1 # Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 # Licensed under the OpenSSL license (the "License"). You may not use
4 # this file except in compliance with the License. You can obtain a copy
5 # in the file LICENSE in the source distribution or at
6 # https://www.openssl.org/source/license.html
9 use POSIX ":sys_wait_h";
11 package TLSProxy::Proxy;
17 use TLSProxy::Message;
18 use TLSProxy::ClientHello;
19 use TLSProxy::HelloRetryRequest;
20 use TLSProxy::ServerHello;
21 use TLSProxy::EncryptedExtensions;
22 use TLSProxy::Certificate;
23 use TLSProxy::CertificateVerify;
24 use TLSProxy::ServerKeyExchange;
25 use TLSProxy::NewSessionTicket;
31 my $ciphersuite = undef;
43 proxy_addr => "localhost",
45 server_addr => "localhost",
61 ciphers => "AES128-SHA:TLS13-AES-128-GCM-SHA256",
67 # IO::Socket::IP is on the core module list, IO::Socket::INET6 isn't.
68 # However, IO::Socket::INET6 is older and is said to be more widely
69 # deployed for the moment, and may have less bugs, so we try the latter
70 # first, then fall back on the code modules. Worst case scenario, we
71 # fall back to IO::Socket::INET, only supports IPv4.
73 require IO::Socket::INET6;
74 my $s = IO::Socket::INET6->new(
83 $IP_factory = sub { IO::Socket::INET6->new(@_); };
87 require IO::Socket::IP;
88 my $s = IO::Socket::IP->new(
97 $IP_factory = sub { IO::Socket::IP->new(@_); };
100 $IP_factory = sub { IO::Socket::INET->new(@_); };
104 return bless $self, $class;
111 $self->{cipherc} = "";
113 $self->{record_list} = [];
114 $self->{message_list} = [];
115 $self->{clientflags} = "";
116 $self->{sessionfile} = undef;
117 $self->{clientpid} = 0;
119 $ciphersuite = undef;
121 TLSProxy::Message->clear();
122 TLSProxy::Record->clear();
130 $self->{ciphers} = "AES128-SHA:TLS13-AES-128-GCM-SHA256";
131 $self->{serverflags} = "";
132 $self->{serverconnects} = 1;
133 $self->{serverpid} = 0;
161 open(STDOUT, ">", File::Spec->devnull())
162 or die "Failed to redirect stdout: $!";
163 open(STDERR, ">&STDOUT");
165 my $execcmd = $self->execute
166 ." s_server -no_comp -rev -engine ossltest -accept "
167 .($self->server_port)
168 ." -cert ".$self->cert." -cert2 ".$self->cert
169 ." -naccept ".$self->serverconnects;
170 if ($self->ciphers ne "") {
171 $execcmd .= " -cipher ".$self->ciphers;
173 if ($self->serverflags ne "") {
174 $execcmd .= " ".$self->serverflags;
177 print STDERR "Server command: $execcmd\n";
181 $self->serverpid($pid);
183 return $self->clientstart;
192 open DEVNULL, ">", File::Spec->devnull();
193 $oldstdout = select(DEVNULL);
196 # Create the Proxy socket
197 my $proxaddr = $self->proxy_addr;
198 $proxaddr =~ s/[\[\]]//g; # Remove [ and ]
199 my $proxy_sock = $IP_factory->(
200 LocalHost => $proxaddr,
201 LocalPort => $self->proxy_port,
208 print "Proxy started on port ".$self->proxy_port."\n";
210 warn "Failed creating proxy socket (".$proxaddr.",".$self->proxy_port."): $!\n";
214 if ($self->execute) {
218 open(STDOUT, ">", File::Spec->devnull())
219 or die "Failed to redirect stdout: $!";
220 open(STDERR, ">&STDOUT");
223 if ($self->reneg()) {
228 my $execcmd = "echo ".$echostr." | ".$self->execute
229 ." s_client -engine ossltest -connect "
230 .($self->proxy_addr).":".($self->proxy_port);
231 if ($self->cipherc ne "") {
232 $execcmd .= " -cipher ".$self->cipherc;
234 if ($self->clientflags ne "") {
235 $execcmd .= " ".$self->clientflags;
237 if (defined $self->sessionfile) {
238 $execcmd .= " -ign_eof";
241 print STDERR "Client command: $execcmd\n";
245 $self->clientpid($pid);
248 # Wait for incoming connection from client
250 if(!($client_sock = $proxy_sock->accept())) {
251 warn "Failed accepting incoming connection: $!\n";
255 print "Connection opened\n";
257 # Now connect to the server
260 #We loop over this a few times because sometimes s_server can take a while
263 my $servaddr = $self->server_addr;
264 $servaddr =~ s/[\[\]]//g; # Remove [ and ]
266 $server_sock = $IP_factory->(
267 PeerAddr => $servaddr,
268 PeerPort => $self->server_port,
275 #Some buggy IP factories can return a defined server_sock that hasn't
276 #actually connected, so we check peerport too
277 if ($@ || !defined($server_sock) || !defined($server_sock->peerport)) {
278 $server_sock->close() if defined($server_sock);
281 #Sleep for a short while
282 select(undef, undef, undef, 0.1);
284 warn "Failed to start up server (".$servaddr.",".$self->server_port."): $!\n";
288 } while (!$server_sock);
290 my $sel = IO::Select->new($server_sock, $client_sock);
292 my @handles = ($server_sock, $client_sock);
294 #Wait for either the server socket or the client socket to become readable
297 while( (!(TLSProxy::Message->end)
298 || (defined $self->sessionfile()
299 && (-s $self->sessionfile()) == 0))
301 && (@ready = $sel->can_read(1))) {
302 foreach my $hand (@ready) {
303 if ($hand == $server_sock) {
304 $server_sock->sysread($indata, 16384) or goto END;
305 $indata = $self->process_packet(1, $indata);
306 $client_sock->syswrite($indata);
308 } elsif ($hand == $client_sock) {
309 $client_sock->sysread($indata, 16384) or goto END;
310 $indata = $self->process_packet(0, $indata);
311 $server_sock->syswrite($indata);
319 die "No progress made" if $ctr >= 10;
322 print "Connection closed\n";
324 $server_sock->close();
327 #Closing this also kills the child process
328 $client_sock->close();
331 $proxy_sock->close();
336 $self->serverconnects($self->serverconnects - 1);
337 if ($self->serverconnects == 0) {
338 die "serverpid is zero\n" if $self->serverpid == 0;
339 print "Waiting for server process to close: "
340 .$self->serverpid."\n";
341 waitpid( $self->serverpid, 0);
342 die "exit code $? from server process\n" if $? != 0;
344 die "clientpid is zero\n" if $self->clientpid == 0;
345 print "Waiting for client process to close: ".$self->clientpid."\n";
346 waitpid($self->clientpid, 0);
353 my ($self, $server, $packet) = @_;
360 print "Received server packet\n";
362 print "Received client packet\n";
365 print "Packet length = ".length($packet)."\n";
366 print "Processing flight ".$self->flight."\n";
368 #Return contains the list of record found in the packet followed by the
369 #list of messages in those records
370 my @ret = TLSProxy::Record->get_records($server, $self->flight, $packet);
371 push @{$self->record_list}, @{$ret[0]};
372 push @{$self->{message_list}}, @{$ret[1]};
376 #Finished parsing. Call user provided filter here
377 if(defined $self->filter) {
378 $self->filter->($self);
381 #Reconstruct the packet
383 foreach my $record (@{$self->record_list}) {
384 #We only replay the records for the current flight
385 if ($record->flight != $self->flight) {
388 $packet .= $record->reconstruct_record($server);
391 $self->{flight} = $self->{flight} + 1;
393 print "Forwarded packet length = ".length($packet)."\n\n";
402 return $self->{execute};
407 return $self->{cert};
412 return $self->{debug};
417 return $self->{flight};
422 return $self->{record_list};
427 return $self->{success};
440 #Read/write accessors
445 $self->{proxy_addr} = shift;
447 return $self->{proxy_addr};
453 $self->{proxy_port} = shift;
455 return $self->{proxy_port};
461 $self->{server_addr} = shift;
463 return $self->{server_addr};
469 $self->{server_port} = shift;
471 return $self->{server_port};
477 $self->{filter} = shift;
479 return $self->{filter};
485 $self->{cipherc} = shift;
487 return $self->{cipherc};
493 $self->{ciphers} = shift;
495 return $self->{ciphers};
501 $self->{serverflags} = shift;
503 return $self->{serverflags};
509 $self->{clientflags} = shift;
511 return $self->{clientflags};
517 $self->{serverconnects} = shift;
519 return $self->{serverconnects};
521 # This is a bit ugly because the caller is responsible for keeping the records
522 # in sync with the updated message list; simply updating the message list isn't
523 # sufficient to get the proxy to forward the new message.
524 # But it does the trick for the one test (test_sslsessiontick) that needs it.
529 $self->{message_list} = shift;
531 return $self->{message_list};
537 $self->{serverpid} = shift;
539 return $self->{serverpid};
545 $self->{clientpid} = shift;
547 return $self->{clientpid};
554 for (my $i = 0; $i < $length; $i++) {
573 $self->{reneg} = shift;
575 return $self->{reneg};
578 #Setting a sessionfile means that the client will not close until the given
579 #file exists. This is useful in TLSv1.3 where otherwise s_client will close
580 #immediately at the end of the handshake, but before the session has been
581 #received from the server. A side effect of this is that s_client never sends
582 #a close_notify, so instead we consider success to be when it sends application
583 #data over the connection.
588 $self->{sessionfile} = shift;
589 TLSProxy::Message->successondata(1);
591 return $self->{sessionfile};
598 $ciphersuite = shift;