  // defined in https://tools.ietf.org/html/rfc8446#section-3.4.
  //
  // Such vectors are represented as a length followed by the concatenated
  // bytes of each item, and the size of the length field is determined by
  // the maximum allowed size of the vector. For example to write a vector
  // that may contain up to 65535 bytes, use `writeVector16`.
  //
// To write a variable-length vector of If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ // // Low-level crypto primitives. // // This file implements the AEAD encrypt/decrypt and hashing routines // for the TLS_AES_128_GCM_SHA256 ciphersuite. // const AEAD_SIZE_INFLATION = 16; const KEY_LENGTH = 16; const IV_LENGTH = 12; const HASH_LENGTH = 32; async function prepareKey(key, mode) { return crypto.subtle.importKey('raw', key, { name: 'AES-GCM' }, false, [mode]); } async function encrypt(key, iv, plaintext, additionalData) { const ciphertext = await crypto.subtle.encrypt({ additionalData, iv, name: 'AES-GCM', tagLength: AEAD_SIZE_INFLATION * 8 }, key, plaintext); return new Uint8Array(ciphertext); } async function decrypt(key, iv, ciphertext, additionalData) { try { const plaintext = await crypto.subtle.decrypt({ additionalData, iv, name: 'AES-GCM', tagLength: AEAD_SIZE_INFLATION * 8 }, key, ciphertext); return new Uint8Array(plaintext); } catch (err) { // Yes, we really do throw 'decrypt_error' when failing to verify a HMAC, // and a 'bad_record_mac' error when failing to decrypt. throw new TLSError(ALERT_DESCRIPTION.BAD_RECORD_MAC); } } async function hash(message) { return new Uint8Array(await crypto.subtle.digest({ name: 'SHA-256' }, message)); } async function hmac(keyBytes, message) { const key = await crypto.subtle.importKey('raw', keyBytes, { hash: { name: 'SHA-256' }, name: 'HMAC', }, false, ['sign']); const sig = await crypto.subtle.sign({ name: 'HMAC' }, key, message); return new Uint8Array(sig); } async function verifyHmac(keyBytes, signature, message) { const key = await crypto.subtle.importKey('raw', keyBytes, { hash: { name: 'SHA-256' }, name: 'HMAC', }, false, ['verify']); if (! await crypto.subtle.verify({ name: 'HMAC' }, key, signature, message)) { // Yes, we really do throw 'decrypt_error' when failing to verify a HMAC, // and a 'bad_record_mac' error when failing to decrypt. 
throw new TLSError(ALERT_DESCRIPTION.DECRYPT_ERROR); } } async function hkdfExtract(salt, ikm) { // Ref https://tools.ietf.org/html/rfc5869#section-2.2 return await hmac(salt, ikm); } async function hkdfExpand(prk, info, length) { // Ref https://tools.ietf.org/html/rfc5869#section-2.3 const N = Math.ceil(length / HASH_LENGTH); if (N <= 0) { throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR); } if (N >= 255) { throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR); } const input = new utils_BufferWriter(); const output = new utils_BufferWriter(); let T = new Uint8Array(0); for (let i = 1; i <= N; i++) { input.writeBytes(T); input.writeBytes(info); input.writeUint8(i); T = await hmac(prk, input.flush()); output.writeBytes(T); } return output.slice(0, length); } async function hkdfExpandLabel(secret, label, context, length) { // struct { // uint16 length = Length; // opaque label < 7..255 > = "tls13 " + Label; // opaque context < 0..255 > = Context; // } HkdfLabel; const hkdfLabel = new utils_BufferWriter(); hkdfLabel.writeUint16(length); hkdfLabel.writeVectorBytes8(utf8ToBytes('tls13 ' + label)); hkdfLabel.writeVectorBytes8(context); return hkdfExpand(secret, hkdfLabel.flush(), length); } async function getRandomBytes(size) { const bytes = new Uint8Array(size); crypto.getRandomValues(bytes); return bytes; } // CONCATENATED MODULE: ./src/extensions.js /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ // // Extension parsing. // // This file contains some helpers for reading/writing the various kinds // of Extension that might appear in a HandshakeMessage. 
// /* eslint-disable sorting/sort-object-props */ const EXTENSION_TYPE = { PRE_SHARED_KEY: 41, SUPPORTED_VERSIONS: 43, PSK_KEY_EXCHANGE_MODES: 45, }; /* eslint-enable sorting/sort-object-props */ // Base class for generic reading/writing of extensions, // which are all uniformly formatted as: // // struct { // ExtensionType extension_type; // opaque extension_data<0..2^16-1>; // } Extension; // // Extensions always appear inside of a handshake message, // and their internal structure may differ based on the // type of that message. class extensions_Extension { get TYPE_TAG() { throw new Error('not implemented'); } static read(messageType, buf) { const type = buf.readUint16(); let ext = { TYPE_TAG: type, }; buf.readVector16(buf => { switch (type) { case EXTENSION_TYPE.PRE_SHARED_KEY: ext = extensions_PreSharedKeyExtension._read(messageType, buf); break; case EXTENSION_TYPE.SUPPORTED_VERSIONS: ext = extensions_SupportedVersionsExtension._read(messageType, buf); break; case EXTENSION_TYPE.PSK_KEY_EXCHANGE_MODES: ext = extensions_PskKeyExchangeModesExtension._read(messageType, buf); break; default: // Skip over unrecognised extensions. 
buf.incr(buf.length()); } if (buf.hasMoreBytes()) { throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR); } }); return ext; } write(messageType, buf) { buf.writeUint16(this.TYPE_TAG); buf.writeVector16(buf => { this._write(messageType, buf); }); } static _read(messageType, buf) { throw new Error('not implemented'); } static _write(messageType, buf) { throw new Error('not implemented'); } } // The PreSharedKey extension: // // struct { // opaque identity<1..2^16-1>; // uint32 obfuscated_ticket_age; // } PskIdentity; // opaque PskBinderEntry<32..255>; // struct { // PskIdentity identities<7..2^16-1>; // PskBinderEntry binders<33..2^16-1>; // } OfferedPsks; // struct { // select(Handshake.msg_type) { // case client_hello: OfferedPsks; // case server_hello: uint16 selected_identity; // }; // } PreSharedKeyExtension; class extensions_PreSharedKeyExtension extends extensions_Extension { constructor(identities, binders, selectedIdentity) { super(); this.identities = identities; this.binders = binders; this.selectedIdentity = selectedIdentity; } get TYPE_TAG() { return EXTENSION_TYPE.PRE_SHARED_KEY; } static _read(messageType, buf) { let identities = null, binders = null, selectedIdentity = null; switch (messageType) { case HANDSHAKE_TYPE.CLIENT_HELLO: identities = []; binders = []; buf.readVector16(buf => { const identity = buf.readVectorBytes16(); buf.readBytes(4); // Skip over the ticket age. 
identities.push(identity); }); buf.readVector16(buf => { const binder = buf.readVectorBytes8(); if (binder.byteLength < HASH_LENGTH) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } binders.push(binder); }); if (identities.length !== binders.length) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } break; case HANDSHAKE_TYPE.SERVER_HELLO: selectedIdentity = buf.readUint16(); break; default: throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } return new this(identities, binders, selectedIdentity); } _write(messageType, buf) { switch (messageType) { case HANDSHAKE_TYPE.CLIENT_HELLO: buf.writeVector16(buf => { this.identities.forEach(pskId => { buf.writeVectorBytes16(pskId); buf.writeUint32(0); // Zero for "tag age" field. }); }); buf.writeVector16(buf => { this.binders.forEach(pskBinder => { buf.writeVectorBytes8(pskBinder); }); }); break; case HANDSHAKE_TYPE.SERVER_HELLO: buf.writeUint16(this.selectedIdentity); break; default: throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR); } } } // The SupportedVersions extension: // // struct { // select(Handshake.msg_type) { // case client_hello: // ProtocolVersion versions < 2..254 >; // case server_hello: // ProtocolVersion selected_version; // }; // } SupportedVersions; class extensions_SupportedVersionsExtension extends extensions_Extension { constructor(versions, selectedVersion) { super(); this.versions = versions; this.selectedVersion = selectedVersion; } get TYPE_TAG() { return EXTENSION_TYPE.SUPPORTED_VERSIONS; } static _read(messageType, buf) { let versions = null, selectedVersion = null; switch (messageType) { case HANDSHAKE_TYPE.CLIENT_HELLO: versions = []; buf.readVector8(buf => { versions.push(buf.readUint16()); }); break; case HANDSHAKE_TYPE.SERVER_HELLO: selectedVersion = buf.readUint16(); break; default: throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } return new this(versions, selectedVersion); } _write(messageType, buf) { switch (messageType) { case 
HANDSHAKE_TYPE.CLIENT_HELLO: buf.writeVector8(buf => { this.versions.forEach(version => { buf.writeUint16(version); }); }); break; case HANDSHAKE_TYPE.SERVER_HELLO: buf.writeUint16(this.selectedVersion); break; default: throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR); } } } class extensions_PskKeyExchangeModesExtension extends extensions_Extension { constructor(modes) { super(); this.modes = modes; } get TYPE_TAG() { return EXTENSION_TYPE.PSK_KEY_EXCHANGE_MODES; } static _read(messageType, buf) { const modes = []; switch (messageType) { case HANDSHAKE_TYPE.CLIENT_HELLO: buf.readVector8(buf => { modes.push(buf.readUint8()); }); break; default: throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } return new this(modes); } _write(messageType, buf) { switch (messageType) { case HANDSHAKE_TYPE.CLIENT_HELLO: buf.writeVector8(buf => { this.modes.forEach(mode => { buf.writeUint8(mode); }); }); break; default: throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR); } } } // CONCATENATED MODULE: ./src/constants.js /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ const VERSION_TLS_1_0 = 0x0301; const VERSION_TLS_1_2 = 0x0303; const VERSION_TLS_1_3 = 0x0304; const TLS_AES_128_GCM_SHA256 = 0x1301; const PSK_MODE_KE = 0; // CONCATENATED MODULE: ./src/messages.js /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ // // Message parsing. // // Herein we need code for reading and writing the various Handshake // messages involved in the protocol. 
// /* eslint-disable sorting/sort-object-props */ const HANDSHAKE_TYPE = { CLIENT_HELLO: 1, SERVER_HELLO: 2, NEW_SESSION_TICKET: 4, ENCRYPTED_EXTENSIONS: 8, FINISHED: 20, }; /* eslint-enable sorting/sort-object-props */ // Base class for generic reading/writing of handshake messages, // which are all uniformly formatted as: // // struct { // HandshakeType msg_type; /* handshake type */ // uint24 length; /* bytes in message */ // select(Handshake.msg_type) { // ... type specific cases here ... // }; // } Handshake; class messages_HandshakeMessage { get TYPE_TAG() { throw new Error('not implemented'); } static fromBytes(bytes) { // Each handshake message has a type and length prefix, per // https://tools.ietf.org/html/rfc8446#appendix-B.3 const buf = new utils_BufferReader(bytes); const msg = this.read(buf); if (buf.hasMoreBytes()) { throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR); } return msg; } toBytes() { const buf = new utils_BufferWriter(); this.write(buf); return buf.flush(); } static read(buf) { const type = buf.readUint8(); let msg = null; buf.readVector24(buf => { switch (type) { case HANDSHAKE_TYPE.CLIENT_HELLO: msg = messages_ClientHello._read(buf); break; case HANDSHAKE_TYPE.SERVER_HELLO: msg = messages_ServerHello._read(buf); break; case HANDSHAKE_TYPE.NEW_SESSION_TICKET: msg = messages_NewSessionTicket._read(buf); break; case HANDSHAKE_TYPE.ENCRYPTED_EXTENSIONS: msg = EncryptedExtensions._read(buf); break; case HANDSHAKE_TYPE.FINISHED: msg = messages_Finished._read(buf); break; } if (buf.hasMoreBytes()) { throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR); } }); if (msg === null) { throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE); } return msg; } write(buf) { buf.writeUint8(this.TYPE_TAG); buf.writeVector24(buf => { this._write(buf); }); } static _read(buf) { throw new Error('not implemented'); } _write(buf) { throw new Error('not implemented'); } // Some little helpers for reading a list of extensions, // which is uniformly represented as: 
// // Extension extensions<8..2^16-1>; // // Recognized extensions are returned as a Map from extension type // to extension data object, with a special `lastSeenExtension` // property to make it easy to check which one came last. static _readExtensions(messageType, buf) { const extensions = new Map(); buf.readVector16(buf => { const ext = extensions_Extension.read(messageType, buf); if (extensions.has(ext.TYPE_TAG)) { throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR); } extensions.set(ext.TYPE_TAG, ext); extensions.lastSeenExtension = ext.TYPE_TAG; }); return extensions; } _writeExtensions(buf, extensions) { buf.writeVector16(buf => { extensions.forEach(ext => { ext.write(this.TYPE_TAG, buf); }); }); } } // The ClientHello message: // // struct { // ProtocolVersion legacy_version = 0x0303; // Random random; // opaque legacy_session_id<0..32>; // CipherSuite cipher_suites<2..2^16-2>; // opaque legacy_compression_methods<1..2^8-1>; // Extension extensions<8..2^16-1>; // } ClientHello; class messages_ClientHello extends messages_HandshakeMessage { constructor(random, sessionId, extensions) { super(); this.random = random; this.sessionId = sessionId; this.extensions = extensions; } get TYPE_TAG() { return HANDSHAKE_TYPE.CLIENT_HELLO; } static _read(buf) { // The legacy_version field may indicate an earlier version of TLS // for backwards compatibility, but must not predate TLS 1.0! if (buf.readUint16() < VERSION_TLS_1_0) { throw new TLSError(ALERT_DESCRIPTION.PROTOCOL_VERSION); } // The random bytes provided by the peer. const random = buf.readBytes(32); // Read legacy_session_id, so the server can echo it. const sessionId = buf.readVectorBytes8(); // We only support a single ciphersuite, but the peer may offer several. // Scan the list to confirm that the one we want is present. let found = false; buf.readVector16(buf => { const cipherSuite = buf.readUint16(); if (cipherSuite === TLS_AES_128_GCM_SHA256) { found = true; } }); if (! 
found) { throw new TLSError(ALERT_DESCRIPTION.HANDSHAKE_FAILURE); } // legacy_compression_methods must be a single zero byte for TLS1.3 ClientHellos. // It can be non-zero in previous versions of TLS, but we're not going to // make a successful handshake with such versions, so better to just bail out now. const legacyCompressionMethods = buf.readVectorBytes8(); if (legacyCompressionMethods.byteLength !== 1) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } if (legacyCompressionMethods[0] !== 0x00) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } // Read and check the extensions. const extensions = this._readExtensions(HANDSHAKE_TYPE.CLIENT_HELLO, buf); if (! extensions.has(EXTENSION_TYPE.SUPPORTED_VERSIONS)) { throw new TLSError(ALERT_DESCRIPTION.MISSING_EXTENSION); } if (extensions.get(EXTENSION_TYPE.SUPPORTED_VERSIONS).versions.indexOf(VERSION_TLS_1_3) === -1) { throw new TLSError(ALERT_DESCRIPTION.PROTOCOL_VERSION); } // Was the PreSharedKey extension the last one? 
if (extensions.has(EXTENSION_TYPE.PRE_SHARED_KEY)) { if (extensions.lastSeenExtension !== EXTENSION_TYPE.PRE_SHARED_KEY) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } } return new this(random, sessionId, extensions); } _write(buf) { buf.writeUint16(VERSION_TLS_1_2); buf.writeBytes(this.random); buf.writeVectorBytes8(this.sessionId); // Our single supported ciphersuite buf.writeVector16(buf => { buf.writeUint16(TLS_AES_128_GCM_SHA256); }); // A single zero byte for legacy_compression_methods buf.writeVectorBytes8(new Uint8Array(1)); this._writeExtensions(buf, this.extensions); } } // The ServerHello message: // // struct { // ProtocolVersion legacy_version = 0x0303; /* TLS v1.2 */ // Random random; // opaque legacy_session_id_echo<0..32>; // CipherSuite cipher_suite; // uint8 legacy_compression_method = 0; // Extension extensions < 6..2 ^ 16 - 1 >; // } ServerHello; class messages_ServerHello extends messages_HandshakeMessage { constructor(random, sessionId, extensions) { super(); this.random = random; this.sessionId = sessionId; this.extensions = extensions; } get TYPE_TAG() { return HANDSHAKE_TYPE.SERVER_HELLO; } static _read(buf) { // Fixed value for legacy_version. if (buf.readUint16() !== VERSION_TLS_1_2) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } // Random bytes from the server. const random = buf.readBytes(32); // It should have echoed our vector for legacy_session_id. const sessionId = buf.readVectorBytes8(); // It should have selected our single offered ciphersuite. if (buf.readUint16() !== TLS_AES_128_GCM_SHA256) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } // legacy_compression_method must be zero. if (buf.readUint8() !== 0) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } const extensions = this._readExtensions(HANDSHAKE_TYPE.SERVER_HELLO, buf); if (! 
extensions.has(EXTENSION_TYPE.SUPPORTED_VERSIONS)) { throw new TLSError(ALERT_DESCRIPTION.MISSING_EXTENSION); } if (extensions.get(EXTENSION_TYPE.SUPPORTED_VERSIONS).selectedVersion !== VERSION_TLS_1_3) { throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER); } return new this(random, sessionId, extensions); } _write(buf) { buf.writeUint16(VERSION_TLS_1_2); buf.writeBytes(this.random); buf.writeVectorBytes8(this.sessionId); // Our single supported ciphersuite buf.writeUint16(TLS_AES_128_GCM_SHA256); // A single zero byte for legacy_compression_method buf.writeUint8(0); this._writeExtensions(buf, this.extensions); } } // The EncryptedExtensions message: // // struct { // Extension extensions < 0..2 ^ 16 - 1 >; // } EncryptedExtensions; // // We don't actually send any EncryptedExtensions, // but still have to send an empty message. class EncryptedExtensions extends messages_HandshakeMessage { constructor(extensions) { super(); this.extensions = extensions; } get TYPE_TAG() { return HANDSHAKE_TYPE.ENCRYPTED_EXTENSIONS; } static _read(buf) { const extensions = this._readExtensions(HANDSHAKE_TYPE.ENCRYPTED_EXTENSIONS, buf); return new this(extensions); } _write(buf) { this._writeExtensions(buf, this.extensions); } } // The Finished message: // // struct { // opaque verify_data[Hash.length]; // } Finished; class messages_Finished extends messages_HandshakeMessage { constructor(verifyData) { super(); this.verifyData = verifyData; } get TYPE_TAG() { return HANDSHAKE_TYPE.FINISHED; } static _read(buf) { const verifyData = buf.readBytes(HASH_LENGTH); return new this(verifyData); } _write(buf) { buf.writeBytes(this.verifyData); } } // The NewSessionTicket message: // // struct { // uint32 ticket_lifetime; // uint32 ticket_age_add; // opaque ticket_nonce < 0..255 >; // opaque ticket < 1..2 ^ 16 - 1 >; // Extension extensions < 0..2 ^ 16 - 2 >; // } NewSessionTicket; // // We don't actually make use of these, but we need to be able // to accept them and do basic validation. 
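class messages_NewSessionTicket extends messages_HandshakeMessage {
  // Post-handshake NewSessionTicket (RFC 8446 section 4.6.1).
  //
  // This library never resumes sessions, so a received ticket is parsed,
  // structurally validated and then dropped by the state machine. No visible
  // code path in this file sends one; `_write` exists for symmetry with the
  // other handshake messages.
  constructor(ticketLifetime, ticketAgeAdd, ticketNonce, ticket, extensions) {
    super();
    this.ticketLifetime = ticketLifetime;
    this.ticketAgeAdd = ticketAgeAdd;
    this.ticketNonce = ticketNonce;
    this.ticket = ticket;
    this.extensions = extensions;
  }

  get TYPE_TAG() {
    return HANDSHAKE_TYPE.NEW_SESSION_TICKET;
  }

  // Parse the message body from `buf`.
  //
  // Vector bounds are enforced by the reader helpers; the one extra structural
  // check is that `ticket` is non-empty, because its wire type is
  // `opaque ticket<1..2^16-1>`. Throws a fatal `decode_error` otherwise.
  static _read(buf) {
    const ticketLifetime = buf.readUint32();
    const ticketAgeAdd = buf.readUint32();
    const ticketNonce = buf.readVectorBytes8();
    const ticket = buf.readVectorBytes16();
    if (ticket.byteLength < 1) {
      throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
    }
    const extensions = this._readExtensions(HANDSHAKE_TYPE.NEW_SESSION_TICKET, buf);
    return new this(ticketLifetime, ticketAgeAdd, ticketNonce, ticket, extensions);
  }

  // Serialize the message body into `buf`, mirroring `_read`.
  _write(buf) {
    buf.writeUint32(this.ticketLifetime);
    buf.writeUint32(this.ticketAgeAdd);
    buf.writeVectorBytes8(this.ticketNonce);
    buf.writeVectorBytes16(this.ticket);
    this._writeExtensions(buf, this.extensions);
  }
}

// CONCATENATED MODULE: ./src/states.js
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
//
// State-machine for TLS Handshake Management.
//
// Internally, we manage the TLS connection by explicitly modelling the
// client and server state-machines from RFC8446. You can think of
// these `State` objects as little plugins for the `Connection` class
// that provide different behaviours of `send` and `receive` depending
// on the state of the connection.
//

// Base class for all connection states.
//
// Every method here is the "safe default": anything not explicitly permitted
// by a concrete state is rejected with a fatal alert, which the `Connection`
// turns into a transition to `ERROR`. Subclasses override only the handlers
// that are legitimate in their phase of the handshake.
class states_State {
  constructor(conn) {
    this.conn = conn;
  }

  // Called by `Connection._transition` with the arguments passed to it.
  // By default there is nothing to do when entering the state.
  async initialize() {
  }

  // Application data may only be sent once connected. Reaching this before
  // then is a caller bug (they should await the `connected` promise), so it
  // is reported as an internal error rather than a protocol error.
  async sendApplicationData(bytes) {
    throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
  }

  async recvApplicationData(bytes) {
    throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
  }

  async recvHandshakeMessage(msg) {
    throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
  }

  // Handle an alert sent by the peer.
  //
  // `close_notify` closes the receive side cleanly and is surfaced to the
  // caller as a `TLSCloseNotify` exception. Any other alert is an error
  // reported by the peer (`TLSAlert.fromBytes` already treats every
  // non-close_notify alert as fatal, regardless of its level byte).
  async recvAlertMessage(alert) {
    switch (alert.description) {
      case ALERT_DESCRIPTION.CLOSE_NOTIFY:
        this.conn._closeForRecv(alert);
        throw alert;
      default:
        // The peer has told us the connection is dead. RFC 8446 section 6.2
        // says that after receiving an error alert we MUST NOT send anything
        // further, so we deliberately do not route through
        // `handleErrorAndRethrow` (which would echo the peer's own alert back
        // at it). Tear the connection down and surface the alert as-is.
        await this.conn._transition(ERROR, alert);
        throw alert;
    }
  }

  async recvChangeCipherSpec(bytes) {
    throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
  }

  // Report a locally-detected error to the peer, move to `ERROR`, and rethrow.
  //
  // `err` is sent to the peer only if it is a `TLSAlert`; anything else (a
  // programming error, a crypto failure, ...) is masked as a generic
  // `internal_error` so we don't leak details about what went wrong. Sending
  // is best-effort: the outgoing side may already be closed. The original
  // `err`, not the masked alert, is what the caller sees.
  async handleErrorAndRethrow(err) {
    let alert = err;
    if (! (alert instanceof TLSAlert)) {
      alert = new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
    }
    // Try to send error alert to the peer, but we may not
    // be able to if the outgoing connection was already closed.
    try {
      await this.conn._sendAlertMessage(alert);
    } catch (_) {
    }
    await this.conn._transition(ERROR, err);
    throw err;
  }

  // Cleanly close the sending side by emitting a `close_notify`.
  // The receive side stays open until the peer sends its own close_notify.
  async close() {
    const alert = new TLSCloseNotify();
    await this.conn._sendAlertMessage(alert);
    this.conn._closeForSend(alert);
  }
}

// A special "guard" state to prevent us from using
// an improperly-initialized Connection.
//
// These throw plain `Error`s rather than TLS alerts on purpose: there is no
// peer to alert yet, and hitting this state is a local programming error.
class UNINITIALIZED extends states_State {
  async initialize() {
    throw new Error('uninitialized state');
  }

  async sendApplicationData(bytes) {
    throw new Error('uninitialized state');
  }

  async recvApplicationData(bytes) {
    throw new Error('uninitialized state');
  }

  async recvHandshakeMessage(msg) {
    throw new Error('uninitialized state');
  }

  async recvChangeCipherSpec(bytes) {
    throw new Error('uninitialized state');
  }

  async handleErrorAndRethrow(err) {
    throw err;
  }

  async close() {
    throw new Error('uninitialized state');
  }
}

// A special "error" state for when something goes wrong.
// This state never transitions to another state, effectively
// terminating the connection.
//
// Every subsequent operation, in either direction, rethrows the original
// error so callers cannot accidentally keep using a broken connection.
class ERROR extends states_State {
  // `err` is the error that terminated the connection. It is stored, used to
  // reject the `connected` promise (a no-op if it already settled), and pushed
  // down into the record layer so even raw sends/receives fail.
  async initialize(err) {
    this.error = err;
    this.conn._setConnectionFailure(err);
    // Unceremoniously shut down the record layer on error.
    this.conn._recordlayer.setSendError(err);
    this.conn._recordlayer.setRecvError(err);
  }

  async sendApplicationData(bytes) {
    throw this.error;
  }

  async recvApplicationData(bytes) {
    throw this.error;
  }

  async recvHandshakeMessage(msg) {
    throw this.error;
  }

  async recvAlertMessage(err) {
    throw this.error;
  }

  async recvChangeCipherSpec(bytes) {
    throw this.error;
  }

  // We are already in the error state, so there is nothing more to send or
  // transition to; just propagate whatever the caller hit.
  async handleErrorAndRethrow(err) {
    throw err;
  }

  async close() {
    throw this.error;
  }
}

// The "connected" state, for when the handshake is complete
// and we're ready to send application-level data.
// The logic for this is largely symmetric between client and server.
class states_CONNECTED extends states_State {
  async initialize() {
    this.conn._setConnectionSuccess();
  }

  async sendApplicationData(bytes) {
    await this.conn._sendApplicationData(bytes);
  }

  // Decrypted application data is handed straight back to the caller.
  async recvApplicationData(bytes) {
    return bytes;
  }

  // The middlebox-compatibility change_cipher_spec is only tolerated during
  // the handshake; once connected it is a protocol violation.
  async recvChangeCipherSpec(bytes) {
    throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
  }
}

// A base class for states that occur in the middle of the handshake
// (that is, between ClientHello and Finished). These states may receive
// CHANGE_CIPHER_SPEC records for b/w compat reasons, which must contain
// exactly a single 0x01 byte and must otherwise be ignored.
class states_MidHandshakeState extends states_State {
  // Accept (and otherwise ignore) one dummy change_cipher_spec record, per
  // RFC 8446 appendix D.4. Any content other than the single byte 0x01 is
  // rejected with `unexpected_message` as the RFC requires; accepting at most
  // one per connection is a local policy stricter than the RFC, tracked via
  // `conn._hasSeenChangeCipherSpec`.
  async recvChangeCipherSpec(bytes) {
    if (this.conn._hasSeenChangeCipherSpec) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    if (bytes.byteLength !== 1 || bytes[0] !== 1) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    this.conn._hasSeenChangeCipherSpec = true;
  }
}

// These states implement (part of) the client state-machine from
// https://tools.ietf.org/html/rfc8446#appendix-A.1
//
// Since we're only implementing a small subset of TLS1.3,
// we only need a small subset of the handshake.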
// It basically goes:
//
//   * send ClientHello
//   * receive ServerHello
//   * receive EncryptedExtensions
//   * receive server Finished
//   * send client Finished
//
// We include some unused states for completeness, so that it's easier
// to check the implementation against the diagrams in the RFC.

// Client entry state: builds and sends the ClientHello.
//
// The PSK binder (RFC 8446 section 4.2.11.2) is a MAC over the ClientHello
// *up to but not including* the binders list, so the message is first written
// with a zero placeholder binder, the binder is computed over the truncated
// bytes, and then the placeholder is overwritten in place.
class states_CLIENT_START extends states_State {
  async initialize() {
    const keyschedule = this.conn._keyschedule;
    // Installs the externally-provisioned PSK and derives the binder key.
    await keyschedule.addPSK(this.conn.psk);
    // Construct a ClientHello message with our single PSK.
    // We can't know the PSK binder value yet, so we initially write zeros.
    const clientHello = new messages_ClientHello(
      // Client random salt.
      await getRandomBytes(32),
      // Random legacy_session_id; we *could* send an empty string here,
      // but sending a random one makes it easier to be compatible with
      // the data emitted by tlslite-ng for test-case generation.
      // (A non-empty session id also makes the server send the
      // middlebox-compat change_cipher_spec; see states_SERVER_NEGOTIATED.)
      await getRandomBytes(32),
      [
        new extensions_SupportedVersionsExtension([VERSION_TLS_1_3]),
        new extensions_PskKeyExchangeModesExtension([PSK_MODE_KE]),
        new extensions_PreSharedKeyExtension([this.conn.pskId], [zeros(HASH_LENGTH)]),
      ],
    );
    const buf = new utils_BufferWriter();
    clientHello.write(buf);
    // Now that we know what the ClientHello looks like,
    // go back and calculate the appropriate PSK binder value.
    // We only support a single PSK, so the length of the binders field is the
    // length of the hash plus one for rendering it as a variable-length byte array,
    // plus two for rendering the variable-length list of PSK binders.
    const PSK_BINDERS_SIZE = HASH_LENGTH + 1 + 2;
    // NOTE(review): this assumes `clientHello.write` emitted the full handshake
    // message (type + 24-bit length + body), since the server hashes exactly
    // those bytes from its transcript when it verifies the binder.
    const truncatedTranscript = buf.slice(0, buf.tell() - PSK_BINDERS_SIZE);
    const pskBinder = await keyschedule.calculateFinishedMAC(keyschedule.extBinderKey, truncatedTranscript);
    // Rewind over the zero placeholder and splice in the real binder.
    buf.incr(-HASH_LENGTH);
    buf.writeBytes(pskBinder);
    await this.conn._sendHandshakeMessageBytes(buf.flush());
    // The session id is remembered so the echoed value in ServerHello can be checked.
    await this.conn._transition(states_CLIENT_WAIT_SH, clientHello.sessionId);
  }
}

// Waiting for the ServerHello.
//
// Validates the server's selection against what we offered, then switches
// both directions to the handshake traffic keys. Structural checks on the
// message itself (e.g. that supported_versions selected TLS 1.3) happen in
// `messages_ServerHello._read`.
class states_CLIENT_WAIT_SH extends states_State {
  async initialize(sessionId) {
    this._sessionId = sessionId;
  }

  async recvHandshakeMessage(msg) {
    if (! (msg instanceof messages_ServerHello)) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    // legacy_session_id_echo must match what we sent (RFC 8446 section 4.1.3).
    if (! bytesAreEqual(msg.sessionId, this._sessionId)) {
      throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
    }
    const pskExt = msg.extensions.get(EXTENSION_TYPE.PRE_SHARED_KEY);
    if (! pskExt) {
      throw new TLSError(ALERT_DESCRIPTION.MISSING_EXTENSION);
    }
    // We expect only the SUPPORTED_VERSIONS and PRE_SHARED_KEY extensions.
    // Anything else (e.g. key_share) would imply a mode we don't implement.
    if (msg.extensions.size !== 2) {
      throw new TLSError(ALERT_DESCRIPTION.UNSUPPORTED_EXTENSION);
    }
    // We offered exactly one PSK, so the only valid selected_identity is 0
    // (RFC 8446 section 4.2.11: selected_identity must be within the offered range).
    if (pskExt.selectedIdentity !== 0) {
      throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
    }
    // psk_ke mode: no (EC)DHE contribution, so the key schedule mixes in zeros.
    await this.conn._keyschedule.addECDHE(null);
    await this.conn._setSendKey(this.conn._keyschedule.clientHandshakeTrafficSecret);
    await this.conn._setRecvKey(this.conn._keyschedule.serverHandshakeTrafficSecret);
    await this.conn._transition(states_CLIENT_WAIT_EE);
  }
}

// Waiting for EncryptedExtensions (the first message under handshake keys).
// Extends MidHandshakeState because the server's compat change_cipher_spec
// arrives here, between ServerHello and EncryptedExtensions.
class states_CLIENT_WAIT_EE extends states_MidHandshakeState {
  async recvHandshakeMessage(msg) {
    // We don't make use of any encrypted extensions, but we still
    // have to wait for the server to send the (empty) list of them.
    if (! (msg instanceof EncryptedExtensions)) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    // We do not support any EncryptedExtensions.
    if (msg.extensions.size !== 0) {
      throw new TLSError(ALERT_DESCRIPTION.UNSUPPORTED_EXTENSION);
    }
    const keyschedule = this.conn._keyschedule;
    // Snapshot the transcript now (ClientHello..EncryptedExtensions): this is
    // exactly what the server's Finished MAC covers, and the transcript will
    // have grown by the time that message is verified.
    const serverFinishedTranscript = keyschedule.getTranscript();
    await this.conn._transition(states_CLIENT_WAIT_FINISHED, serverFinishedTranscript);
  }
}

// Waiting for the server Finished; on success sends our own Finished and
// moves to application traffic keys.
class states_CLIENT_WAIT_FINISHED extends states_State {
  async initialize(serverFinishedTranscript) {
    this._serverFinishedTranscript = serverFinishedTranscript;
  }

  async recvHandshakeMessage(msg) {
    if (! (msg instanceof messages_Finished)) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    // Verify server Finished MAC.
    // This is the step that actually authenticates the server (it proves
    // knowledge of the PSK); nothing before it may be trusted.
    const keyschedule = this.conn._keyschedule;
    await keyschedule.verifyFinishedMAC(keyschedule.serverHandshakeTrafficSecret, msg.verifyData, this._serverFinishedTranscript);
    // Send our own Finished message in return.
    // This must be encrypted with the handshake traffic key,
    // but must not appear in the transcript used to calculate the application keys.
    // Ordering matters: the client Finished MAC covers the transcript through
    // the server Finished (which `Connection.recv` has already appended), and
    // `finalize()` below clears the handshake traffic secrets it needs, so it
    // has to be computed first.
    const clientFinishedMAC = await keyschedule.calculateFinishedMAC(keyschedule.clientHandshakeTrafficSecret);
    await keyschedule.finalize();
    await this.conn._sendHandshakeMessage(new messages_Finished(clientFinishedMAC));
    await this.conn._setSendKey(keyschedule.clientApplicationTrafficSecret);
    await this.conn._setRecvKey(keyschedule.serverApplicationTrafficSecret);
    await this.conn._transition(states_CLIENT_CONNECTED);
  }
}

// Connected client. Identical to CONNECTED except that post-handshake
// NewSessionTicket messages are tolerated (and ignored).
class states_CLIENT_CONNECTED extends states_CONNECTED {
  async recvHandshakeMessage(msg) {
    // A connected client must be prepared to accept NewSessionTicket
    // messages. We never use them, but other server implementations
    // might send them.
    // Any other post-handshake message (e.g. KeyUpdate) is unsupported and fatal.
    if (! (msg instanceof messages_NewSessionTicket)) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
  }
}

// These states implement (part of) the server state-machine from
// https://tools.ietf.org/html/rfc8446#appendix-A.2
//
// Since we're only implementing a small subset of TLS1.3,
// we only need a small subset of the handshake.
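// It basically goes:
//
//   * receive ClientHello
//   * send ServerHello
//   * send empty EncryptedExtensions
//   * send server Finished
//   * receive client Finished
//
// We include some unused states for completeness, so that it's easier
// to check the implementation against the diagrams in the RFC.

// Server entry state: waiting for the ClientHello.
//
// The only real negotiation is whether the client offered our PSK identity
// with a valid binder (RFC 8446 section 4.2.11). The binder is verified
// before anything is sent back, so an attacker who does not know the PSK
// learns nothing beyond "unknown identity" / "handshake failure" alerts.
class states_SERVER_START extends states_State {
  async recvHandshakeMessage(msg) {
    if (! (msg instanceof messages_ClientHello)) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    // In the spec, this is where we select connection parameters, and maybe
    // tell the client to try again if we can't find a compatible set.
    // Since we only support a fixed cipherset, the only thing to "negotiate"
    // is whether they provided an acceptable PSK.
    const pskExt = msg.extensions.get(EXTENSION_TYPE.PRE_SHARED_KEY);
    const pskModesExt = msg.extensions.get(EXTENSION_TYPE.PSK_KEY_EXCHANGE_MODES);
    if (! pskExt || ! pskModesExt) {
      throw new TLSError(ALERT_DESCRIPTION.MISSING_EXTENSION);
    }
    // We only do PSK-only key establishment; a client that insists on
    // psk_dhe_ke cannot be served.
    if (! pskModesExt.modes.includes(PSK_MODE_KE)) {
      throw new TLSError(ALERT_DESCRIPTION.HANDSHAKE_FAILURE);
    }
    // RFC 8446 section 4.2.11: there is exactly one binder per identity.
    // Without this check a short binders list would make `binders[pskIndex]`
    // below read `undefined`, turning a malformed hello into an opaque
    // internal error instead of a clear rejection.
    if (pskExt.binders.length !== pskExt.identities.length) {
      throw new TLSError(ALERT_DESCRIPTION.ILLEGAL_PARAMETER);
    }
    // The identity is public, so a non-constant-time comparison here is fine;
    // the secret-dependent comparison is the binder check below.
    const pskIndex = pskExt.identities.findIndex(pskId => bytesAreEqual(pskId, this.conn.pskId));
    if (pskIndex === -1) {
      throw new TLSError(ALERT_DESCRIPTION.UNKNOWN_PSK_IDENTITY);
    }
    await this.conn._keyschedule.addPSK(this.conn.psk);
    // Validate the PSK binder.
    // The binder is a MAC over the ClientHello truncated just before the
    // binders list, so strip that list from the end of the transcript.
    const keyschedule = this.conn._keyschedule;
    const transcript = keyschedule.getTranscript();
    // Calculate size occupied by the PSK binders.
    let pskBindersSize = 2; // Vector16 representation overhead.
    for (const binder of pskExt.binders) {
      pskBindersSize += binder.byteLength + 1; // Vector8 representation overhead.
    }
    // NOTE(review): relies on `verifyHmac` (crypto.js, not visible here) to
    // reject a wrong-length or wrong-valued binder in constant time.
    await keyschedule.verifyFinishedMAC(keyschedule.extBinderKey, pskExt.binders[pskIndex], transcript.slice(0, -pskBindersSize));
    await this.conn._transition(states_SERVER_NEGOTIATED, msg.sessionId, pskIndex);
  }
}

// The server's whole first flight: ServerHello, optional compat
// change_cipher_spec, EncryptedExtensions and Finished. Everything is
// produced in `initialize`, so this state never receives anything itself.
class states_SERVER_NEGOTIATED extends states_MidHandshakeState {
  // `sessionId` is the client's legacy_session_id (echoed back verbatim);
  // `pskIndex` is the index of our identity in the client's offered list.
  async initialize(sessionId, pskIndex) {
    await this.conn._sendHandshakeMessage(new messages_ServerHello(
      // Server random
      await getRandomBytes(32),
      sessionId,
      [
        new extensions_SupportedVersionsExtension(null, VERSION_TLS_1_3),
        new extensions_PreSharedKeyExtension(null, null, pskIndex),
      ]
    ));
    // If the client sent a non-empty sessionId, the server *must* send a change-cipher-spec for b/w compat.
    // (RFC 8446 appendix D.4, "middlebox compatibility mode".)
    if (sessionId.byteLength > 0) {
      await this.conn._sendChangeCipherSpec();
    }
    // We can now transition to the encrypted part of the handshake.
    // psk_ke mode: no (EC)DHE contribution, so zeros are mixed in.
    const keyschedule = this.conn._keyschedule;
    await keyschedule.addECDHE(null);
    await this.conn._setSendKey(keyschedule.serverHandshakeTrafficSecret);
    await this.conn._setRecvKey(keyschedule.clientHandshakeTrafficSecret);
    // Send an empty EncryptedExtensions message.
    await this.conn._sendHandshakeMessage(new EncryptedExtensions([]));
    // Send the Finished message.
    // Its MAC covers the transcript through EncryptedExtensions.
    const serverFinishedMAC = await keyschedule.calculateFinishedMAC(keyschedule.serverHandshakeTrafficSecret);
    await this.conn._sendHandshakeMessage(new messages_Finished(serverFinishedMAC));
    // We can now *send* using the application traffic key,
    // but have to wait to receive the client Finished before receiving under that key.
    // We need to remember the handshake state from before the client Finished
    // in order to successfully verify the client Finished.
    // Both the transcript snapshot and the client handshake traffic secret are
    // taken here because `finalize()` clears the handshake secrets.
    const clientFinishedTranscript = keyschedule.getTranscript();
    const clientHandshakeTrafficSecret = keyschedule.clientHandshakeTrafficSecret;
    await keyschedule.finalize();
    await this.conn._setSendKey(keyschedule.serverApplicationTrafficSecret);
    await this.conn._transition(states_SERVER_WAIT_FINISHED, clientHandshakeTrafficSecret, clientFinishedTranscript);
  }
}

// Waiting for the client Finished, which is the step that authenticates the
// client. Receiving still uses the client handshake traffic key; only after
// verification do we switch to the client application traffic key.
class states_SERVER_WAIT_FINISHED extends states_MidHandshakeState {
  async initialize(clientHandshakeTrafficSecret, clientFinishedTranscript) {
    this._clientHandshakeTrafficSecret = clientHandshakeTrafficSecret;
    this._clientFinishedTranscript = clientFinishedTranscript;
  }

  async recvHandshakeMessage(msg) {
    if (! (msg instanceof messages_Finished)) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    const keyschedule = this.conn._keyschedule;
    await keyschedule.verifyFinishedMAC(this._clientHandshakeTrafficSecret, msg.verifyData, this._clientFinishedTranscript);
    // Drop the handshake secret now that it has served its purpose.
    this._clientHandshakeTrafficSecret = this._clientFinishedTranscript = null;
    await this.conn._setRecvKey(keyschedule.clientApplicationTrafficSecret);
    await this.conn._transition(states_CONNECTED);
  }
}

// CONCATENATED MODULE: ./src/keyschedule.js
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// TLS1.3 Key Schedule.
//
// In this file we implement the "key schedule" from
// https://tools.ietf.org/html/rfc8446#section-7.1, which
// defines how to calculate various keys as the handshake
// state progresses.
// The `KeySchedule` class progresses through three stages corresponding
// to the three phases of the TLS1.3 key schedule:
//
//   UNINITIALIZED
//       |
//       | addPSK()
//       v
//   EARLY_SECRET
//       |
//       | addECDHE()
//       v
//   HANDSHAKE_SECRET
//       |
//       | finalize()
//       v
//   MASTER_SECRET
//
// It will error out if the calling code attempts to add key material
// in the wrong order.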
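const STAGE_UNINITIALIZED = 0;
const STAGE_EARLY_SECRET = 1;
const STAGE_HANDSHAKE_SECRET = 2;
const STAGE_MASTER_SECRET = 3;

// The TLS 1.3 key schedule (RFC 8446 section 7.1), restricted to what a
// PSK-only, single-ciphersuite handshake needs.
//
// Secrets that are no longer needed are nulled as soon as the schedule
// moves past the stage that uses them, so a compromised or leaked object
// holds as little key material as possible.
class keyschedule_KeySchedule {
  constructor() {
    this.stage = STAGE_UNINITIALIZED;
    // WebCrypto doesn't support a rolling hash construct, so we have to
    // keep the entire message transcript in memory.
    this.transcript = new utils_BufferWriter();
    // This tracks the main secret from which other keys are derived at each stage.
    this.secret = null;
    // And these are all the various keys we'll derive as the handshake progresses.
    this.extBinderKey = null;
    this.clientHandshakeTrafficSecret = null;
    this.serverHandshakeTrafficSecret = null;
    this.clientApplicationTrafficSecret = null;
    this.serverApplicationTrafficSecret = null;
  }

  // Stage 1: mix in the PSK to produce the early secret and the binder key.
  // `psk` may be null, in which case the RFC's all-zero placeholder is used.
  // Throws `internal_error` if called out of order.
  async addPSK(psk) {
    // Use the selected PSK (if any) to calculate the "early secret".
    if (psk === null) {
      psk = zeros(HASH_LENGTH);
    }
    if (this.stage !== STAGE_UNINITIALIZED) {
      throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
    }
    this.stage = STAGE_EARLY_SECRET;
    this.secret = await hkdfExtract(zeros(HASH_LENGTH), psk);
    // The binder key is derived over an empty transcript, by definition.
    this.extBinderKey = await this.deriveSecret('ext binder', EMPTY);
    this.secret = await this.deriveSecret('derived', EMPTY);
  }

  // Stage 2: mix in the (EC)DHE shared secret to produce the handshake secret
  // and both handshake traffic secrets. `ecdhe` may be null (psk_ke mode), in
  // which case zeros are used. The traffic secrets are derived over the
  // transcript as it stands now, i.e. through ServerHello.
  async addECDHE(ecdhe) {
    // Mix in the ECDHE output (if any) to calculate the "handshake secret".
    if (ecdhe === null) {
      ecdhe = zeros(HASH_LENGTH);
    }
    if (this.stage !== STAGE_EARLY_SECRET) {
      throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
    }
    this.stage = STAGE_HANDSHAKE_SECRET;
    this.extBinderKey = null;
    this.secret = await hkdfExtract(this.secret, ecdhe);
    this.clientHandshakeTrafficSecret = await this.deriveSecret('c hs traffic');
    this.serverHandshakeTrafficSecret = await this.deriveSecret('s hs traffic');
    this.secret = await this.deriveSecret('derived', EMPTY);
  }

  // Stage 3: produce the master secret and the application traffic secrets,
  // derived over the transcript through the server Finished. Handshake
  // traffic secrets are cleared here, so callers that still need one (to
  // compute or verify a Finished MAC) must grab it before calling this.
  // After this the schedule holds no master secret and cannot derive further.
  async finalize() {
    if (this.stage !== STAGE_HANDSHAKE_SECRET) {
      throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
    }
    this.stage = STAGE_MASTER_SECRET;
    this.clientHandshakeTrafficSecret = null;
    this.serverHandshakeTrafficSecret = null;
    this.secret = await hkdfExtract(this.secret, zeros(HASH_LENGTH));
    this.clientApplicationTrafficSecret = await this.deriveSecret('c ap traffic');
    this.serverApplicationTrafficSecret = await this.deriveSecret('s ap traffic');
    this.secret = null;
  }

  // Append a complete handshake message (header included) to the transcript.
  //
  // Once `finalize()` has run there is nothing left to derive from the
  // transcript (the master secret is gone and no exporter/resumption secrets
  // are implemented), but a connected client keeps receiving post-handshake
  // messages such as NewSessionTicket. Appending those would let a peer grow
  // this buffer without bound for the life of the connection, so they are
  // dropped instead.
  addToTranscript(bytes) {
    if (this.stage === STAGE_MASTER_SECRET) {
      return;
    }
    this.transcript.writeBytes(bytes);
  }

  // Return a copy of the transcript bytes accumulated so far.
  getTranscript() {
    return this.transcript.slice();
  }

  // Derive-Secret(Secret, Label, Messages) from RFC 8446 section 7.1, using
  // the current main secret. `transcript` defaults to the live transcript;
  // pass `EMPTY` for the derivations the RFC defines over an empty context.
  async deriveSecret(label, transcript = undefined) {
    transcript = transcript || this.getTranscript();
    return await hkdfExpandLabel(this.secret, label, await hash(transcript), HASH_LENGTH);
  }

  // Compute a Finished-style MAC (also used for PSK binders) keyed from
  // `baseKey` over `transcript` (default: the live transcript).
  async calculateFinishedMAC(baseKey, transcript = undefined) {
    transcript = transcript || this.getTranscript();
    const finishedKey = await hkdfExpandLabel(baseKey, 'finished', EMPTY, HASH_LENGTH);
    return await hmac(finishedKey, await hash(transcript));
  }

  // Verify a Finished-style MAC; throws on mismatch.
  // NOTE(review): the comparison is delegated to `verifyHmac` (crypto.js,
  // not visible here), which is assumed to be constant-time.
  async verifyFinishedMAC(baseKey, mac, transcript = undefined) {
    transcript = transcript || this.getTranscript();
    const finishedKey = await hkdfExpandLabel(baseKey, 'finished', EMPTY, HASH_LENGTH);
    await verifyHmac(finishedKey, mac, await hash(transcript));
  }
}

// CONCATENATED MODULE: ./src/recordlayer.js
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
//
// This file implements the "record layer" for TLS1.3, as defined in
// https://tools.ietf.org/html/rfc8446#section-5.
//
// The record layer is responsible for encrypting/decrypting bytes to be
// sent over the wire, including stateful management of sequence numbers
// for the incoming and outgoing stream.
//
// The main interface is the RecordLayer class, which takes a callback function
// sending data and can be used like so:
//
//   rl = new RecordLayer(async function send_encrypted_data(data) {
//     // application-specific sending logic here.
//   });
//
//   // Records are sent and received in plaintext by default,
//   // until you specify the key to use.
//   await rl.setSendKey(key)
//
//   // Send some data by specifying the record type and the bytes.
//   // Where allowed by the record type, it will be buffered until
//   // explicitly flushed, and then sent by calling the callback.
//   await rl.send(RECORD_TYPE.HANDSHAKE, )
//   await rl.send(RECORD_TYPE.HANDSHAKE, )
//   await rl.flush()
//
//   // Separate keys are used for sending and receiving.
//   rl.setRecvKey(key);
//
//   // When data is received, push it into the RecordLayer
//   // and pass a callback that will be called with a [type, bytes]
//   // pair for each message parsed from the data.
//   rl.recv(dataReceivedFromPeer, async (type, bytes) => {
//     switch (type) {
//       case RECORD_TYPE.APPLICATION_DATA:
//         // do something with application data
//       case RECORD_TYPE.HANDSHAKE:
//         // do something with a handshake message
//       default:
//         // etc...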
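//     }
//   });
//

/* eslint-disable sorting/sort-object-props */
const RECORD_TYPE = {
  CHANGE_CIPHER_SPEC: 20,
  ALERT: 21,
  HANDSHAKE: 22,
  APPLICATION_DATA: 23,
};
/* eslint-enable sorting/sort-object-props */

// Encrypting at most 2^24 records will force us to stay
// below data limits on AES-GCM encryption key use, and also
// means we can accurately represent the sequence number as
// a javascript double.
const MAX_SEQUENCE_NUMBER = Math.pow(2, 24);

// RFC 8446 section 5.1/5.2: plaintext fragments are at most 2^14 bytes and
// ciphertext records at most 2^14 + 256 bytes.
const MAX_RECORD_SIZE = Math.pow(2, 14);
const MAX_ENCRYPTED_RECORD_SIZE = MAX_RECORD_SIZE + 256;
// type(1) + legacy_record_version(2) + length(2)
const RECORD_HEADER_SIZE = 5;

// These are some helper classes to manage the encryption/decryption state
// for a particular key.
//
// Each instance owns one traffic key, its static IV and a monotonically
// increasing sequence number. A key/IV pair is never reused with the same
// sequence number, and `nonce()` refuses to go past MAX_SEQUENCE_NUMBER.
class recordlayer_CipherState {
  constructor(key, iv) {
    this.key = key;
    this.iv = iv;
    this.seqnum = 0;
  }

  // Derive the traffic key and IV from a traffic secret
  // (`mode` is 'encrypt' or 'decrypt', passed through to `prepareKey`).
  static async create(baseKey, mode) {
    // Derive key and iv per https://tools.ietf.org/html/rfc8446#section-7.3
    const key = await prepareKey(await hkdfExpandLabel(baseKey, 'key', EMPTY, KEY_LENGTH), mode);
    const iv = await hkdfExpandLabel(baseKey, 'iv', EMPTY, IV_LENGTH);
    return new this(key, iv);
  }

  // Produce the per-record nonce for the *next* sequence number and advance it.
  //
  // Throws `internal_error` once the sequence number reaches
  // MAX_SEQUENCE_NUMBER; the limit is checked before any nonce is formed so a
  // rejected call never hands back a nonce the caller could go on to use.
  nonce() {
    // Ref https://tools.ietf.org/html/rfc8446#section-5.3:
    //   * left-pad the sequence number with zeros to IV_LENGTH
    //   * xor with the provided iv
    // Our sequence numbers are always less than 2^24, so fit in a Uint32
    // in the last 4 bytes of the nonce.
    if (this.seqnum >= MAX_SEQUENCE_NUMBER) {
      throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
    }
    const nonce = this.iv.slice();
    const dv = new DataView(nonce.buffer, nonce.byteOffset + nonce.byteLength - 4, 4);
    dv.setUint32(0, dv.getUint32(0) ^ this.seqnum);
    this.seqnum += 1;
    return nonce;
  }
}

class recordlayer_EncryptionState extends recordlayer_CipherState {
  static async create(key) {
    return super.create(key, 'encrypt');
  }

  async encrypt(plaintext, additionalData) {
    return await encrypt(this.key, this.nonce(), plaintext, additionalData);
  }
}

class recordlayer_DecryptionState extends recordlayer_CipherState {
  static async create(key) {
    return super.create(key, 'decrypt');
  }

  // NOTE(review): authentication failure handling lives in `decrypt`
  // (crypto.js, not visible here); it is expected to throw rather than
  // return garbage, and ideally as a `bad_record_mac` alert.
  async decrypt(ciphertext, additionalData) {
    return await decrypt(this.key, this.nonce(), ciphertext, additionalData);
  }
}

// The main RecordLayer class.
//
// Outgoing data is buffered per record type and turned into one
// TLSPlaintext/TLSCiphertext record by `flush()`. Incoming data is expected
// to be exactly one record per `recv()` call. Once `setSendError` /
// `setRecvError` have been called the layer refuses further traffic.
class recordlayer_RecordLayer {
  constructor(sendCallback) {
    this.sendCallback = sendCallback;
    this._sendEncryptState = null;
    this._sendError = null;
    this._recvDecryptState = null;
    this._recvError = null;
    this._pendingRecordType = 0;
    this._pendingRecordBuf = null;
  }

  // Switch outgoing records to `key`. Anything still buffered is flushed
  // first so it goes out under the key that was current when it was queued.
  async setSendKey(key) {
    await this.flush();
    this._sendEncryptState = await recordlayer_EncryptionState.create(key);
  }

  // Switch incoming records to `key` (applies to the next `recv()`).
  async setRecvKey(key) {
    this._recvDecryptState = await recordlayer_DecryptionState.create(key);
  }

  // Poison the sending side: every later `send()`/`flush()` of real data throws `err`.
  async setSendError(err) {
    this._sendError = err;
  }

  // Poison the receiving side: every later `recv()` throws `err`.
  async setRecvError(err) {
    this._recvError = err;
  }

  // Queue `data` of record type `type` for sending. Data is coalesced with any
  // pending data of the same type; a change of type or a would-be oversize
  // record forces a flush first. Fragmentation is not supported, so a single
  // `data` larger than one record is an internal error.
  async send(type, data) {
    if (this._sendError !== null) {
      throw this._sendError;
    }
    // Forbid sending data that doesn't fit into a single record.
    // We do not support fragmentation over multiple records.
    if (data.byteLength > MAX_RECORD_SIZE) {
      throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
    }
    // Flush if we're switching to a different record type.
    if (this._pendingRecordType && this._pendingRecordType !== type) {
      await this.flush();
    }
    // Flush if we would overflow the max size of a record.
    if (this._pendingRecordBuf !== null) {
      if (this._pendingRecordBuf.tell() + data.byteLength > MAX_RECORD_SIZE) {
        await this.flush();
      }
    }
    // Start a new pending record if necessary.
    // We reserve space at the start of the buffer for the record header,
    // which is conveniently always a fixed size.
    if (this._pendingRecordBuf === null) {
      this._pendingRecordType = type;
      this._pendingRecordBuf = new utils_BufferWriter();
      this._pendingRecordBuf.incr(RECORD_HEADER_SIZE);
    }
    this._pendingRecordBuf.writeBytes(data);
  }

  // Emit the pending record (if any) through `sendCallback`.
  //
  // Under an encryption key the pending bytes become a TLSInnerPlaintext
  // (content || type, no padding) and are sent as an APPLICATION_DATA record
  // whose 5-byte header is the AEAD additional data. Otherwise they are sent
  // as a TLSPlaintext record of the pending type.
  async flush() {
    // If there's nothing to flush, bail out early.
    // Don't throw `_sendError` if we're not sending anything, because `flush()`
    // can be called when we're trying to transition into an error state.
    const buf = this._pendingRecordBuf;
    let type = this._pendingRecordType;
    if (! type) {
      if (buf !== null) {
        throw new TLSError(ALERT_DESCRIPTION.INTERNAL_ERROR);
      }
      return;
    }
    if (this._sendError !== null) {
      throw this._sendError;
    }
    // If we're encrypting, turn the existing buffer contents into a `TLSInnerPlaintext` by
    // appending the type. We don't do any zero-padding, although the spec allows it.
    let inflation = 0, innerPlaintext = null;
    if (this._sendEncryptState !== null) {
      buf.writeUint8(type);
      innerPlaintext = buf.slice(RECORD_HEADER_SIZE);
      inflation = AEAD_SIZE_INFLATION;
      type = RECORD_TYPE.APPLICATION_DATA;
    }
    // Write the common header for either `TLSPlaintext` or `TLSCiphertext` record.
    // `length` counts the inner plaintext plus the AEAD tag when encrypting.
    const length = buf.tell() - RECORD_HEADER_SIZE + inflation;
    buf.seek(0);
    buf.writeUint8(type);
    buf.writeUint16(VERSION_TLS_1_2);
    buf.writeUint16(length);
    // Followed by different payload depending on encryption status.
    if (this._sendEncryptState !== null) {
      const additionalData = buf.slice(0, RECORD_HEADER_SIZE);
      const ciphertext = await this._sendEncryptState.encrypt(innerPlaintext, additionalData);
      // Overwrites the plaintext that is still sitting after the header.
      buf.writeBytes(ciphertext);
    } else {
      buf.incr(length);
    }
    this._pendingRecordBuf = null;
    this._pendingRecordType = 0;
    await this.sendCallback(buf.flush());
  }

  // Parse (and, once a receive key is set, decrypt) exactly one record.
  // Returns `[type, plaintext]` where `type` is the inner content type.
  // Trailing bytes after the record are a `decode_error`.
  async recv(data) {
    if (this._recvError !== null) {
      throw this._recvError;
    }
    // For simplicity, we assume that the given data contains exactly one record.
    // Peers using this library will send one record at a time over the websocket
    // connection, and we can assume that the server-side websocket bridge will split
    // up any traffic into individual records if we ever start interoperating with
    // peers using a different TLS implementation.
    // Similarly, we assume that handshake messages will not be fragmented across
    // multiple records. This should be trivially true for the PSK-only mode used
    // by this library, but we may want to relax it in future for interoperability
    // with e.g. large ClientHello messages that contain lots of different options.
    const buf = new utils_BufferReader(data);
    // The data to read is either a TLSPlaintext or TLSCiphertext struct,
    // depending on whether record protection has been enabled yet:
    //
    //    struct {
    //        ContentType type;
    //        ProtocolVersion legacy_record_version;
    //        uint16 length;
    //        opaque fragment[TLSPlaintext.length];
    //    } TLSPlaintext;
    //
    //    struct {
    //        ContentType opaque_type = application_data; /* 23 */
    //        ProtocolVersion legacy_record_version = 0x0303; /* TLS v1.2 */
    //        uint16 length;
    //        opaque encrypted_record[TLSCiphertext.length];
    //    } TLSCiphertext;
    //
    let type = buf.readUint8();
    // The spec says legacy_record_version "MUST be ignored for all purposes",
    // but we know TLS1.3 implementations will only ever emit two possible values,
    // so it seems useful to bail out early if we receive anything else.
    const version = buf.readUint16();
    if (version !== VERSION_TLS_1_2) {
      // TLS1.0 is only acceptable on initial plaintext records.
      if (this._recvDecryptState !== null || version !== VERSION_TLS_1_0) {
        throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
      }
    }
    const length = buf.readUint16();
    let plaintext;
    // change_cipher_spec is the one record type still read unprotected after
    // keys are installed (middlebox compat); the state machine decides whether
    // it is acceptable. Every other record must be protected once a key is set.
    if (this._recvDecryptState === null || type === RECORD_TYPE.CHANGE_CIPHER_SPEC) {
      [type, plaintext] = await this._readPlaintextRecord(type, length, buf);
    } else {
      [type, plaintext] = await this._readEncryptedRecord(type, length, buf);
    }
    // Sanity-check that we received exactly one record.
    if (buf.hasMoreBytes()) {
      throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
    }
    return [type, plaintext];
  }

  // Helper to read an unencrypted `TLSPlaintext` struct
  // (RFC 8446 section 5.1: fragment length > 2^14 is a `record_overflow`).
  async _readPlaintextRecord(type, length, buf) {
    if (length > MAX_RECORD_SIZE) {
      throw new TLSError(ALERT_DESCRIPTION.RECORD_OVERFLOW);
    }
    return [type, buf.readBytes(length)];
  }

  // Helper to read an encrypted `TLSCiphertext` struct,
  // decrypting it into plaintext.
  // Returns `[innerType, content]` with the padding and type byte stripped.
  async _readEncryptedRecord(type, length, buf) {
    if (length > MAX_ENCRYPTED_RECORD_SIZE) {
      throw new TLSError(ALERT_DESCRIPTION.RECORD_OVERFLOW);
    }
    // The outer type for encrypted records is always APPLICATION_DATA.
    if (type !== RECORD_TYPE.APPLICATION_DATA) {
      throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
    }
    // Decrypt and decode the contained `TLSInnerPlaintext` struct:
    //
    //    struct {
    //        opaque content[TLSPlaintext.length];
    //        ContentType type;
    //        uint8 zeros[length_of_padding];
    //    } TLSInnerPlaintext;
    //
    // The additional data for the decryption is the `TLSCiphertext` record
    // header, which is a fixed size and immediately prior to current buffer position.
    buf.incr(-RECORD_HEADER_SIZE);
    const additionalData = buf.readBytes(RECORD_HEADER_SIZE);
    const ciphertext = buf.readBytes(length);
    const paddedPlaintext = await this._recvDecryptState.decrypt(ciphertext, additionalData);
    // RFC 8446 section 5.4: the full TLSInnerPlaintext (content + type + padding)
    // MUST NOT exceed 2^14 + 1 bytes, and a receiver MUST answer anything
    // larger with `record_overflow`. The outer length check above only
    // bounds it to 2^14 + 256 minus the AEAD tag, so it is checked again here.
    if (paddedPlaintext.byteLength > MAX_RECORD_SIZE + 1) {
      throw new TLSError(ALERT_DESCRIPTION.RECORD_OVERFLOW);
    }
    // We have to scan backwards over the zero padding at the end of the struct
    // in order to find the non-zero `type` byte.
    let i;
    for (i = paddedPlaintext.byteLength - 1; i >= 0; i--) {
      if (paddedPlaintext[i] !== 0) {
        break;
      }
    }
    // All zeros means there is no type byte at all (RFC: `unexpected_message`).
    if (i < 0) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    type = paddedPlaintext[i];
    // `change_cipher_spec` records must always be plaintext.
    if (type === RECORD_TYPE.CHANGE_CIPHER_SPEC) {
      throw new TLSError(ALERT_DESCRIPTION.DECODE_ERROR);
    }
    return [type, paddedPlaintext.slice(0, i)];
  }
}

// CONCATENATED MODULE: ./src/tlsconnection.js
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// The top-level APIs offered by this module are `ClientConnection` and
// `ServerConnection` classes, which provide authenticated and encrypted
// communication via the "externally-provisioned PSK" mode of TLS1.3.
// They each take a callback to be used for sending data to the remote peer,
// and operate like this:
//
//    conn = await ClientConnection.create(psk, pskId, async function send_data_to_server(data) {
//      // application-specific sending logic here.
//    })
//
//    // Send data to the server by calling `send`,
//    // which will use the callback provided in the constructor.
//    // A single `send()` by the application may result in multiple
//    // invokations of the callback.
//
//    await conn.send('application-level data')
//
//    // When data is received from the server, push it into
//    // the connection and let it return any decrypted app-level data.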
// // There might not be any app-level data if it was a protocol control
// // message, and the receipt of the data might trigger additional calls
// // to the send callback for protocol control purposes.
//
// serverSocket.on('data', async encrypted_data => {
//   const plaintext = await conn.recv(encrypted_data)
//   if (plaintext !== null) {
//     do_something_with_app_level_data(plaintext)
//   }
// })
//
// // It's good practice to explicitly close the connection
// // when finished. This will send a "closed" notification
// // to the server.
//
// await conn.close()
//
// // When the peer sends a "closed" notification it will show up
// // as a `TLSCloseNotify` exception from recv:
//
// try {
//   data = await conn.recv(data);
// } catch (err) {
//   if (! (err instanceof TLSCloseNotify)) { throw err }
//   do_something_to_cleanly_close_data_connection();
// }
//
// The `ServerConnection` API operates similarly; the distinction is mainly
// in which side is expected to send vs receive during the protocol handshake.

// Base class shared by `ClientConnection` and `ServerConnection`.
//
// It owns the record layer (framing + encryption), the key schedule
// (transcript hash + key derivation) and the current handshake state object,
// and serialises every public operation through `_synchronized()` so that
// only one state-machine transition is in flight at a time.
class tlsconnection_Connection {
  // `psk` and `pskId` must be Uint8Arrays (enforced by `assertIsBytes`).
  // `sendCallback` is handed to the record layer and is invoked with the
  // bytes of each outgoing record.
  constructor(psk, pskId, sendCallback) {
    this.psk = assertIsBytes(psk);
    this.pskId = assertIsBytes(pskId);
    // Settled by `_setConnectionSuccess` / `_setConnectionFailure` once the
    // handshake completes; `send()` waits on it before transmitting.
    this.connected = new Promise((resolve, reject) => {
      this._onConnectionSuccess = resolve;
      this._onConnectionFailure = reject;
    });
    this._state = new UNINITIALIZED(this);
    // Reader over the handshake record currently being processed, or null.
    // Used by `_setRecvKey` to refuse a key change in the middle of a record.
    this._handshakeRecvBuffer = null;
    // NOTE(review): only initialised here; presumably maintained by the
    // state classes, which are outside this chunk.
    this._hasSeenChangeCipherSpec = false;
    this._recordlayer = new recordlayer_RecordLayer(sendCallback);
    this._keyschedule = new keyschedule_KeySchedule();
    // Tail of the promise chain that `_synchronized()` appends to.
    this._lastPromise = Promise.resolve();
  }

  // Subclasses will override this with some async initialization logic.
  static async create(psk, pskId, sendCallback) {
    return new this(psk, pskId, sendCallback);
  }

  // These are the three public API methods that consumers can use
  // to send and receive data encrypted with TLS1.3.

  // Encrypt and send application data. Blocks until the handshake has
  // completed (rejects if it failed), then runs under the connection lock.
  async send(data) {
    assertIsBytes(data);
    await this.connected;
    await this._synchronized(async () => {
      await this._state.sendApplicationData(data);
    });
  }

  // Feed exactly one received record into the connection.
  // Returns decrypted application data, or null for protocol-control records
  // (change_cipher_spec, alerts, handshake messages). Alerts and malformed
  // input surface as `TLSError` / `TLSCloseNotify` rejections.
  async recv(data) {
    assertIsBytes(data);
    return await this._synchronized(async () => {
      // Decrypt the data using the record layer.
      // We expect to receive precisely one record at a time.
      const [type, bytes] = await this._recordlayer.recv(data);
      // Dispatch based on the type of the record.
      switch (type) {
        case RECORD_TYPE.CHANGE_CIPHER_SPEC:
          await this._state.recvChangeCipherSpec(bytes);
          return null;
        case RECORD_TYPE.ALERT:
          await this._state.recvAlertMessage(TLSAlert.fromBytes(bytes));
          return null;
        case RECORD_TYPE.APPLICATION_DATA:
          return await this._state.recvApplicationData(bytes);
        case RECORD_TYPE.HANDSHAKE:
          // Multiple handshake messages may be coalesced into a single record.
          // Store the in-progress record buffer on `this` so that we can guard
          // against handshake messages that span a change in keys.
          this._handshakeRecvBuffer = new utils_BufferReader(bytes);
          // An empty handshake record is a protocol violation.
          if (! this._handshakeRecvBuffer.hasMoreBytes()) {
            throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
          }
          do {
            // Each handshake messages has a type and length prefix, per
            // https://tools.ietf.org/html/rfc8446#appendix-B.3
            // Peek past the 1-byte type to read the 3-byte length, then rewind
            // so that `messageBytes` covers the whole message (header included).
            this._handshakeRecvBuffer.incr(1);
            const mlength = this._handshakeRecvBuffer.readUint24();
            this._handshakeRecvBuffer.incr(-4);
            const messageBytes = this._handshakeRecvBuffer.readBytes(mlength + 4);
            // The raw message bytes go into the transcript hash before the
            // state object interprets them; both peers must hash identical bytes.
            this._keyschedule.addToTranscript(messageBytes);
            await this._state.recvHandshakeMessage(messages_HandshakeMessage.fromBytes(messageBytes));
          } while (this._handshakeRecvBuffer.hasMoreBytes());
          this._handshakeRecvBuffer = null;
          return null;
        default:
          throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
      }
    });
  }

  // Close the connection via the current state (under the connection lock).
  async close() {
    await this._synchronized(async () => {
      await this._state.close();
    });
  }

  // Ensure that async functions execute one at a time,
  // by waiting for the previous call to `_synchronized()` to complete
  // before starting a new one. This helps ensure that we complete
  // one state-machine transition before starting to do the next.
  // It's also a convenient place to catch and alert on errors.
  //
  // A `TLSCloseNotify` is propagated untouched; every other error is
  // handed to the current state's `handleErrorAndRethrow`.
  _synchronized(cb) {
    const nextPromise = this._lastPromise.then(() => {
      return cb();
    }).catch(async err => {
      if (err instanceof TLSCloseNotify) {
        throw err;
      }
      await this._state.handleErrorAndRethrow(err);
    });
    // We don't want to hold on to the return value or error,
    // just synchronize on the fact that it completed.
    this._lastPromise = nextPromise.then(noop, noop);
    return nextPromise;
  }

  // This drives internal transition of the state-machine,
  // ensuring that the new state is properly initialized.
  // Any records queued by the new state's `initialize` are flushed here.
  async _transition(State, ...args) {
    this._state = new State(this);
    await this._state.initialize(...args);
    await this._recordlayer.flush();
  }

  // These are helpers to allow the State to manipulate the recordlayer
  // and send out various types of data.

  async _sendApplicationData(bytes) {
    await this._recordlayer.send(RECORD_TYPE.APPLICATION_DATA, bytes);
    await this._recordlayer.flush();
  }

  async _sendHandshakeMessage(msg) {
    await this._sendHandshakeMessageBytes(msg.toBytes());
  }

  // Outgoing handshake bytes are added to the transcript hash as sent.
  async _sendHandshakeMessageBytes(bytes) {
    this._keyschedule.addToTranscript(bytes);
    await this._recordlayer.send(RECORD_TYPE.HANDSHAKE, bytes);
    // Don't flush after each handshake message, since we can probably
    // coalesce multiple messages into a single record.
  }

  // `err` is a TLSAlert; its 2-byte (level, description) encoding is sent.
  async _sendAlertMessage(err) {
    await this._recordlayer.send(RECORD_TYPE.ALERT, err.toBytes());
    await this._recordlayer.flush();
  }

  // The change_cipher_spec record body is the single byte 0x01.
  async _sendChangeCipherSpec() {
    await this._recordlayer.send(RECORD_TYPE.CHANGE_CIPHER_SPEC, new Uint8Array([0x01]));
    await this._recordlayer.flush();
  }

  async _setSendKey(key) {
    return await this._recordlayer.setSendKey(key);
  }

  async _setRecvKey(key) {
    // Handshake messages that change keys must be on a record boundary.
    // If the current handshake record still has unread messages, a key change
    // now would mean the rest of the record was protected under the old key.
    if (this._handshakeRecvBuffer && this._handshakeRecvBuffer.hasMoreBytes()) {
      throw new TLSError(ALERT_DESCRIPTION.UNEXPECTED_MESSAGE);
    }
    return await this._recordlayer.setRecvKey(key);
  }

  // Resolve `this.connected` exactly once; later calls are no-ops.
  _setConnectionSuccess() {
    if (this._onConnectionSuccess !== null) {
      this._onConnectionSuccess();
      this._onConnectionSuccess = null;
      this._onConnectionFailure = null;
    }
  }

  // Reject `this.connected` exactly once; later calls are no-ops.
  _setConnectionFailure(err) {
    if (this._onConnectionFailure !== null) {
      this._onConnectionFailure(err);
      this._onConnectionSuccess = null;
      this._onConnectionFailure = null;
    }
  }

  // Make the record layer fail all further sends with `alert`.
  _closeForSend(alert) {
    this._recordlayer.setSendError(alert);
  }

  // Make the record layer fail all further receives with `alert`.
  _closeForRecv(alert) {
    this._recordlayer.setRecvError(alert);
  }
}

// Client side of the PSK handshake: starts in `states_CLIENT_START`.
class tlsconnection_ClientConnection extends tlsconnection_Connection {
  static async create(psk, pskId, sendCallback) {
    const instance = await super.create(psk, pskId, sendCallback);
    await instance._transition(states_CLIENT_START);
    return instance;
  }
}

// Server side of the PSK handshake: starts in `states_SERVER_START`.
class tlsconnection_ServerConnection extends tlsconnection_Connection {
  static async create(psk, pskId, sendCallback) {
    const instance = await super.create(psk, pskId, sendCallback);
    await instance._transition(states_SERVER_START);
    return instance;
  }
}

// CONCATENATED MODULE: ./node_modules/event-target-shim/dist/event-target-shim.mjs
/**
 * @author Toru Nagashima
 * @copyright 2015 Toru Nagashima. All rights reserved.
 * See LICENSE file in root directory for full license.
 */
/**
 * @typedef {object} PrivateData
 * @property {EventTarget} eventTarget The event target.
 * @property {{type:string}} event The original event object.
 * @property {number} eventPhase The current event phase.
 * @property {EventTarget|null} currentTarget The current event target.
 * @property {boolean} canceled The flag to prevent default.
 * @property {boolean} stopped The flag to stop propagation.
 * @property {boolean} immediateStopped The flag to stop propagation immediately.
 * @property {Function|null} passiveListener The listener if the current listener is passive. Otherwise this is null.
 * @property {number} timeStamp The unix time.
 * @private
 */
/**
 * Private data for event wrappers.
 * @type {WeakMap}
 * @private
 */
const privateData = new WeakMap();
/**
 * Cache for wrapper classes.
 * @type {WeakMap}
 * @private
 */
const wrappers = new WeakMap();
/**
 * Get private data.
 * Note: `console.assert` only logs; when `event` is not a wrapper this
 * still returns `undefined` and the caller's property access will throw.
 * @param {Event} event The event object to get private data.
 * @returns {PrivateData} The private data of the event.
 * @private
 */
function pd(event) {
    const retv = privateData.get(event);
    console.assert(
        retv != null,
        "'this' is expected an Event object, but got",
        event
    );
    return retv
}
/**
 * https://dom.spec.whatwg.org/#set-the-canceled-flag
 * @param data {PrivateData} private data.
*/
function setCancelFlag(data) {
    // preventDefault() from a passive listener is reported, not honoured.
    if (data.passiveListener != null) {
        if (
            typeof console !== "undefined" &&
            typeof console.error === "function"
        ) {
            console.error(
                "Unable to preventDefault inside passive event listener invocation.",
                data.passiveListener
            );
        }
        return
    }
    if (!data.event.cancelable) {
        return
    }
    data.canceled = true;
    // Forward to the wrapped native event when it supports it.
    if (typeof data.event.preventDefault === "function") {
        data.event.preventDefault();
    }
}
/**
 * @see https://dom.spec.whatwg.org/#interface-event
 * @private
 */
/**
 * The event wrapper.
 * Own enumerable properties of the wrapped event that the wrapper does not
 * already define are exposed as redirecting accessors.
 * @constructor
 * @param {EventTarget} eventTarget The event target of this dispatching.
 * @param {Event|{type:string}} event The original event to wrap.
 */
function Event(eventTarget, event) {
    privateData.set(this, {
        eventTarget,
        event,
        eventPhase: 2,
        currentTarget: eventTarget,
        canceled: false,
        stopped: false,
        immediateStopped: false,
        passiveListener: null,
        timeStamp: event.timeStamp || Date.now(),
    });
    // https://heycam.github.io/webidl/#Unforgeable
    Object.defineProperty(this, "isTrusted", { value: false, enumerable: true });
    // Define accessors
    const keys = Object.keys(event);
    for (let i = 0; i < keys.length; ++i) {
        const key = keys[i];
        if (!(key in this)) {
            Object.defineProperty(this, key, defineRedirectDescriptor(key));
        }
    }
}
// Should be enumerable, but class methods are not enumerable.
Event.prototype = {
    /**
     * The type of this event.
     * @type {string}
     */
    get type() {
        return pd(this).event.type
    },
    /**
     * The target of this event.
     * @type {EventTarget}
     */
    get target() {
        return pd(this).eventTarget
    },
    /**
     * The current target of this event.
     * @type {EventTarget}
     */
    get currentTarget() {
        return pd(this).currentTarget
    },
    /**
     * @returns {EventTarget[]} The composed path of this event.
     */
    composedPath() {
        const currentTarget = pd(this).currentTarget;
        if (currentTarget == null) {
            return []
        }
        return [currentTarget]
    },
    /**
     * Constant of NONE.
     * @type {number}
     */
    get NONE() {
        return 0
    },
    /**
     * Constant of CAPTURING_PHASE.
     * @type {number}
     */
    get CAPTURING_PHASE() {
        return 1
    },
    /**
     * Constant of AT_TARGET.
     * @type {number}
     */
    get AT_TARGET() {
        return 2
    },
    /**
     * Constant of BUBBLING_PHASE.
     * @type {number}
     */
    get BUBBLING_PHASE() {
        return 3
    },
    /**
     * The current phase of this event.
     * @type {number}
     */
    get eventPhase() {
        return pd(this).eventPhase
    },
    /**
     * Stop event bubbling.
     * @returns {void}
     */
    stopPropagation() {
        const data = pd(this);
        data.stopped = true;
        if (typeof data.event.stopPropagation === "function") {
            data.event.stopPropagation();
        }
    },
    /**
     * Stop event bubbling and skip the remaining listeners.
     * @returns {void}
     */
    stopImmediatePropagation() {
        const data = pd(this);
        data.stopped = true;
        data.immediateStopped = true;
        if (typeof data.event.stopImmediatePropagation === "function") {
            data.event.stopImmediatePropagation();
        }
    },
    /**
     * The flag to be bubbling.
     * @type {boolean}
     */
    get bubbles() {
        return Boolean(pd(this).event.bubbles)
    },
    /**
     * The flag to be cancelable.
     * @type {boolean}
     */
    get cancelable() {
        return Boolean(pd(this).event.cancelable)
    },
    /**
     * Cancel this event.
     * @returns {void}
     */
    preventDefault() {
        setCancelFlag(pd(this));
    },
    /**
     * The flag to indicate cancellation state.
     * @type {boolean}
     */
    get defaultPrevented() {
        return pd(this).canceled
    },
    /**
     * The flag to be composed.
     * @type {boolean}
     */
    get composed() {
        return Boolean(pd(this).event.composed)
    },
    /**
     * The unix time of this event.
     * @type {number}
     */
    get timeStamp() {
        return pd(this).timeStamp
    },
    /**
     * The target of this event.
     * @type {EventTarget}
     * @deprecated
     */
    get srcElement() {
        return pd(this).eventTarget
    },
    /**
     * The flag to stop event bubbling.
     * @type {boolean}
     * @deprecated
     */
    get cancelBubble() {
        return pd(this).stopped
    },
    set cancelBubble(value) {
        // Can only be set, never cleared, matching the DOM semantics.
        if (!value) {
            return
        }
        const data = pd(this);
        data.stopped = true;
        if (typeof data.event.cancelBubble === "boolean") {
            data.event.cancelBubble = true;
        }
    },
    /**
     * The flag to indicate cancellation state.
     * @type {boolean}
     * @deprecated
     */
    get returnValue() {
        return !pd(this).canceled
    },
    set returnValue(value) {
        if (!value) {
            setCancelFlag(pd(this));
        }
    },
    /**
     * Initialize this event object. But do nothing under event dispatching.
     * @param {string} type The event type.
     * @param {boolean} [bubbles=false] The flag to be possible to bubble up.
     * @param {boolean} [cancelable=false] The flag to be possible to cancel.
     * @deprecated
     */
    initEvent() {
        // Do nothing.
    },
};
// `constructor` is not enumerable.
Object.defineProperty(Event.prototype, "constructor", {
    value: Event,
    configurable: true,
    writable: true,
});
// Ensure `event instanceof window.Event` is `true`.
if (typeof window !== "undefined" && typeof window.Event !== "undefined") {
    Object.setPrototypeOf(Event.prototype, window.Event.prototype);
    // Make association for wrappers.
    wrappers.set(window.Event.prototype, Event);
}
/**
 * Get the property descriptor to redirect a given property.
 * Reads and writes go straight through to the wrapped original event.
 * @param {string} key Property name to define property descriptor.
 * @returns {PropertyDescriptor} The property descriptor to redirect the property.
 * @private
 */
function defineRedirectDescriptor(key) {
    return {
        get() {
            return pd(this).event[key]
        },
        set(value) {
            pd(this).event[key] = value;
        },
        configurable: true,
        enumerable: true,
    }
}
/**
 * Get the property descriptor to call a given method property.
 * The method is invoked with the wrapped original event as `this`.
 * @param {string} key Property name to define property descriptor.
 * @returns {PropertyDescriptor} The property descriptor to call the method property.
 * @private
 */
function defineCallDescriptor(key) {
    return {
        value() {
            const event = pd(this).event;
            return event[key].apply(event, arguments)
        },
        configurable: true,
        enumerable: true,
    }
}
/**
 * Define new wrapper class.
 * @param {Function} BaseEvent The base wrapper class.
 * @param {Object} proto The prototype of the original event.
 * @returns {Function} The defined wrapper class.
* @private
 */
function defineWrapper(BaseEvent, proto) {
    const keys = Object.keys(proto);
    // Nothing to mirror: reuse the base wrapper as-is.
    if (keys.length === 0) {
        return BaseEvent
    }
    /** CustomEvent */
    function CustomEvent(eventTarget, event) {
        BaseEvent.call(this, eventTarget, event);
    }
    CustomEvent.prototype = Object.create(BaseEvent.prototype, {
        constructor: { value: CustomEvent, configurable: true, writable: true },
    });
    // Define accessors.
    // Functions on the original prototype become call-through methods,
    // everything else becomes a redirecting accessor.
    for (let i = 0; i < keys.length; ++i) {
        const key = keys[i];
        if (!(key in BaseEvent.prototype)) {
            const descriptor = Object.getOwnPropertyDescriptor(proto, key);
            const isFunc = typeof descriptor.value === "function";
            Object.defineProperty(
                CustomEvent.prototype,
                key,
                isFunc
                    ? defineCallDescriptor(key)
                    : defineRedirectDescriptor(key)
            );
        }
    }
    return CustomEvent
}
/**
 * Get the wrapper class of a given prototype.
 * Walks up the prototype chain recursively, caching one wrapper per prototype
 * in `wrappers`; `Object.prototype` (or null) terminates at the base `Event`.
 * @param {Object} proto The prototype of the original event to get its wrapper.
 * @returns {Function} The wrapper class.
 * @private
 */
function getWrapper(proto) {
    if (proto == null || proto === Object.prototype) {
        return Event
    }
    let wrapper = wrappers.get(proto);
    if (wrapper == null) {
        wrapper = defineWrapper(getWrapper(Object.getPrototypeOf(proto)), proto);
        wrappers.set(proto, wrapper);
    }
    return wrapper
}
/**
 * Wrap a given event to management a dispatching.
 * @param {EventTarget} eventTarget The event target of this dispatching.
 * @param {Object} event The event to wrap.
 * @returns {Event} The wrapper instance.
 * @private
 */
function wrapEvent(eventTarget, event) {
    const Wrapper = getWrapper(Object.getPrototypeOf(event));
    return new Wrapper(eventTarget, event)
}
/**
 * Get the immediateStopped flag of a given event.
 * @param {Event} event The event to get.
 * @returns {boolean} The flag to stop propagation immediately.
 * @private
 */
function isStopped(event) {
    return pd(event).immediateStopped
}
/**
 * Set the current event phase of a given event.
 * @param {Event} event The event to set current target.
 * @param {number} eventPhase New event phase.
* @returns {void}
 * @private
 */
function setEventPhase(event, eventPhase) {
    pd(event).eventPhase = eventPhase;
}
/**
 * Set the current target of a given event.
 * @param {Event} event The event to set current target.
 * @param {EventTarget|null} currentTarget New current target.
 * @returns {void}
 * @private
 */
function setCurrentTarget(event, currentTarget) {
    pd(event).currentTarget = currentTarget;
}
/**
 * Set a passive listener of a given event.
 * @param {Event} event The event to set current target.
 * @param {Function|null} passiveListener New passive listener.
 * @returns {void}
 * @private
 */
function setPassiveListener(event, passiveListener) {
    pd(event).passiveListener = passiveListener;
}
/**
 * @typedef {object} ListenerNode
 * @property {Function} listener
 * @property {1|2|3} listenerType
 * @property {boolean} passive
 * @property {boolean} once
 * @property {ListenerNode|null} next
 * @private
 */
/**
 * Per-target listener table: EventTarget -> Map<eventName, ListenerNode>,
 * where each map value is the head of a singly linked list.
 * @type {WeakMap}
 * @private
 */
const listenersMap = new WeakMap();
// Listener types
const CAPTURE = 1;
const BUBBLE = 2;
const ATTRIBUTE = 3;
/**
 * Check whether a given value is an object or not.
 * @param {any} x The value to check.
 * @returns {boolean} `true` if the value is an object.
 */
function isObject(x) {
    return x !== null && typeof x === "object" //eslint-disable-line no-restricted-syntax
}
/**
 * Get listeners.
 * Throws when `eventTarget` was not constructed through `EventTarget`.
 * @param {EventTarget} eventTarget The event target to get.
 * @returns {Map} The listeners.
 * @private
 */
function getListeners(eventTarget) {
    const listeners = listenersMap.get(eventTarget);
    if (listeners == null) {
        throw new TypeError(
            "'this' is expected an EventTarget object, but got another value."
        )
    }
    return listeners
}
/**
 * Get the property descriptor for the event attribute of a given event.
 * @param {string} eventName The event name to get property descriptor.
 * @returns {PropertyDescriptor} The property descriptor.
* @private
 */
function defineEventAttributeDescriptor(eventName) {
    return {
        // The attribute listener is the (at most one) ATTRIBUTE-typed node.
        get() {
            const listeners = getListeners(this);
            let node = listeners.get(eventName);
            while (node != null) {
                if (node.listenerType === ATTRIBUTE) {
                    return node.listener
                }
                node = node.next;
            }
            return null
        },
        // Non-callable, non-object values clear the attribute.
        set(listener) {
            if (typeof listener !== "function" && !isObject(listener)) {
                listener = null; // eslint-disable-line no-param-reassign
            }
            const listeners = getListeners(this);
            // Traverse to the tail while removing old value.
            let prev = null;
            let node = listeners.get(eventName);
            while (node != null) {
                if (node.listenerType === ATTRIBUTE) {
                    // Remove old value.
                    if (prev !== null) {
                        prev.next = node.next;
                    } else if (node.next !== null) {
                        listeners.set(eventName, node.next);
                    } else {
                        listeners.delete(eventName);
                    }
                } else {
                    prev = node;
                }
                node = node.next;
            }
            // Add new value.
            if (listener !== null) {
                const newNode = {
                    listener,
                    listenerType: ATTRIBUTE,
                    passive: false,
                    once: false,
                    next: null,
                };
                if (prev === null) {
                    listeners.set(eventName, newNode);
                } else {
                    prev.next = newNode;
                }
            }
        },
        configurable: true,
        enumerable: true,
    }
}
/**
 * Define an event attribute (e.g. `eventTarget.onclick`).
 * @param {Object} eventTargetPrototype The event target prototype to define an event attribute.
 * @param {string} eventName The event name to define.
 * @returns {void}
 */
function defineEventAttribute(eventTargetPrototype, eventName) {
    Object.defineProperty(
        eventTargetPrototype,
        `on${eventName}`,
        defineEventAttributeDescriptor(eventName)
    );
}
/**
 * Define a custom EventTarget with event attributes.
 * @param {string[]} eventNames Event names for event attributes.
 * @returns {EventTarget} The custom EventTarget.
* @private
 */
function defineCustomEventTarget(eventNames) {
    /** CustomEventTarget */
    function CustomEventTarget() {
        EventTarget.call(this);
    }
    CustomEventTarget.prototype = Object.create(EventTarget.prototype, {
        constructor: {
            value: CustomEventTarget,
            configurable: true,
            writable: true,
        },
    });
    // One `on<name>` accessor per requested event name.
    for (let i = 0; i < eventNames.length; ++i) {
        defineEventAttribute(CustomEventTarget.prototype, eventNames[i]);
    }
    return CustomEventTarget
}
/**
 * EventTarget.
 *
 * - This is constructor if no arguments.
 * - This is a function which returns a CustomEventTarget constructor if there are arguments.
 *
 * For example:
 *
 *     class A extends EventTarget {}
 *     class B extends EventTarget("message") {}
 *     class C extends EventTarget("message", "error") {}
 *     class D extends EventTarget(["message", "error"]) {}
 */
function EventTarget() {
    /*eslint-disable consistent-return */
    // Construction: register an empty listener table for this instance.
    if (this instanceof EventTarget) {
        listenersMap.set(this, new Map());
        return
    }
    // Plain call with an array, or with event names as varargs: build a
    // subclass carrying `on<name>` attributes.
    if (arguments.length === 1 && Array.isArray(arguments[0])) {
        return defineCustomEventTarget(arguments[0])
    }
    if (arguments.length > 0) {
        const types = new Array(arguments.length);
        for (let i = 0; i < arguments.length; ++i) {
            types[i] = arguments[i];
        }
        return defineCustomEventTarget(types)
    }
    throw new TypeError("Cannot call a class as a function")
    /*eslint-enable consistent-return */
}
// Should be enumerable, but class methods are not enumerable.
EventTarget.prototype = {
    /**
     * Add a given listener to this event target.
     * A (listener, capture) pair already registered for the event is ignored.
     * @param {string} eventName The event name to add.
     * @param {Function} listener The listener to add.
     * @param {boolean|{capture?:boolean,passive?:boolean,once?:boolean}} [options] The options for this listener.
     * @returns {void}
     */
    addEventListener(eventName, listener, options) {
        if (listener == null) {
            return
        }
        if (typeof listener !== "function" && !isObject(listener)) {
            throw new TypeError("'listener' should be a function or an object.")
        }
        const listeners = getListeners(this);
        const optionsIsObj = isObject(options);
        const capture = optionsIsObj
            ? Boolean(options.capture)
            : Boolean(options);
        const listenerType = capture ? CAPTURE : BUBBLE;
        const newNode = {
            listener,
            listenerType,
            passive: optionsIsObj && Boolean(options.passive),
            once: optionsIsObj && Boolean(options.once),
            next: null,
        };
        // Set it as the first node if the first node is null.
        let node = listeners.get(eventName);
        if (node === undefined) {
            listeners.set(eventName, newNode);
            return
        }
        // Traverse to the tail while checking duplication..
        let prev = null;
        while (node != null) {
            if (
                node.listener === listener &&
                node.listenerType === listenerType
            ) {
                // Should ignore duplication.
                return
            }
            prev = node;
            node = node.next;
        }
        // Add it.
        prev.next = newNode;
    },
    /**
     * Remove a given listener from this event target.
     * Only the first node matching (listener, capture) is unlinked.
     * @param {string} eventName The event name to remove.
     * @param {Function} listener The listener to remove.
     * @param {boolean|{capture?:boolean,passive?:boolean,once?:boolean}} [options] The options for this listener.
     * @returns {void}
     */
    removeEventListener(eventName, listener, options) {
        if (listener == null) {
            return
        }
        const listeners = getListeners(this);
        const capture = isObject(options)
            ? Boolean(options.capture)
            : Boolean(options);
        const listenerType = capture ? CAPTURE : BUBBLE;
        let prev = null;
        let node = listeners.get(eventName);
        while (node != null) {
            if (
                node.listener === listener &&
                node.listenerType === listenerType
            ) {
                if (prev !== null) {
                    prev.next = node.next;
                } else if (node.next !== null) {
                    listeners.set(eventName, node.next);
                } else {
                    listeners.delete(eventName);
                }
                return
            }
            prev = node;
            node = node.next;
        }
    },
    /**
     * Dispatch a given event.
     * Listeners run synchronously in registration order; an exception thrown
     * by a function listener is logged via `console.error` and does not stop
     * the remaining listeners. `once` listeners are unlinked before they run.
     * @param {Event|{type:string}} event The event to dispatch.
     * @returns {boolean} `false` if canceled.
     */
    dispatchEvent(event) {
        if (event == null || typeof event.type !== "string") {
            throw new TypeError('"event.type" should be a string.')
        }
        // If listeners aren't registered, terminate.
        const listeners = getListeners(this);
        const eventName = event.type;
        let node = listeners.get(eventName);
        if (node == null) {
            return true
        }
        // Since we cannot rewrite several properties, so wrap object.
        const wrappedEvent = wrapEvent(this, event);
        // This doesn't process capturing phase and bubbling phase.
        // This isn't participating in a tree.
        let prev = null;
        while (node != null) {
            // Remove this listener if it's once
            if (node.once) {
                if (prev !== null) {
                    prev.next = node.next;
                } else if (node.next !== null) {
                    listeners.set(eventName, node.next);
                } else {
                    listeners.delete(eventName);
                }
            } else {
                prev = node;
            }
            // Call this listener
            setPassiveListener(
                wrappedEvent,
                node.passive ? node.listener : null
            );
            if (typeof node.listener === "function") {
                try {
                    node.listener.call(this, wrappedEvent);
                } catch (err) {
                    if (
                        typeof console !== "undefined" &&
                        typeof console.error === "function"
                    ) {
                        console.error(err);
                    }
                }
            } else if (
                node.listenerType !== ATTRIBUTE &&
                typeof node.listener.handleEvent === "function"
            ) {
                // Note: `handleEvent` is not wrapped in try/catch, unlike
                // function listeners above.
                node.listener.handleEvent(wrappedEvent);
            }
            // Break if `event.stopImmediatePropagation` was called.
            if (isStopped(wrappedEvent)) {
                break
            }
            node = node.next;
        }
        setPassiveListener(wrappedEvent, null);
        setEventPhase(wrappedEvent, 0);
        setCurrentTarget(wrappedEvent, null);
        return !wrappedEvent.defaultPrevented
    },
};
// `constructor` is not enumerable.
Object.defineProperty(EventTarget.prototype, "constructor", {
    value: EventTarget,
    configurable: true,
    writable: true,
});
// Ensure `eventTarget instanceof window.EventTarget` is `true`.
if (
    typeof window !== "undefined" &&
    typeof window.EventTarget !== "undefined"
) {
    Object.setPrototypeOf(EventTarget.prototype, window.EventTarget.prototype);
}
/* harmony default export */ var event_target_shim = (EventTarget);

// CONCATENATED MODULE: ./src/index.js
// Webpack export bindings for the bundle's public surface: the
// `PairingChannel` class, the `_internals` test hook, and the byte/encoding
// helpers plus the two TLS alert classes that callers need to handle.
/* harmony export (binding) */ __webpack_require__.d(__webpack_exports__, "PairingChannel", function() { return src_PairingChannel; });
/* harmony export (binding) */ __webpack_require__.d(__webpack_exports__, "_internals", function() { return _internals; });
/* concated harmony reexport base64urlToBytes */__webpack_require__.d(__webpack_exports__, "base64urlToBytes", function() { return base64urlToBytes; });
/* concated harmony reexport bytesToBase64url */__webpack_require__.d(__webpack_exports__, "bytesToBase64url", function() { return bytesToBase64url; });
/* concated harmony reexport bytesToHex */__webpack_require__.d(__webpack_exports__, "bytesToHex", function() { return bytesToHex; });
/* concated harmony reexport bytesToUtf8 */__webpack_require__.d(__webpack_exports__, "bytesToUtf8", function() { return bytesToUtf8; });
/* concated harmony reexport hexToBytes */__webpack_require__.d(__webpack_exports__, "hexToBytes", function() { return hexToBytes; });
/* concated harmony reexport TLSCloseNotify */__webpack_require__.d(__webpack_exports__, "TLSCloseNotify", function() { return TLSCloseNotify; });
/* concated harmony reexport TLSError */__webpack_require__.d(__webpack_exports__, "TLSError", function() { return TLSError; });
/* concated harmony reexport utf8ToBytes */__webpack_require__.d(__webpack_exports__, "utf8ToBytes", function() { return utf8ToBytes; });
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

// A wrapper that combines a WebSocket to the channelserver
// with some client-side encryption for securing the channel.
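// We'll improve the encryption before initial release...

// How long `close()` waits between checks of the socket's outgoing buffer,
// and how many such checks it makes before giving up.
const CLOSE_FLUSH_BUFFER_INTERVAL_MS = 200;
const CLOSE_FLUSH_BUFFER_MAX_TRIES = 5;

// A pairing channel: a WebSocket to the channelserver carrying a TLS1.3
// PSK-protected connection. The channel key is the PSK; the channelserver's
// channel id is the PSK identity. Application messages are JSON, UTF-8
// encoded, and travel base64url-encoded inside the channelserver's JSON
// envelope.
//
// Emits `message` (detail: { data, sender }), `close` (peer sent a TLS
// close_notify) and `error` (detail: { error }) events.
class src_PairingChannel extends EventTarget {
  constructor(channelId, channelKey, socket, connection) {
    super();
    this._channelId = channelId;
    this._channelKey = channelKey;
    this._socket = socket;
    this._connection = connection;
    this._selfClosed = false;
    this._peerClosed = false;
    this._setupListeners();
  }

  /**
   * Create a new pairing channel.
   *
   * Generates a fresh 32-byte channel key from the platform CSPRNG and acts
   * as the TLS server side of the handshake.
   *
   * @param {string} channelServerURI Base URI of the channelserver.
   * @returns Promise resolving to a PairingChannel.
   */
  static create(channelServerURI) {
    const wsURI = new URL('/v1/ws/', channelServerURI).href;
    const channelKey = crypto.getRandomValues(new Uint8Array(32));
    return this._makePairingChannel(wsURI, tlsconnection_ServerConnection, channelKey);
  }

  /**
   * Connect to an existing pairing channel.
   *
   * Acts as the TLS client side of the handshake.
   *
   * @param {string} channelServerURI Base URI of the channelserver.
   * @param {string} channelId Id of the channel to join (goes into the URL path).
   * @param {Uint8Array} channelKey The 32-byte channel key shared out of band.
   * @returns Promise resolving to a PairingChannel.
   */
  static connect(channelServerURI, channelId, channelKey) {
    // `channelId` typically arrives from outside (e.g. a pairing link), so
    // percent-encode it rather than splicing it into the path verbatim.
    const wsURI = new URL(`/v1/ws/${encodeURIComponent(channelId)}`, channelServerURI).href;
    return this._makePairingChannel(wsURI, tlsconnection_ClientConnection, channelKey);
  }

  // Open the WebSocket, wait for the channelserver's first message (which
  // carries the channel id), run the TLS handshake setup and resolve with a
  // channel instance. Rejects on socket error, on the socket closing before
  // that first message, on a malformed first message, or on handshake setup
  // failure.
  static _makePairingChannel(wsUri, ConnectionClass, psk) {
    const socket = new WebSocket(wsUri);
    return new Promise((resolve, reject) => {
      // eslint-disable-next-line prefer-const
      let stopListening;
      const onConnectionError = () => {
        stopListening();
        reject(new Error('Error while creating the pairing channel'));
      };
      // Without this, a socket that closes cleanly before the first message
      // would leave the promise pending forever.
      const onEarlyClose = () => {
        stopListening();
        reject(new Error('WebSocket closed before the pairing channel was established'));
      };
      const onFirstMessage = async event => {
        stopListening();
        try {
          // The first frame is untrusted network input: a parse failure or a
          // missing/non-string id rejects the promise via the catch below.
          const {channelid: channelId} = JSON.parse(event.data);
          if (typeof channelId !== 'string') {
            throw new Error('Invalid channel id in channelserver response');
          }
          const pskId = utf8ToBytes(channelId);
          const connection = await ConnectionClass.create(psk, pskId, data => {
            // The channelserver websocket handler expects b64urlsafe strings
            // rather than raw bytes, because it wraps them in a JSON object envelope.
            socket.send(bytesToBase64url(data));
          });
          resolve(new this(channelId, psk, socket, connection));
        } catch (err) {
          reject(err);
        }
      };
      stopListening = () => {
        socket.removeEventListener('error', onConnectionError);
        socket.removeEventListener('close', onEarlyClose);
        socket.removeEventListener('message', onFirstMessage);
      };
      socket.addEventListener('error', onConnectionError);
      socket.addEventListener('close', onEarlyClose);
      socket.addEventListener('message', onFirstMessage);
    });
  }

  // Wire the WebSocket's message/error/close events to the TLS connection
  // and to the events this class emits.
  _setupListeners() {
    this._socket.addEventListener('message', async event => {
      try {
        // Envelope and payload both come from the network; any failure while
        // decoding, decrypting or parsing is surfaced as an `error` event.
        const channelServerEnvelope = JSON.parse(event.data);
        const payload = await this._connection.recv(base64urlToBytes(channelServerEnvelope.message));
        // `recv` returns null for protocol-control records.
        if (payload !== null) {
          const data = JSON.parse(bytesToUtf8(payload));
          this.dispatchEvent(new CustomEvent('message', {
            detail: {
              data,
              sender: channelServerEnvelope.sender,
            },
          }));
        }
      } catch (error) {
        let event;
        if (error instanceof TLSCloseNotify) {
          // The peer closed the TLS connection; tear the socket down only
          // once both sides have closed.
          this._peerClosed = true;
          if (this._selfClosed) {
            this._shutdown();
          }
          event = new CustomEvent('close');
        } else {
          event = new CustomEvent('error', {
            detail: {
              error,
            }
          });
        }
        this.dispatchEvent(event);
      }
    });
    // Relay the WebSocket events.
    this._socket.addEventListener('error', () => {
      this._shutdown();
      // The dispatched event that we receive has no useful information.
      this.dispatchEvent(new CustomEvent('error', {
        detail: {
          error: new Error('WebSocket error.'),
        },
      }));
    });
    // In TLS, the peer has to explicitly send a close notification,
    // which we dispatch above. Unexpected socket close is an error.
    this._socket.addEventListener('close', () => {
      this._shutdown();
      if (! this._peerClosed) {
        this.dispatchEvent(new CustomEvent('error', {
          detail: {
            error: new Error('WebSocket unexpectedly closed'),
          }
        }));
      }
    });
  }

  /**
   * Send a JSON-serialisable value to the peer.
   *
   * @param {Object} data
   */
  async send(data) {
    const payload = utf8ToBytes(JSON.stringify(data));
    await this._connection.send(payload);
  }

  /**
   * Send a TLS close_notify to the peer and, once the outgoing socket buffer
   * has drained, close the socket if the peer has already closed too.
   *
   * Calling this on a channel whose socket is already gone (earlier close,
   * socket error or unexpected socket close) is a no-op rather than a
   * TypeError on the null socket/connection.
   *
   * @throws {Error} if the socket buffer does not drain within
   *   CLOSE_FLUSH_BUFFER_MAX_TRIES * CLOSE_FLUSH_BUFFER_INTERVAL_MS.
   */
  async close() {
    this._selfClosed = true;
    if (this._socket === null) {
      return;
    }
    await this._connection.close();
    try {
      // Ensure all queued bytes have been sent before closing the connection.
      // The socket may be torn down by an error/close event while we wait,
      // hence the null re-check on every iteration.
      let tries = 0;
      while (this._socket !== null && this._socket.bufferedAmount > 0) {
        if (++tries > CLOSE_FLUSH_BUFFER_MAX_TRIES) {
          throw new Error('Could not flush the outgoing buffer in time.');
        }
        await new Promise(res => setTimeout(res, CLOSE_FLUSH_BUFFER_INTERVAL_MS));
      }
    } finally {
      // If the peer hasn't closed, we might still receive some data.
      if (this._peerClosed) {
        this._shutdown();
      }
    }
  }

  // Close the socket and drop references; idempotent.
  _shutdown() {
    if (this._socket) {
      this._socket.close();
      this._socket = null;
      this._connection = null;
    }
  }

  // True once the socket has been dropped or reports CLOSED (readyState 3).
  get closed() {
    return (! this._socket) || (this._socket.readyState === 3);
  }

  get channelId() {
    return this._channelId;
  }

  get channelKey() {
    return this._channelKey;
  }
}

// Re-export helpful utilities for calling code to use.

// For running tests using the built bundle,
// expose a bunch of implementation details.
const _internals = {
  arrayToBytes,
  BufferReader: utils_BufferReader,
  BufferWriter: utils_BufferWriter,
  bytesAreEqual,
  bytesToHex,
  bytesToUtf8,
  ClientConnection: tlsconnection_ClientConnection,
  Connection: tlsconnection_Connection,
  DecryptionState: recordlayer_DecryptionState,
  EncryptedExtensions,
  EncryptionState: recordlayer_EncryptionState,
  Finished: messages_Finished,
  HASH_LENGTH,
  hexToBytes,
  hkdfExpand,
  KeySchedule: keyschedule_KeySchedule,
  NewSessionTicket: messages_NewSessionTicket,
  RecordLayer: recordlayer_RecordLayer,
  ServerConnection: tlsconnection_ServerConnection,
  utf8ToBytes,
  zeros,
};

/***/ })
/******/ ])["PairingChannel"];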